The weakest point of security in any organisation is the users, either due to a lack of awareness or security fatigue. Attackers know this, and they target users through email because with a working email address, a malicious but well-crafted attack could easily get in front of a vulnerable employee. Attackers are also very determined, so they will continue to pursue a target-rich environment until they find a gap in defenses. A recent Consumer Affairs article reports that as many as one-third of AV scanners failed to find malware samples in a two month test. That's why attackers keep trying, even when they know a company has anti-virus protection in place.