My company's new 'mandatory' security training felt like a total waste of time

Last month, our IT department rolled out a required 30-minute video course on spotting phishing emails. It was the same old stuff: check the sender, look for bad grammar, don't click weird links. I've been doing this job for years and felt it was just a box-ticking exercise. But then, a guy in shipping who took the same training flagged a real invoice scam email that looked legit, saving the company a few thousand bucks. So now I'm split. On one side, it seems like basic common sense that doesn't need a formal course. On the other, that one catch proved it can actually work for some people. Is mandatory, generic training the best way to go, or should companies focus more on targeted, hands-on drills for different teams?