Without embarrassing or punishing them, ensure the ones that put in credentials get trained. The credentials should automatically sign them up for interactive mandatory online courses so they are not being embarrassed in a classroom. Reward the teams that don't get phished. Reward the managers, sr. managers, directors and sr. directors whose teams and orgs do not get phished. The higher the level of the management organization that is free of phishing victims, the higher the rewards. Incentivize the leadership to discourage warning others in company chat that a phishing test campaign is in progress. I'm sure the director of incident management at my last place is reading this. It's up to them if they want to share high level stats. I would not be allowed to disclose details, but I do know this methodology absolutely works, at least in a place that has integrity and employee trust.
This of course only works for employees of a company because they have signed legal agreements that would permit the company to phish their own employees and have their own corporate attorneys that reviewed this process. Any other scenario should have a small army of lawyers review the plan.
The best way IMHO is to make a damn fun security awareness training. The best training I've done was basically running an "attack" against somebody and going through the whole process like an attacker would, but with the group as passengers and with explanations as I go. Seeing under the hood can be a lot of fun, and can be very enlightening.