Your employees are your first line of defense against phishing. Technical controls catch a lot of malicious email, but some attacks will always get through. What happens next depends on whether your people can recognize and report them.
Training needs to be ongoing, not a one-time event. Phishing techniques change constantly, and people forget what they learned if it’s not reinforced.
Each session should cover:
- Current phishing examples relevant to your industry
- Red flags to watch for (sender address mismatches, urgency, generic greetings, unusual requests)
- What to do when something looks suspicious
- Recent incidents or near-misses within your organization (anonymized)
Skip the slide decks. Use:
- Real phishing email examples (sanitized) for group analysis
- Role-playing exercises for phone-based social engineering
- Quizzes and knowledge checks
- Group discussion of “would you click this?” scenarios
Different departments face different risks:
- Finance – Business email compromise, fake invoice scams, wire transfer requests
- HR – Fake job applications with malicious attachments, W-2 phishing
- IT – Credential harvesting, fake vendor support requests
- Executives – Whaling attacks, impersonation of board members or legal counsel
Train employees to check for:
- [ ] Sender email address doesn’t match the supposed sender
- [ ] Generic greeting (“Dear Customer”) instead of your name
- [ ] Urgent language pressuring immediate action
- [ ] Requests for passwords, payment details, or sensitive data
- [ ] Links that don’t match the text (hover to check)
- [ ] Unexpected attachments, especially .zip, .exe, or macro-enabled Office files
- [ ] Slightly misspelled domain names in the sender address or links
- [ ] Messages that bypass normal business processes (“Don’t tell anyone, just do it”)
For suspicious emails, employees can forward them to ForwardToSafety.com for verification before taking any action.
Make it easy and safe to report. Every reported phishing email is intelligence your security team can use to update filters and warn other employees.
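As an added example that is not part of the original article, here is the red-flag checklist above turned into a small triage script a security team could run over reported emails before updating filters. The trusted domain, the sample message and the similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"acme-corp.com"}  # assumption: your organisation's real domains
RISKY_EXT = (".zip", ".exe", ".scr", ".js", ".docm", ".xlsm", ".pptm")
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended|act now)\b", re.I)
LINK = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample of a reported email; every address, domain and URL is made up.
SAMPLE = """\
From: "Acme Payroll" <payroll@acme-corp.co>
Reply-To: helpdesk@mail-acme.net
Subject: URGENT: confirm your direct deposit within 24 hours
Content-Type: text/html

<p>Dear Customer,</p><p>Your account will be suspended. Confirm at
<a href="http://acme-corp.co/login">https://portal.acme-corp.com/login</a></p>
"""

def domain_of(header):
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def red_flags(raw):
    # Return the checklist items that fire on one raw RFC 822 message
    msg = message_from_string(raw)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags, body = [], ""
    if reply_to and reply_to != sender:
        flags.append("reply-to mismatch")
    if any(d != sender and SequenceMatcher(None, d, sender).ratio() > 0.85
           for d in TRUSTED_DOMAINS):  # one or two characters off a trusted domain
        flags.append("lookalike sender domain")
    for part in msg.walk():  # attachment names and text bodies
        if (part.get_filename() or "").lower().endswith(RISKY_EXT):
            flags.append("risky attachment")
        if not part.is_multipart() and part.get_content_maintype() == "text":
            body += part.get_payload(decode=True).decode(errors="replace")
    if re.search(r"dear (customer|user|member)", body, re.I):
        flags.append("generic greeting")
    if URGENCY.search((msg["Subject"] or "") + " " + body):
        flags.append("urgency")
    for href, text in LINK.findall(body):  # the "hover to check" test, automated
        shown = urlsplit(text.strip()).hostname
        if shown and shown != urlsplit(href).hostname:
            flags.append("link text/target mismatch")
    return flags
```

Run `red_flags(SAMPLE)` to see all five flags fire on the constructed message; a plain internal note returns an empty list.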
Simulations test how well training is working by sending realistic but harmless phishing emails to employees.
Do them right:
- [ ] Frame simulations as a learning tool, never as a gotcha
- [ ] Follow every simulation with immediate educational feedback
- [ ] Track trends over time, not individual failures
- [ ] Vary the difficulty and type of simulations
- [ ] Run them quarterly at minimum
- [ ] Include vishing (phone) simulations, not just email
Avoid:
- Publicly shaming employees who click
- Overly tricky simulations that erode trust
- Using simulations as a punitive measure
For phone-based social engineering (vishing), train employees to:
- [ ] Be skeptical of unexpected calls requesting sensitive information
- [ ] Verify caller identity by hanging up and calling back on a known number
- [ ] Never provide passwords or access codes over the phone
Track these metrics over time:
- Phishing simulation click rate (should decrease)
- Report rate (should increase – more reporting means more awareness)
- Time to report (should decrease)
- Number of real phishing emails caught by employees
The goal isn’t zero clicks. It’s building a team that catches and reports threats quickly enough to prevent damage.
Leaders are high-value targets for social engineering. They need specific training on:
- [ ] Whaling attacks (phishing specifically targeting executives)
- [ ] Business email compromise (requests impersonating the CEO/CFO)
- [ ] Deepfake voice and video impersonation
- [ ] Verification procedures for financial transactions
- [ ] Setting the tone that security is a priority, not a nuisance
Join thousands of security professionals who receive Craig Peterson's Insider Show Notes and cybersecurity updates.