How To Guide
How to Train Staff on Phishing Awareness
Training is the most cost-effective security investment.
Overview
Regular training dramatically reduces phishing click rates.
Step 1: Training
Build the programme.
1. Initial
- Cover email, SMS and voice phishing
- Show real redacted examples
- Teach red flags
- Explain reporting procedure
- Keep under 30 minutes
2. Reinforcement
- Monthly security tips
- Share company examples
- Quarterly refreshers
- Reward reporting
Step 2: Simulations
Test staff with simulated phishing emails.
1. Run Campaigns
- Use a platform such as KnowBe4, Cofense, or GoPhish
- Start obvious, increase sophistication
- Track click and report rates
Pro Tip:
Frame as training, not gotcha tests.
Step 3: Measure
Track effectiveness.
1. Metrics
- Click rate: Aim below 5%
- Report rate: Aim above 70%
- Compare quarter over quarter
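As an added worked example (not part of the original guide), this Python script pools constructed simulation results per quarter, checks them against the click-rate and report-rate targets above, and compares one quarter with the previous one. It assumes both rates are computed relative to emails delivered; simulation platforms differ in how they define them.

```python
from dataclasses import dataclass

# Per-campaign result as a simulation platform would export it.
# All figures in this file are constructed sample data.
@dataclass
class Campaign:
    quarter: str
    delivered: int
    clicked: int
    reported: int

CLICK_TARGET = 0.05   # guide: aim below 5% clicked
REPORT_TARGET = 0.70  # guide: aim above 70% reported

def quarter_rates(campaigns, quarter):
    """Pool every campaign in a quarter and return (click_rate, report_rate).
    Rates are relative to emails delivered (assumption); an empty quarter is (0.0, 0.0)."""
    in_q = [c for c in campaigns if c.quarter == quarter]
    delivered = sum(c.delivered for c in in_q)
    if delivered == 0:  # avoid division by zero before any campaign has run
        return 0.0, 0.0
    clicked = sum(c.clicked for c in in_q)
    reported = sum(c.reported for c in in_q)
    return clicked / delivered, reported / delivered

def assess(campaigns, quarter, previous=None):
    """Score one quarter against the targets and, if given, against the previous quarter."""
    click, report = quarter_rates(campaigns, quarter)
    result = {
        "quarter": quarter,
        "click_rate": round(click, 3),
        "report_rate": round(report, 3),
        "click_ok": click < CLICK_TARGET,    # strict: exactly 5% does not meet the target
        "report_ok": report > REPORT_TARGET,
    }
    if previous is not None:
        prev_click, prev_report = quarter_rates(campaigns, previous)
        result["click_delta"] = round(click - prev_click, 3)
        result["report_delta"] = round(report - prev_report, 3)
        # Improving means no more clicks and no fewer reports than last quarter.
        result["improving"] = click <= prev_click and report >= prev_report
    return result

SAMPLE = [  # constructed: two campaigns per quarter
    Campaign("2024Q1", 200, 30, 80), Campaign("2024Q1", 200, 26, 90),
    Campaign("2024Q2", 250, 14, 170), Campaign("2024Q2", 150, 6, 120),
]

if __name__ == "__main__":
    for q, prev in (("2024Q1", None), ("2024Q2", "2024Q1")):
        print(assess(SAMPLE, q, prev))
```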
3. Create Training Materials
- Develop a library of real-world phishing examples (redacted) from your own inbox
- Create comparison guides: Legitimate email vs phishing email side by side
- Build a quick-reference card for desks: 5 signs of phishing in under 30 seconds
- Record short video tutorials showing how to check email headers and URLs
- Create department-specific examples (finance gets fake invoice phishing, HR gets CV phishing)
- Update materials quarterly to reflect current threat trends
4. Build a Reporting Culture
- Make reporting easy: One-click 'Report Phishing' button in Outlook or Gmail
- Respond to every report with acknowledgement and feedback within 24 hours
- Share anonymised statistics: 'This month the team reported 47 phishing attempts'
- Recognise and reward good reporting behaviour publicly
- Never punish someone for reporting a false positive — better safe than sorry
- Create a dedicated Slack/Teams channel for security alerts and tips
5. Advanced Phishing Scenarios
- Spear phishing: Targeted emails using personal information from LinkedIn or social media
- Business Email Compromise (BEC): Impersonating the CEO or a supplier requesting payment
- Smishing (SMS phishing): Fake delivery notifications, bank alerts, tax refund messages
- Vishing (voice phishing): Callers impersonating IT support, banks, or HMRC
- QR code phishing: Malicious QR codes on flyers, emails, or fake parking meters
- Train staff on ALL these vectors — email-only training leaves gaps
Warning:
Business Email Compromise costs UK businesses millions annually. Train finance teams specifically on payment diversion fraud: always verify bank detail changes by phone using a known number, never the one in the email.
Need Professional Help?
Our engineers provide expert assistance with setup, troubleshooting, and ongoing support for businesses and individuals across Cornwall.