← ALL POSTS
CYBERSECURITY EXPLAINER

Phishing training that people don’t hate

Most phishing training fails the same way. Once a year, everyone sits through a 45-minute video with stock photos of hackers in hoodies, clicks through a quiz, and forgets it by lunch. Then IT runs a gotcha test, publishes who failed, and the main lesson everyone learns is to distrust IT. Meanwhile the actual phish that lands in March works fine, because a yearly video doesn't build a reflex. Training can work. It just looks different from that.

The goal is a reflex, not knowledge

Everyone already knows phishing exists. The problem isn't knowledge, it's what happens in the two seconds after an email that says "invoice overdue, pay today" hits an inbox at 4:50 p.m. You're training a reflex: pause on urgency, check the sender, and when in doubt, report it. Reflexes come from frequent small reps, not annual lectures. That's the whole design principle, and everything below follows from it.

Simulations, not shame

Simulated phishing emails are the reps. Tools like KnowBe4, Microsoft's Attack Simulation Training (included in some 365 plans), Hoxhunt, and Proofpoint send realistic fakes, and clicking one leads to a short "here's what you missed" page instead of a real breach. Used well, simulations are the single most effective piece of a program. Used as a trap, they poison the whole thing.

The difference is what happens after a click. The wrong version: names on a wall, mandatory remedial training framed as punishment, a manager getting an email about you. Do that and people stop reporting real phish too, because reporting means admitting you almost fell for it. We've seen shops where an employee clicked a real malicious link and stayed quiet for two days out of fear. That silence cost more than any training budget.

The right version: the click leads to a 60-second teaching moment, private, immediate, specific to the email they just fell for. That's the best training minute money can buy, because it arrives exactly when the lesson is relevant. Repeat clickers get a friendly extra module, not a public flogging. Failure data goes to the program owner to tune the training, not to managers as a performance metric.

Make reporting one click

If reporting a suspicious email means forwarding it to some address nobody remembers, nobody reports. Put a report button in the mail client itself. Outlook and Gmail both support this: Microsoft's built-in Report button (configurable to route copies to your security team or MSP), Gmail's report phishing option, or the add-in your simulation platform provides, which also tells users instantly when they've caught a simulation.

Then close the loop. When someone reports a real phish, tell them what it was and thank them. A report that vanishes into a void trains people that reporting is pointless. A reply that says "good catch, that was real, we've blocked the sender" trains them to do it again. The metric worth watching isn't click rate, which mostly measures how sneaky your last simulation was. It's report rate, and time-to-first-report. One fast reporter gives your security team a head start on quarantining the same email from forty other inboxes.

Celebrate catches

Flip the incentive from fear to sport. Shout out good catches: a line in the company chat when someone reports a real phish, especially a convincing one. Some teams keep a lighthearted leaderboard of top reporters. It sounds small, and it changes the culture faster than anything else, because it makes the security-aware move the high-status move. People start forwarding each other suspicious emails with "check this one out" energy instead of hiding them.

Leadership participates or it doesn't work. Executives get simulated too, and when the CFO admits in a meeting that the fake DocuSign one nearly got him, that does more for the program than any policy memo. Executives who exempt themselves are also, not coincidentally, the people attackers impersonate and target most.

Realistic cadence, realistic difficulty

Frequency: one simulation per person per month, roughly, with the timing randomized so it's not "first Tuesday means fake phish day." Quarterly is the floor for keeping the reflex alive. More than weekly starts to breed either paranoia or numbness.

Difficulty should ramp. Start with the classics: fake package deliveries, password expiration notices, shared document links. Over time, mix in the ones that actually hurt small businesses: an email that looks like it's from the boss asking someone in finance to change payment details, a fake Microsoft 365 login page, an "updated bank info" note from a vendor. And keep the formal training short: five-minute videos a few times a year beat one annual marathon, every time.

One more thing worth saying plainly: training is a layer, not the defense. Somebody will always eventually click, including you and including us. Email filtering, MFA, and EDR exist to make one click survivable. A program that expects zero clicks is measuring the wrong thing.

How to know it's working

After six months, look for these:

If your current program is the annual video and a gotcha test, the fix costs a few dollars per person per month and a change in tone. Cheap, as security goes, and it's the layer that's on duty every time the filters miss.

Stuck on this, or want it done for you? That's the job.

Email us →
RELATED READING
New tools stick when people like them Explainer
NIST CSF: a map, not a mandate Explainer
Ransomware defense: the five layers that matter Explainer
Dashboards people actually open Explainer
Dark web monitoring: useful signal or scare tactic? Explainer
NO FORMS. JUST EMAIL.
mason@hurbs.io
or (832) 457-4317, LA and Houston