Most phishing training fails the same way. Once a year, everyone sits through a 45-minute video with stock photos of hackers in hoodies, clicks through a quiz, and forgets it by lunch. Then IT runs a gotcha test, publishes who failed, and the main lesson everyone learns is to distrust IT. Meanwhile the actual phish that lands in March works fine, because a yearly video doesn't build a reflex. Training can work. It just looks different from that.
The goal is a reflex, not knowledge
Everyone already knows phishing exists. The problem isn't knowledge, it's what happens in the two seconds after an email that says "invoice overdue, pay today" hits an inbox at 4:50 p.m. You're training a reflex: pause on urgency, check the sender, and when in doubt, report it. Reflexes come from frequent small reps, not annual lectures. That's the whole design principle, and everything below follows from it.
Simulations, not shame
Simulated phishing emails are the reps. Tools like KnowBe4, Microsoft's Attack Simulation Training (included in some 365 plans), Hoxhunt, and Proofpoint send realistic fakes, and clicking one leads to a short "here's what you missed" page instead of a real breach. Used well, simulations are the single most effective piece of a program. Used as a trap, they poison the whole thing.
The difference is what happens after a click. The wrong version: names on a wall, mandatory remedial training framed as punishment, a manager getting an email about you. Do that and people stop reporting real phish too, because reporting means admitting you almost fell for it. We've seen shops where an employee clicked a real malicious link and stayed quiet for two days out of fear. That silence cost more than any training budget.
The right version: the click leads to a 60-second teaching moment, private, immediate, specific to the email they just fell for. That's the best training minute money can buy, because it arrives exactly when the lesson is relevant. Repeat clickers get a friendly extra module, not a public flogging. Failure data goes to the program owner to tune the training, not to managers as a performance metric.
Make reporting one click
If reporting a suspicious email means forwarding it to some address nobody remembers, nobody reports. Put a report button in the mail client itself. Outlook and Gmail both support this: Microsoft's built-in Report button (configurable to route copies to your security team or MSP), Gmail's report phishing option, or the add-in your simulation platform provides, which also tells users instantly when they've caught a simulation.
Then close the loop. When someone reports a real phish, tell them what it was and thank them. A report that vanishes into a void trains people that reporting is pointless. A reply that says "good catch, that was real, we've blocked the sender" trains them to do it again. The metric worth watching isn't click rate, which mostly measures how sneaky your last simulation was. It's report rate, and time-to-first-report. One fast reporter gives your security team a head start on quarantining the same email from forty other inboxes.
Celebrate catches
Flip the incentive from fear to sport. Shout out good catches: a line in the company chat when someone reports a real phish, especially a convincing one. Some teams keep a lighthearted leaderboard of top reporters. It sounds small, and it changes the culture faster than anything else, because it makes the security-aware move the high-status move. People start forwarding each other suspicious emails with "check this one out" energy instead of hiding them.
Leadership participates or it doesn't work. Executives get simulated too, and when the CFO admits in a meeting that the fake DocuSign one nearly got him, that does more for the program than any policy memo. Executives who exempt themselves are also, not coincidentally, the people attackers impersonate and target most.
Realistic cadence, realistic difficulty
Frequency: one simulation per person per month, roughly, with the timing randomized so it's not "first Tuesday means fake phish day." Quarterly is the floor for keeping the reflex alive. More than weekly starts to breed either paranoia or numbness.
Difficulty should ramp. Start with the classics: fake package deliveries, password expiration notices, shared document links. Over time, mix in the ones that actually hurt small businesses: an email that looks like it's from the boss asking someone in finance to change payment details, a fake Microsoft 365 login page, an "updated bank info" note from a vendor. And keep the formal training short: five-minute videos a few times a year beat one annual marathon, every time.
One more thing worth saying plainly: training is a layer, not the defense. Somebody will always eventually click, including you and including us. Email filtering, MFA, and EDR exist to make one click survivable. A program that expects zero clicks is measuring the wrong thing.
How to know it's working
After six months, look for these:
- Report rate on simulations is climbing. Above half your staff reporting is a strong program; most start in the single digits.
- Real phish get reported within minutes, and more than one person reports the same email.
- Click rate trends down but nobody obsesses over it, and no one has been publicly embarrassed by the program.
- People forward each other suspicious texts and calls too, unprompted. That's the reflex generalizing, and it's the real win.
If your current program is the annual video and a gotcha test, the fix costs a few dollars per person per month and a change in tone. Cheap, as security goes, and it's the layer that's on duty every time the filters miss.
Stuck on this, or want it done for you? That's the job.
Email us →