The Fundamental Guide to Phishing Awareness Training

By Nitzan Gursky
image July 20, 2021 image 6 MIN READ

Approximately 90 percent of all data breaches result from a phishing attack, according to a recent report from Cisco. Because of phishing’s lucrative nature, the number of successful phishing campaigns continues to climb year over year, resulting in a growing number of security breaches and massive ransomware exploits. To protect against phishing attacks, follow the steps in this guide to deliver engaging and effective phishing awareness training to your entire organization.

6 Necessary steps to a successful phishing awareness program

1. Identify your ‘phish’


As a best practice in choosing a cybersecurity awareness program, you must, first, identify the issue that presents the biggest risk to your employees and your organization. If you’re reading this post, you know that phishing is your biggest risk. But do you know what type of phishing you need to focus on? 

Without proper phishing awareness training, phishing attacks can lead to a data breach or full-blown ransomware event that can threaten your organization’s very existence. Here are some of the most common types of phishing strategies attackers use to trick someone into taking actions that bypass existing security measures. 

Generalized phishing by email or text

Generalized phishing is the most common form of phishing. Malicious actors design a general-purpose email or text message to appear as though it’s originating from a popular service, such as a bank, or from a brand, such as PayPal or Netflix. The message deceptively urges recipients to click a link or install a piece of malware. If recipients click the provided link, they can compromise devices or unknowingly enter classified credentials on what appears to be a legitimate-looking website. But if recipients innocently install malware, they instantly give hackers a foothold to their organization’s internal network. 

Spear phishing

Spear phishing is a more advanced and dangerous form of deception based on information that was previously gathered about the target. It may involve personal information, such as names, addresses, and social security numbers, that are publicly available or were previously exposed through a separate data breach. With this detailed information, an attacker gains greater trust and has a higher chance that a victim will comply with the attacker’s wishes.

Voice phishing

Voice phishing centers on phone scams that start by voice and then encourage users to go to a specific website and enter their usernames, passwords, and other sensitive credentials. In the category of voice phishing is synthetic voice phishing—falsified audio using deepfake technology. With AI and machine learning techniques, attackers can now synthesize authentic-sounding voices of real people. For example, with as little as 30 minutes of recorded audio, an attacker can reproduce the voice of a company’s CEO and use it to request a transfer of funds between accounts.

In-person phishing

In-person phishing—often referred to as social engineeringtricks a person through conversation into carrying out a malicious actor’s agenda. For example, the actor might take on the persona of a member of the IT team and fool another employee into granting them access to the company’s internal network.

2. Focus phishing awareness training on your employees’ unique needs

Every person is unique—an amalgam of geography, culture, role, and life experience. Create content that is personalized to each person’s role, experience, or language. This way, your employees are more likely to engage in it, remember it, and apply it in an actual phishing attack. Focused training yields far superior results in protecting your employees and your organization from an attack over a generalized phishing awareness training approach.

3. Engage employees through action

Engage Phishing awareness training is only effective when it engages employees through action, such as phishing simulation. Training that requires employees to read manuals, attend long training sessions, and deal with a topic that’s seemingly unrelated to their role isn’t effective. 

To engage employees in awareness training, use an interactive or gamification approach. Give employees real-world experiences to become phishing-aware by providing simulations. Integrate recurring phishing simulation campaigns into your company-wide security protocols. Also, by making simulations part of your employees’ workflow, you encourage them to question whether an email is real or a scam.

4. Offer consumable bites of information

Clear and concise messages are critical to understanding. In today’s high-paced work environments, create information in small, consumable bites that are no more than one minute long. This approach makes the information palatable and easier for employees to skim through the information and engage with it. It’s also easier to retain the information compared to long-form training provided in a video, tutorial, or lecture, which can seem intimidating.

5. Train continuously

Training that isn’t maintained erodes. You must maintain phishing awareness training over time. Continuously train and test your employees as part of a regular routine. 

“Information fatigue” is real, constantly bombarding people with an information overload. To combat it, make phishing awareness training a seamless part of their daily routine, without interfering with their general workflow.

6. Measure the effectiveness of your training program

Phishing simulations are often measured based on the click rate—the number of employees that clicked your phishing simulation. The problem is that the click rate only tells you how many employees are falling for the phishing simulations. Without the right context, over time, employees will continue to lack phishing awareness

Instead, look for progress, not participation. Continuously run your awareness program. For example, if you run 10–12 phishing simulations a year, such metrics can provide insight into organizational-wide behavioral changes. The key is to look beyond click rates to see what the data is really telling you in terms of progress. The data can also help you identify high-risk employees and demonstrate the return on your investment (ROI).

Identify and manage high-risk employees

Proper phishing awareness training requires identifying weak spots in the organization. Every organization has two types of high-risk employees.

Demonstrate your ROI


To ensure checks and balances, you’re likely to have to report the ROI of your phishing awareness training program. The key is to tell your data story. Start by explaining your initial goal or goals, such as minimizing the number of high-risk employees. Then show the data that backs your story and supports your goals. 

For example, you can indicate the number of employees trained over time, the meantime between failures, and the ratio of high-risk employees. By telling the overall story, you demonstrate the value of your company’s investment in the program. 

Starting a successful phishing awareness training program

The steps outlined in this post set the foundation that organizations need to build a successful phishing awareness training program. How? Start with BLAST—Behavioral Adaptive Phishing Simulation and Training from CybeReady. With this platform, you can:

CybeReady combines learning expertise, data science, and automation to make security awareness training easy, engaging, and effective. Request a demo.