Phishing Training for Employees

Phishing training for employees is one of the most neglected aspects of cybersecurity, even though studies and phishing simulation data show that training can significantly improve an organization’s security posture.

Many cyberattacks target employees and try to trick them into handing over sensitive data or installing malware, and the easiest way to do that is through phishing. Phishing is the main way that malware is delivered, with one study by Symantec indicating that 92% of malware infections occur via email. The use of stolen credentials is commonplace, and phishing is one of the main ways that credentials are obtained.

IT departments often view employees as a weak link in the security chain, and for good reason. The IT department can put a range of measures in place to block phishing attacks and malware infections, only for an employee to respond to a phishing email, disclose their credentials, and give an attacker access to their account, or to open an email attachment without thinking and infect their device with malware.

Businesses that do not provide phishing training for employees have to hope that their email security solution blocks every phishing attempt, and that should a phishing email reach an inbox, their employees will be able to recognize and avoid the threat. That is not a sensible approach, and it is a big mistake to assume that an email security solution will block all phishing emails. Further, phishing also occurs over the phone, via SMS messages, and on the web, and an email security solution will do nothing to block those attacks.

According to the Verizon 2021 Data Breach Investigations Report, phishing attacks on businesses increased by 11% in 2021, and account for at least 36% of all data breaches. The Federal Bureau of Investigation and the Anti-Phishing Working Group both report that phishing attacks doubled in 2020. The Verizon DBIR indicates the human element is involved in 85% of all data breaches, which is commonly due to a lack of security awareness training. Training can reduce the risk of suffering cyberattacks and data breaches.

Do Businesses get a Good ROI from Providing Phishing Training for Employees?

Providing security awareness training to the workforce, especially phishing training for employees, ensures everyone is made aware of the threat of cyberattacks, knows the importance of maintaining good cyber hygiene, and understands the common signs of phishing attempts. How effective is phishing training for employees and security awareness training in general? According to a study conducted by the Ponemon Institute, “even the least effective training programs have a seven-fold ROI, and the average performing program results in a 37% return on investment.”

Another study, conducted by Osterman Research, explored the effect of phishing training for employees and how the provision of such training improved the ability of employees to recognize phishing and other threats. The biggest wins were in recognizing mass-mailed phishing attempts, with the perceived ability to recognize these scams increasing from 23% before training to 68% after. There was a jump from 27% to 63% in the perceived ability to identify spear phishing emails, and a jump from 24% to 57% in the ability to recognize social media and web-based scams. That study indicated small businesses with fewer than 1,000 employees got a decent ROI from security awareness training (69%), whereas large organizations with 1,000+ employees saw an ROI of 562% from providing security awareness training.

Tips for Getting the Most Out of Employee Phishing Training

Providing phishing training for employees will help them to recognize the signs of phishing and avoid any threats they encounter in their inboxes, via their phones, or over the internet, but to get the most out of training, be sure to take these phishing training tips on board.

Make Training Interesting and Fun

If you want to engage employees and effect a change in security culture, you should ensure that security awareness and phishing training is interesting and fun for employees. Use a training course with a variety of content, videos, and interactive elements. Don’t just hand out printed sheets. Gamified training content will improve engagement and knowledge retention.

Train Using Real Examples of Phishing Attacks

If you want to teach employees how to recognize a real phishing attempt, use real examples of phishing in the training and ensure you provide many different phishing examples, including hyperlinks, attachments, macros, SMS phishing (smishing), website-based phishing attempts, and spear phishing.

Ensure the Training is Relevant

Different users in the organization will be targeted with different types of phishing tactics. Ensure that the HR department is trained on CV/resume-related phishing, and that finance/payroll employees are made aware of business email compromise (BEC) attacks that attempt to divert payroll or trick them into making fraudulent wire transfers. Keep training relevant for each user group.

Training must be an Ongoing Process

Phishing tactics constantly change, and so should training content. Keep security fresh in employees' minds by providing training several times a year and updating the training course to reflect current and emerging threats. A once-a-year training course is not going to be enough given the rapidly changing threat landscape.

Deliver Phishing Training for Employees in Small Doses

Long training sessions provide too much information in one dose for it to be fully assimilated. Provide training in small doses, such as training modules of 10-15 minutes. This will make it easy for employees to stay focused and take the training on board, while also making it easy to fit training into busy workflows.

Make it Easy for Employees to Report Phishing Threats

If an employee encounters a suspicious email or correctly identifies a phishing threat, they need to report it to the security team. There may be similar emails elsewhere in the email system that need to be removed. Make it as easy as possible for employees to quickly report threats, such as by providing a mail client add-on that allows one-click reporting.

Conduct Phishing Simulations

If you just provide training but don’t conduct phishing simulations, you will have no idea how effective the training has been. Phishing simulations highlight gaps in knowledge, such as types of phishing that may have been poorly explained in training or missed altogether. Phishing simulations also help the IT team to identify individuals who require additional training. Also, use phishing simulations to measure how the security awareness of the workforce changes over time and determine the ROI of providing training.
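The measurement described above (click rate and report rate per campaign, per-department breakdown, repeat clickers who need additional training, and the trend over time) can be computed from the export of any simulation platform. The following is an added example, not code from the original article or from any particular vendor; the campaign results, user names and departments are constructed sample data, and the record layout is an assumption about what a simulation export contains.

```python
"""Phishing simulation metrics: click rate, report rate, trend and repeat clickers.

Added example (not from the original article). The records below are constructed
sample data; a real programme would export them from its simulation platform.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SimResult:
    """One employee's outcome in one phishing simulation campaign (assumed layout)."""
    campaign: str    # label of the form "YYYY-Qn", so string order is chronological
    user: str
    department: str
    clicked: bool    # followed the simulated lure (link, attachment, credential form)
    reported: bool   # reported the message to the security team


def _r(user: str, dept: str, campaign: str, clicked: bool, reported: bool) -> SimResult:
    return SimResult(campaign, user, dept, clicked, reported)


# Constructed sample data: six hypothetical employees across three campaigns.
SAMPLE_RESULTS: List[SimResult] = [
    # 2021-Q1: baseline campaign, high click rate, almost nobody reports
    _r("alice", "HR", "2021-Q1", True, False),
    _r("bob", "HR", "2021-Q1", True, False),
    _r("carol", "Finance", "2021-Q1", True, False),
    _r("dave", "Finance", "2021-Q1", True, False),
    _r("erin", "Engineering", "2021-Q1", False, True),
    _r("frank", "Engineering", "2021-Q1", False, False),
    # 2021-Q2: after the first training round, clicks fall and reports rise
    _r("alice", "HR", "2021-Q2", True, False),
    _r("bob", "HR", "2021-Q2", False, True),
    _r("carol", "Finance", "2021-Q2", True, False),
    _r("dave", "Finance", "2021-Q2", False, False),
    _r("erin", "Engineering", "2021-Q2", False, True),
    _r("frank", "Engineering", "2021-Q2", False, True),
    # 2021-Q3: one persistent clicker remains
    _r("alice", "HR", "2021-Q3", True, False),
    _r("bob", "HR", "2021-Q3", False, True),
    _r("carol", "Finance", "2021-Q3", False, True),
    _r("dave", "Finance", "2021-Q3", False, True),
    _r("erin", "Engineering", "2021-Q3", False, True),
    _r("frank", "Engineering", "2021-Q3", False, True),
]


def campaign_metrics(results: List[SimResult]) -> Dict[str, Dict[str, float]]:
    """Click rate and report rate per campaign, keyed in chronological order."""
    buckets: Dict[str, List[SimResult]] = defaultdict(list)
    for r in results:
        buckets[r.campaign].append(r)
    out: Dict[str, Dict[str, float]] = {}
    for campaign in sorted(buckets):
        rows = buckets[campaign]
        n = len(rows)
        out[campaign] = {
            "recipients": n,
            "click_rate": round(sum(r.clicked for r in rows) / n, 3),
            "report_rate": round(sum(r.reported for r in rows) / n, 3),
        }
    return out


def department_click_rates(results: List[SimResult], campaign: str) -> Dict[str, float]:
    """Click rate per department for one campaign: shows which user groups need targeted content."""
    by_dept: Dict[str, List[bool]] = defaultdict(list)
    for r in results:
        if r.campaign == campaign:
            by_dept[r.department].append(r.clicked)
    return {d: round(sum(v) / len(v), 3) for d, v in sorted(by_dept.items())}


def repeat_clickers(results: List[SimResult], min_clicks: int = 2) -> List[str]:
    """Users who clicked in at least `min_clicks` campaigns: candidates for additional training."""
    counts: Dict[str, int] = defaultdict(int)
    for r in results:
        if r.clicked:
            counts[r.user] += 1
    return sorted(u for u, c in counts.items() if c >= min_clicks)


def click_rate_change(results: List[SimResult]) -> float:
    """Change in click rate from the first to the last campaign (negative means improvement)."""
    metrics = campaign_metrics(results)
    campaigns = list(metrics)
    if len(campaigns) < 2:
        return 0.0
    return round(metrics[campaigns[-1]]["click_rate"] - metrics[campaigns[0]]["click_rate"], 3)


if __name__ == "__main__":
    for name, m in campaign_metrics(SAMPLE_RESULTS).items():
        print(f"{name}: clicked {m['click_rate']:.1%}, reported {m['report_rate']:.1%}")
    print("Q1 by department:", department_click_rates(SAMPLE_RESULTS, "2021-Q1"))
    print("Repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    print("Click-rate change since baseline:", click_rate_change(SAMPLE_RESULTS))
```

The report rate is worth tracking alongside the click rate: a campaign where clicks fall but reports do not rise suggests employees are ignoring suspicious mail rather than escalating it, which leaves the security team without the signal it needs to find copies of the same message elsewhere in the mail system.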


Phishing training for employees is essential if you want to develop a security culture in your organization and has been shown to be effective at reducing susceptibility to phishing attacks. When combined with technical defenses such as email filters, web filters, multi-factor authentication, and antivirus software, businesses will be well protected from phishing attacks.