How to Train Employees on Phishing

A step-by-step guide on how to turn click-happy employees into cyber sentinels.

Gareth Shelwell, July 16, 2023 (Updated: October 23, 2023)

In this blog, we will provide a step-by-step walkthrough on how to train your employees on phishing. We will explore practical techniques you can use and share some engaging drills, like the Phishing Olympics!

Whether you're a small startup, a large corporation or anywhere in between, we've got you covered with budget-friendly, effective solutions to turn your workforce into a cybersecurity fortress.


Why Should We Train Employees on Phishing?

It's simple – because cybercriminals aren't taking a vacation. Phishing is a huge threat and growing more widespread every year. According to Tessian research in 2021, employees receive an average of 14 malicious emails per year. Phishing attacks make up over 90% of all data breaches (according to Cisco's 2021 Cybersecurity Threat Trends Report), far outnumbering malware and ransomware attacks, affecting millions of users yearly.

If these figures make you gulp in disbelief, you're starting to understand why security awareness training is not just a nice-to-have but an essential practice every business needs to undertake.

How to Train Employees on Phishing: A Step-by-Step Guide

  • 1

    Start With the Basics: Begin by explaining what phishing is, and how it can be disguised in many forms - from emails, to text messages, to malicious websites.

    It’s important to understand that everyone is coming in with a different level of expertise. One clever way to describe phishing is by using the analogy of phishing being like a wolf in sheep's clothing. It's something harmful masquerading as harmless.

  • 2

    Show Real Examples: Before you begin training employees, give some examples of phishing attacks. Everyone has heard the word, but some examples will bring the concept of phishing to life.


    Let’s start with a bit of fun by sharing this scenario:

    An office is excited because they received an email from the company's CEO with the subject line, "Huge surprise for all employees!" Everyone gathers around as the email is opened. The message contains a link with the text, "Click here to see our new office retreat destination!"

    With anticipation at its peak, they click on the link, only to be met with Rick Astley singing "Never Gonna Give You Up." They've been Rickrolled!

    Another example of phishing, one with less Rickrolling and more punch, is the one about the man who scammed Google and Facebook for over $100 million!

    This man is Evaldas Rimasauskas, a Lithuanian who successfully scammed these two tech giants - Rimasauskas created a company that shared the name of a legitimate Asian hardware vendor, Quanta Computer. Using this name, he sent fraudulent phishing emails to employees at Google and Facebook. The emails were designed to trick these employees into believing that they were conducting business as usual with Quanta.

    Rimasauskas forged invoices, contracts, and letters that were allegedly signed by executives at these tech companies. These documents were used to trick the companies into sending money for goods and services to bank accounts controlled by Rimasauskas, instead of to Quanta.

    Between 2013 and 2015, Rimasauskas tricked these companies into wiring over $100 million to bank accounts he controlled, all through a well-executed phishing scheme. This high-profile case shows that even the most tech-savvy among us can fall for phishing scams if we're not careful.

    Using real-world examples like this not only underscores the importance of vigilance but also makes the abstract concept of phishing more relatable and tangible to your employees.

  • 3

    Simulate Phishing Attacks: It's often said that practice makes perfect. When it comes to training your employees on phishing, this rings especially true. Think of simulated phishing attacks as the ultimate role-play scenario, where employees can experience first-hand the cunning tricks of cyber adversaries.

    Taking this interactive training one step further, you can introduce secondary payloads like fake phishing websites. It helps to show employees different ways a simple phishing attempt can escalate the attack. Plus, embedding real-time training into the phishing simulation platform elevates the learning process. It's like learning to swim in a pool before diving into the ocean - it provides a secure, controlled environment to build confidence and skills.

  • 4

    Gamify the Learning Process: Let's face it - training can sometimes feel like a drag. But what if you brought some of the excitement of games night into the learning process?

    Swimming with sharks (+50 points): Dodged 10 phishing attacks in a row.
    Marathon swimmer (+15 points): Completed all assigned trainings before the due date.
    Phish fingers (-25 points): Fell for ten phishing attacks in a row.

    Some training platforms, like CanIPhish, offer built-in gamification. Take advantage of these tools to maximise engagement!


    To supercharge participation and enjoyment, introduce elements like company-specific quizzes and leaderboards into the training. Quizzes test the employees' knowledge while leaderboards allow them to see their progress compared to others.

    But why stop there? Spice things up with rewards and friendly competitions. Remember back in the day how the prospect of a gold star in school motivated you to do your best? The same principle applies here! By offering incentives such as digital “gold stars” employees can brag about, you not only make learning fun but also inspire employees to go the extra mile.

    As a bonus, consider introducing game elements that promote teamwork, such as grouping employees into teams and seeing which team falls for the fewest phishing attempts. After all, cybersecurity is not just an individual responsibility, it’s a team sport!

  • 5

    Offer Continuous Training: The world of cyber threats is much like a shapeshifting villain - constantly evolving, always coming up with new disguises. Your training needs to match this pace, like the Spam Samurai constantly honing his skills.

    Think of continuous training as your regular gym workout. Just as you wouldn't go to the gym once and expect lifelong fitness (if only!), you shouldn't expect a one-time training session to arm your employees against the ever-changing phishing tactics. Regular refresher courses are your treadmill sessions, keeping your defence muscles flexed and ready.

Evaluate and Improve

Imagine setting off on a long journey without a compass or a map, trying to reach a destination without any checkpoints. Just as you would need those tools to ensure you're on the right path, your training program also needs regular check-ins to ensure it's effectively serving its purpose.

Here's how you can keep a tab on how well your program is doing and what you can do better:

  • Testing: Regularly test your employees' understanding of the training material. This could be in the form of quizzes, practical exams, or even live drills (more on that shortly!). The goal is to measure how well they're absorbing and applying the information. If scores are low across the board, that's your cue to mix things up.
  • Surveys and Feedback Forms: After each training session, consider whipping up a quick anonymous survey or feedback form. Ask about the content, pace, and relevance of the sessions, and always leave space for suggestions. You'll be surprised at the gems you might find!
  • Discussion Groups: Host regular informal team discussions where employees can talk openly about their experiences with the training material. Think of it like a coffee break where you get to learn more about your team's views on the training program. Keep it light to encourage honest feedback.
  • Phishing Simulation Results: Keep track of how your team is doing in the simulated phishing drills. If they're still falling for the bait, it's time to switch gears and revamp your training approach.

Remember, every check-in and every piece of feedback brings you one step closer to a more secure and phishing-proof workspace. Keep your ears open and your program flexible, because no organisation is the same as the next.
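To make the "Phishing Simulation Results" check-in concrete, here is an added example (not code from this post or from CanIPhish) that summarises constructed campaign results by team and round, flags teams whose click rate is not coming down, and computes the per-employee streaks that badges like "Swimming with sharks" and "Phish fingers" would key off. The record fields, the sample data and the 25% click-rate threshold are assumptions, not a real platform export.

```python
"""Summarise phishing-simulation results by team and round.

Added example, not CanIPhish code. Records are constructed sample data;
the field names and outcome labels are assumptions, not an export format.
"""
from collections import defaultdict
from dataclasses import dataclass

# Outcomes in order of increasing severity. "reported" is the desired action;
# "ignored" is neutral; "clicked" and "submitted" (credentials) count as falling for it.
OUTCOME_SEVERITY = {"reported": 0, "ignored": 1, "clicked": 2, "submitted": 3}


@dataclass(frozen=True)
class Result:
    round_no: int   # campaign round, e.g. week 1..4 of a "Phishing Olympics"
    team: str
    employee: str
    outcome: str    # one of OUTCOME_SEVERITY


# Constructed sample data (assumption): two teams, four people each, three rounds.
SAMPLE_RESULTS = [
    Result(1, "finance", "alice", "clicked"),   Result(1, "finance", "bob", "submitted"),
    Result(1, "finance", "carol", "reported"),  Result(1, "finance", "dave", "ignored"),
    Result(1, "eng", "erin", "reported"),       Result(1, "eng", "frank", "clicked"),
    Result(1, "eng", "grace", "ignored"),       Result(1, "eng", "heidi", "reported"),
    Result(2, "finance", "alice", "clicked"),   Result(2, "finance", "bob", "clicked"),
    Result(2, "finance", "carol", "reported"),  Result(2, "finance", "dave", "reported"),
    Result(2, "eng", "erin", "reported"),       Result(2, "eng", "frank", "reported"),
    Result(2, "eng", "grace", "reported"),      Result(2, "eng", "heidi", "ignored"),
    Result(3, "finance", "alice", "submitted"), Result(3, "finance", "bob", "clicked"),
    Result(3, "finance", "carol", "reported"),  Result(3, "finance", "dave", "reported"),
    Result(3, "eng", "erin", "reported"),       Result(3, "eng", "frank", "reported"),
    Result(3, "eng", "grace", "reported"),      Result(3, "eng", "heidi", "reported"),
]


def fell_for_it(outcome):
    """True when the recipient clicked or went further (submitted credentials)."""
    return OUTCOME_SEVERITY[outcome] >= OUTCOME_SEVERITY["clicked"]


def team_round_rates(results):
    """Return {team: {round_no: (click_rate, report_rate)}} with rates in [0, 1]."""
    buckets = defaultdict(lambda: defaultdict(list))
    for r in results:
        if r.outcome not in OUTCOME_SEVERITY:
            raise ValueError(f"unknown outcome {r.outcome!r}")
        buckets[r.team][r.round_no].append(r.outcome)
    rates = {}
    for team, rounds in buckets.items():
        rates[team] = {}
        for rnd, outcomes in sorted(rounds.items()):
            n = len(outcomes)
            clicked = sum(1 for o in outcomes if fell_for_it(o))
            reported = sum(1 for o in outcomes if o == "reported")
            rates[team][rnd] = (clicked / n, reported / n)
    return rates


def teams_needing_refresher(results, max_click_rate=0.25):
    """Teams whose latest click rate is above the threshold (assumed 25%) or has
    not fallen since the first round: the cue to revamp their training."""
    flagged = []
    for team, rounds in team_round_rates(results).items():
        first_click = rounds[min(rounds)][0]
        last_click = rounds[max(rounds)][0]
        if last_click > max_click_rate or last_click >= first_click:
            flagged.append(team)
    return sorted(flagged)


def streaks(results):
    """Per-employee current streak: +n = n consecutive rounds without falling for
    the phish, -n = n consecutive rounds falling for it. A +10 earns a "Swimming
    with sharks" style badge, a -10 a "Phish fingers" one."""
    by_emp = defaultdict(list)
    for r in sorted(results, key=lambda r: r.round_no):   # stable: keeps input order per round
        by_emp[r.employee].append(fell_for_it(r.outcome))
    out = {}
    for emp, fell in by_emp.items():
        streak = 0
        for f in fell:
            if f:
                streak = streak - 1 if streak < 0 else -1
            else:
                streak = streak + 1 if streak > 0 else 1
        out[emp] = streak
    return out


if __name__ == "__main__":
    for team, rounds in team_round_rates(SAMPLE_RESULTS).items():
        for rnd, (click, report) in rounds.items():
            print(f"{team:8} round {rnd}: click {click:.0%}  report {report:.0%}")
    print("needs refresher:", teams_needing_refresher(SAMPLE_RESULTS))
    print("streaks:", streaks(SAMPLE_RESULTS))
```

Report rate matters as much as click rate: a team that neither clicks nor reports is ignoring the drills, not spotting them, so a programme that only tracks clicks would miss that signal.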

Now, the fun part…

Phishing Drills

Cyber-security doesn’t have to be dull - in fact, engaging and fun phishing drills can be the secret ingredient to keeping your employees alert, committed, and engaged. Here are some ideas you can put into practice at your organisation.

The Phishing Olympics

Instead of sending out a routine mock phishing email, turn it into an Olympic event, complete with opening and closing ceremonies.

  • Opening Ceremony: Start with an all-hands meeting (virtual or physical) to announce the start of the Phish Olympics. Describe the event and its purpose, emphasizing the importance of staying vigilant about cybersecurity. You can even design a special logo for the event and use it in your communications.

  • Event Details: Over the next 4 weeks, send out the phishing emails. These will be your equivalent of Phishing Olympic events. Make sure to spread out the emails to make things less obvious! It's a good idea to ramp up the difficulty as the weeks go by so the true phish spotting athletes can shine through!

  • Scoring: Employees are awarded points based on their actions. Spotting a phishing email and reporting it? Gold points! Clicking on a suspicious link? No points, but a friendly reminder of the correct action. You can even introduce bonus rounds where employees who spot the most sophisticated scams get extra points.

  • Closing Ceremony: Once the Phish Olympics are over, gather everyone again. Announce the winners (those who scored the most points) and give out prizes (think fun items like custom 'Phish Olympics Champion' mugs or medals).

But remember, the real prize here is a safer, phishing-aware workplace. Also, make sure to discuss some of the trickier examples from the event, reinforcing the learning points and highlighting the clever tactics used by cyber criminals.

The Phish Olympics not only breaks the monotony of typical training but also encourages healthy competition and camaraderie among your employees while improving their phishing detection skills. It's a win-win!

The Cyber Cops and Robbers challenge

Think of it as a classic cops and robbers game but with a cyber twist! Who will be victorious, the Robbers (IT team) or the Cyber Cops (employees)?

  • Briefing: Kick off the challenge with a team-wide meeting (online or offline) to announce the "Cyber Cops and Robbers" game. Here, you'll outline the details of the game and its significance in enhancing cybersecurity awareness. For extra immersion, create an engaging presentation with a cops and robbers theme.

  • Gameplay: Over a week or two, send out a series of mock phishing emails to your employees. These could vary in complexity from the obvious (emails riddled with spelling errors and dodgy addresses) to the subtle (well-crafted emails mimicking a high-level executive or trusted vendor).

  • Points System: Players earn 'Cop points' for correctly identifying and reporting phishing emails, with extra points for spotting the more sophisticated scams. If a player falls for a phishing attempt, they lose points and the 'Robbers' gain points.

  • Engagement: To keep the excitement going, send out regular updates about the scores. Who's leading the pack of Cyber Cops? How successful are the Robbers? This not only fuels a healthy competitive spirit but also keeps the challenge front-of-mind for all employees.

  • Wrap-up: Once the challenge is over, call everyone back for a debriefing. Announce the top 'Cyber Cops' and hand out rewards like 'Top Cop' certificates or badges.

But don't forget to highlight the learning from the game too. Discuss some of the tactics used in phishing emails sent out during the challenge, explaining why they were used and how to spot such attempts in the future.

This game-like setting of 'Cyber Cops and Robbers' creates a fun, competitive environment that boosts participation and learning, strengthening your first line of defence against phishing - your employees!

Now that the fun and games are over, let's talk about getting into action!

DIY or ‘Get Someone In’

Now, you might be thinking, "Surely, this is going to break the bank." But that's where you'd be pleasantly surprised. CanIPhish offers extremely competitive and transparent pricing for larger/mid-size businesses and free tiers for smaller organisations and those looking to ‘dip a toe in’. There are also open-source solutions that offer some of these features for free and if you have the time and expertise, these tools are a great way to train your employees on phishing at no cost.

Check out our market analysis on the cost of security awareness training platforms and what they offer!

So, regardless of your budget or business size, there's a suitable solution that will transform your employees into cybersecurity experts.

Written by

Gareth Shelwell

An Operations Manager dedicated to helping you safely swim amongst the internet of phish!