
Email hygiene and phishing awareness training

You can configure perfect SPF, DKIM, and DMARC. You can deploy the best email security gateway. And someone on your team will still click a phishing link because the email looked exactly like a password reset from Slack.

Technical controls catch a lot. But the final line of defense is always human judgment. This chapter is about building that judgment across your team — without making everyone hate security training.

Why most security training fails

Traditional security awareness training looks like this: once a year, everyone watches a 45-minute video about passwords and phishing, clicks through some slides, passes a quiz, and forgets everything within a week.

This doesn't work because:

It's abstract — Generic examples don't feel relevant. "Someone might send you a fake email" doesn't prepare people for a convincing email that looks exactly like it came from your CEO.

It's infrequent — One training per year means 364 days without reinforcement. Skills decay fast.

It's passive — Watching videos doesn't build instincts. People need practice.

It feels like punishment — Mandatory compliance training that interrupts real work just annoys people.

The goal isn't to check a compliance box. It's to actually change behavior.

The fundamentals: what everyone needs to know

Before diving into training methods, here's the core knowledge every employee needs.

What is phishing?

Explain it simply: "Phishing is when someone pretends to be someone else to trick you into giving them access or information. They might pretend to be IT, your bank, a vendor, or even your CEO."

The goal is usually:

  • Stealing login credentials (via fake login pages)
  • Installing malware (via attachments or downloads)
  • Getting money (via fake invoices or wire transfer requests)
  • Stealing data (via requests disguised as legitimate)

Why would anyone target us?

Small companies often think they're not worth targeting. Explain the reality:

"Attackers don't always target specifically. Phishing campaigns go out to thousands of companies. If 1% of employees at 1% of companies click, that's still thousands of victims. We're not being personally targeted — we're being swept up in mass campaigns."

And sometimes you are specifically targeted: "Our vendors, our customers, and anyone we do business with could be used against us. If someone compromises our email, they can impersonate us to our customers."

The basic rules

Give people simple, actionable rules:

1. Verify unexpected requests

Any email asking you to:

  • Send money or change payment details
  • Share sensitive data
  • Click a link and enter credentials
  • Download and run something

...should be verified through a separate channel. Call the person using a known number. Walk to their desk. Slack them. Don't reply to the email.

2. Check the sender carefully

Look at the actual email address, not just the display name. Attackers use:

3. Hover before clicking

Before clicking any link, hover over it to see where it actually goes. The text might say "Click here to view your invoice" but the link goes to malicious-site.com/invoice.

4. Be suspicious of urgency

Phishing emails create panic: "Your account will be suspended!" "Respond immediately!" "This is urgent!" Real IT problems don't require you to click a link in the next 10 minutes.

5. When in doubt, report it

If something feels off, report it. Better to report 10 legitimate emails than miss 1 phishing attempt. Make reporting easy and never punish people for reporting.

How to recognize phishing: the detailed guide

Go deeper for people who want to understand the mechanics.

Red flags in the sender

Display name doesn't match email address

From: "Microsoft Support" <[email protected]>

The name says Microsoft, but the address is a random Gmail.

Lookalike domains

From: [email protected]  (rn looks like m)
From: [email protected] (1 instead of l)
From: [email protected] (extra words added)

Free email for business purposes
Legitimate companies don't send official communications from @gmail.com or @yahoo.com.

Red flags in the content

Generic greetings
"Dear Customer" or "Dear User" instead of your name. Legitimate services usually know your name.

Spelling and grammar errors
Not always present in sophisticated attacks, but common in mass campaigns. "You're account has been compromized."

Mismatched URLs
The link text says one thing, the actual URL is different:

<a href="http://malicious-site.com/fake-login">https://accounts.google.com/login</a>

Threats and urgency
"Your account will be terminated in 24 hours unless you verify your identity immediately."

Requests that bypass normal process
"I need you to buy gift cards for a client meeting" — since when do we do that?

Attachments you didn't expect
Unexpected invoices, contracts, or documents from people you don't know.

Red flags in the context

Timing
Phishing often comes at busy times (end of quarter, Friday afternoon) when people are rushing and less careful.

Out-of-character requests
The CEO suddenly asking an intern to wire money? The IT department emailing from a Gmail address? Trust your instincts.

Replies to emails you didn't send
"Per your request, here's the document" — but you never made a request.
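The sender and content cues above (display name vs. address, lookalike domains with "rn" for "m" or "1" for "l", extra words around a brand, free webmail senders, generic greetings, urgency, link text that differs from the real target) can be checked mechanically before a suspicious message goes to a human. The script below is an added example, not code from this chapter; the trusted-brand list, the confusable table and the sample message are constructed, and the two-label "registrable domain" approximation is a simplification you would replace with a public-suffix library in production.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brands your staff actually get mail from (a tuple keeps finding order stable).
TRUSTED_DOMAINS = ("company.com", "google.com", "microsoft.com", "slack.com", "paypal.com")
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Confusable substitutions from the chapter ("rn" looks like "m", "1" instead of "l") plus two more.
CONFUSABLES = [("rn", "m"), ("1", "l"), ("0", "o"), ("vv", "w")]
URGENCY = re.compile(r"\b(immediately|urgent|suspended|terminated|within \d+ hours?)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (customer|user|account holder)\b", re.I)


def registrable(host):
    """Two-label approximation: 'drive-google.malicious-site.com' -> 'malicious-site.com'."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    host = host.lower()
    if not host or registrable(host) in TRUSTED_DOMAINS:
        return None
    label = registrable(host).split(".")[0]
    for fake, real in CONFUSABLES:  # undo rn->m, 1->l style tricks before comparing
        label = label.replace(fake, real)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # rnicrosoft.com -> microsoft, paypa1.com -> paypal; microsoft-support.com embeds the brand
        if label == brand or brand in host:
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs so shown text can be compared with the real target."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    # bare 'www.example.com' link text gets a scheme so urlparse can read it
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def analyze(raw):
    """Return the red flags found in one raw RFC 5322 message given as a string."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_host in FREE_MAIL_DOMAINS:
        flags.append(f"sender: free webmail address {addr}")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display.lower() and registrable(sender_host) != trusted:
            flags.append(f"sender: display name claims {brand} but address is @{sender_host}")
    if (imitated := lookalike_of(sender_host)):
        flags.append(f"sender: {sender_host} looks like {imitated}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if GENERIC_GREETING.search(text):
        flags.append("content: generic greeting")
    if URGENCY.search(text):
        flags.append("content: urgency or threat language")
    collector = LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        real = host_of(href)
        if shown.startswith(("http://", "https://", "www.")) and registrable(host_of(shown)) != registrable(real):
            flags.append(f"link: text shows {host_of(shown)} but goes to {real}")
        if (imitated := lookalike_of(real)):
            flags.append(f"link: {real} looks like {imitated}")
    return flags


# Constructed sample combining several of the chapter's red flags (not a real message).
SAMPLE = """\
From: "Microsoft Support" <msft.helpdesk.2024@gmail.com>
Subject: Action required: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your account will be suspended within 24 hours unless you verify your identity immediately.</p>
<p><a href="http://drive-google.malicious-site.com/doc">https://drive.google.com/share/document</a></p>
</body></html>
"""
```

Running `analyze(SAMPLE)` yields six flags (free webmail sender, display name claiming Microsoft, generic greeting, urgency, link text/target mismatch, lookalike link domain); a message from a colleague with a link to the real drive.google.com yields none.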

Running effective phishing simulations

Simulations are the best way to build real skills. Reading about phishing doesn't compare to experiencing it.

Setting up simulations

Choose a tool:

Free/Open source:

Commercial:

For most small companies, Gophish is sufficient and free.

Create realistic scenarios:

Don't make them obvious. Use scenarios that match your environment:

  • Fake password reset from tools you actually use (Slack, GitHub, Google)
  • Fake shipping notification (everyone orders things online)
  • Fake shared document from a coworker's name
  • Fake IT request that sounds plausible

Start easy, increase difficulty:

  • First simulation: obvious red flags (wrong sender, spelling errors)
  • Second simulation: more subtle (correct branding, plausible content)
  • Later simulations: highly targeted (reference real projects, real colleagues)

What to measure

Click rate — What percentage of people clicked the link?

Report rate — What percentage reported the email as suspicious?

Time to click — How quickly did people click? (Faster = less thought)

Data submission rate — If you used a fake login page, how many entered credentials?

Track these over time. You're looking for:

  • Click rate going down
  • Report rate going up

Handling results

Don't publicly shame people who clicked.

This destroys trust and makes people hide mistakes instead of reporting them. Security requires psychological safety.

Do provide immediate education:

When someone clicks, redirect them to a training page explaining:

  • What they missed
  • How to recognize similar attacks
  • That this was a test and no harm was done
  • How to report suspicious emails in the future

Follow up with individuals who need help:

If someone repeatedly clicks, provide one-on-one training. Some people need more help — that's fine, help them.

Frequency

Run simulations quarterly at minimum. Monthly is better if your tool makes it easy.

Vary the scenarios. If people expect "fake password reset" every time, they'll spot it. Mix up the attack types.

Training formats that work

Short, frequent touchpoints

Instead of one annual marathon, try:

  • 5-minute monthly tips in team meetings
  • Weekly "Phishing Friday" email with a real example
  • Brief reminders before high-risk periods (tax season, holidays)

Show real examples

Collect phishing emails that actually targeted your company. Anonymize if needed, then show:

  • Here's what the attack looked like
  • Here's what gave it away
  • Here's what would have happened if someone clicked

Real examples stick better than hypothetical ones.

Interactive workshops

Skip the slides. Try:

  • Show an email on screen, ask "Real or phishing?" — have people vote
  • Analyze headers together
  • Practice hovering over links
  • Role-play the verification process

Make it a game. Competition keeps people engaged.

Just-in-time training

Deliver training when it's relevant:

  • New employee onboarding: Cover phishing basics
  • After a simulation fail: Provide specific guidance
  • After a real phishing attempt: "Here's what we saw this week"
  • Before major events: "Watch out for tax-related phishing in April"

Building a reporting culture

The goal isn't zero clicks — it's 100% reporting. People will make mistakes. What matters is that they recognize and report quickly.

Make reporting trivially easy

Email button:

  • Google Workspace: Enable "Report phishing" in Gmail
  • Microsoft 365: Add "Report Message" button to Outlook

One click. No friction.

Dedicated email address: Set up [email protected] or [email protected]. Tell everyone: "If you're unsure, forward it here."

Slack/Teams channel: Create #security-reports where people can post screenshots of suspicious emails. This also educates others who see the posts.

Respond to reports

Acknowledge every report. "Thanks for reporting! This was indeed a phishing attempt" or "Thanks for checking — this one was legitimate."

If you don't respond, people stop reporting.

Celebrate reporters. In team meetings: "Sarah caught a phishing attempt this week that could have been bad. Thanks Sarah!" Make reporting a positive thing.

Never punish false positives. If someone reports a legitimate email, thank them anyway. "Better safe than sorry" should be the culture.

Track reporting metrics

Monitor:

  • Number of reports per week
  • Percentage of reports that are actual threats
  • Time from receipt to report
  • Who's reporting vs. who's not

If certain teams never report anything, they might need extra training (or might not know how).

Communicating with employees

How you talk about security matters as much as what you say.

Avoid fear and blame

Bad: "If you click a phishing link, you could destroy the company."
Good: "Phishing is common and increasingly sophisticated. Here's how we protect ourselves."

Fear makes people hide mistakes. You want people to feel safe reporting.

Be practical, not preachy

Bad: "Security is everyone's responsibility and we must all be vigilant at all times."
Good: "Here are three things to check before clicking any link in email."

Specific, actionable advice beats vague principles.

Explain the why

Bad: "You must verify wire transfer requests by phone."
Good: "Wire transfer fraud costs companies millions. Attackers are good at impersonating executives. A 2-minute phone call prevents this."

When people understand why a rule exists, they follow it.

Admit that security is hard

"Phishing emails are getting better. Some of them are really convincing. If you get tricked, it doesn't mean you're stupid — it means the attackers are good at their job. What matters is that you report it immediately."

This is honest and reduces shame.

Training materials template

Here's content you can adapt for your own training.

New employee email security briefing (15 minutes)

Intro (2 min): "Email is how most attacks start. You'll receive phishing emails — everyone does. Here's how to handle them."

The basics (5 min):

  • What phishing looks like
  • The three questions before clicking any link:
    1. Did I expect this email?
    2. Does the sender address look right?
    3. Does the request make sense?

Our reporting process (3 min):

  • How to report suspicious emails (show the button/address)
  • What happens when you report (we investigate and respond)
  • It's always better to report and be wrong than not report and be right

Demo (5 min):

  • Show 3 emails: 2 phishing, 1 legitimate
  • Walk through what to look for
  • Have them identify which is which

Monthly security reminder email

Subject: Security tip: [specific topic]

Hi team,

This month's security tip: [topic]

[2-3 paragraphs with specific, actionable advice]

Example: [real or realistic example of the threat]

What to do: [specific action items]

Questions? Reply to this email or message me directly.

— [Security Champion name]

Keep it short. People won't read long emails.

Post-simulation communication

For people who clicked:

Subject: About the email you clicked earlier...

That was a simulated phishing email from our security team. No harm was done — this was just training.

Here's what the email looked like: [screenshot]

The red flags were:
- [specific red flag 1]
- [specific red flag 2]

For future emails like this:
- [specific advice]

Questions? I'm happy to walk through this with you.

For the whole company (after simulation):

Subject: Results from this month's phishing simulation

Hi team,

We ran a phishing simulation this week to test our awareness and help everyone practice spotting attacks.

Results:
- X% of people clicked the link (down from Y% last time)
- Z people reported it as suspicious (great job!)

The simulated email was: [brief description]

Here's what gave it away:
- [red flag 1]
- [red flag 2]

Remember: if you're ever unsure about an email, forward it to [email protected] or click the "Report phishing" button.

— [Security Champion]

This is the section everyone hopes they never need. Someone clicked a link, entered credentials, or opened an attachment — and it wasn't a simulation.

For employees: the immediate response

If you clicked a suspicious link or entered your password:

  1. Don't panic. Quick action matters more than panicking.

  2. Disconnect from the network (if possible). Turn off WiFi, unplug ethernet. This limits what malware can do.

  3. Report immediately. Message or call your Security Champion, IT, or manager. Don't wait. Don't try to fix it yourself.

    • Slack/Teams: Message the security channel or Security Champion directly
    • Email: Send from your phone (not the possibly-compromised computer) to [email protected]
    • Phone: Call IT or Security Champion
  4. Write down what happened:

    • What did the email say?
    • What link did you click?
    • Did you enter any credentials?
    • Did you download or open any files?
    • What time was this?
  5. Don't use that computer for anything else until IT clears it.

  6. Change your passwords from a different device:

    • Start with email (the master key to everything)
    • Then any accounts you may have entered credentials for
    • Use your password manager on a phone or different computer

If you opened a suspicious attachment:

Same steps, but assume malware may be running. Disconnecting from the network is even more important. Don't try to close or delete the file — you might trigger more actions.

If you sent sensitive information:

Report immediately. If you sent financial data, credentials, or personal information, the company may need to take additional steps (reset accounts, notify affected parties, monitor for fraud).

For Security Champions: the response playbook

When an employee reports clicking a phishing link, here's your process:

First 15 minutes:

  1. Thank them for reporting. Seriously — this is exactly what you trained them to do. "Thanks for letting me know right away. You did the right thing by reporting."

  2. Gather information:

    • What was the email? (Get a copy if possible)
    • What did they click/download/enter?
    • What device were they on?
    • What time did this happen?
    • Are they still connected to the network?
  3. Isolate the device:

    • Have them disconnect from WiFi/ethernet if not already done
    • Use remote wipe if it's a company-managed mobile device
    • For laptops, have IT physically collect if needed
  4. Reset credentials:

    • Force password reset for their account
    • Terminate all active sessions
    • Check for MFA bypass (app passwords, OAuth tokens)

Next hour:

  1. Analyze the threat:

    • What was the phishing campaign? Credential harvest? Malware? BEC?
    • Check the URL/attachment with VirusTotal
    • Check if others received the same email
  2. Check for spread:

    • Search email logs for the phishing email
    • Alert others who received it
    • Block the sender domain/URL if possible
  3. Investigate the account:

    • Check login history for unauthorized access
    • Check sent folder for attacker activity
    • Check for forwarding rules or mailbox rules added
    • Check OAuth/app connections
  4. Clean the device:

    • If malware suspected, don't try to clean — reimage the machine
    • For credential-only phishing, change passwords and monitor
    • Check browser saved passwords (might need to rotate more)
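The "check for forwarding rules or mailbox rules added" step above is where a compromised mailbox most often shows its hand: rules that forward to an outside address, delete or hide messages about passwords, invoices or security, and were created shortly after the click. The triage below is an added example, not code from this chapter or from any mail vendor; the rule field names are a generic shape you would map onto your platform's export, and the four rules, the click time and the attacker address are constructed. It lists reasons for a human to look, not a verdict.

```python
from datetime import datetime, timedelta

# Assumption: rules exported from the mail platform into this generic shape (field names are
# ours, not any vendor's API). The four rules below are constructed; two of them were created
# shortly after the time the employee reported entering credentials.
CLICK_TIME = datetime(2024, 6, 18, 14, 10)
INTERNAL_DOMAIN = "company.com"
SAMPLE_RULES = [
    {"name": "Newsletters", "created": datetime(2023, 2, 1, 10, 0), "keywords": ["newsletter"],
     "forward_to": [], "move_to": "Newsletters", "delete": False, "mark_read": False},
    {"name": ".", "created": datetime(2024, 6, 18, 14, 41), "keywords": ["invoice", "payment", "wire"],
     "forward_to": ["collector@attacker.example"], "move_to": None, "delete": True, "mark_read": True},
    {"name": "Archive RSS", "created": datetime(2024, 6, 18, 14, 52),
     "keywords": ["password", "security", "phishing"],
     "forward_to": [], "move_to": "RSS Feeds", "delete": False, "mark_read": True},
    {"name": "Client mail", "created": datetime(2022, 9, 5, 9, 0), "keywords": ["acme"],
     "forward_to": ["teammate@company.com"], "move_to": None, "delete": False, "mark_read": False},
]

# Subjects an intruder filters so the victim never sees the warning or the money conversation.
SENSITIVE_KEYWORDS = {"password", "security", "phishing", "hacked", "suspicious",
                      "invoice", "payment", "wire", "bank"}
# Folders people rarely open; moving mail there hides it almost as well as deleting it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history",
                  "junk", "deleted items"}


def audit_rule(rule, click_time=CLICK_TIME, internal_domain=INTERNAL_DOMAIN, window=timedelta(days=7)):
    """Return the reasons one rule deserves a look; an empty list means it looks benign."""
    reasons = []
    external = [a for a in rule["forward_to"] if a.rsplit("@", 1)[-1].lower() != internal_domain]
    if external:
        reasons.append(f"forwards to external address {', '.join(external)}")
    if rule["delete"]:
        reasons.append("deletes matching messages")
    if rule["mark_read"]:
        reasons.append("marks matching messages as read")
    if rule["move_to"] and rule["move_to"].lower() in HIDING_FOLDERS:
        reasons.append(f"moves matching messages to the rarely read folder '{rule['move_to']}'")
    hits = sorted(k for k in rule["keywords"] if k.lower() in SENSITIVE_KEYWORDS)
    if hits:
        reasons.append(f"filters on sensitive keywords {hits}")
    if len(rule["name"].strip()) <= 1:
        reasons.append("name is empty or a single character (common for attacker-created rules)")
    if click_time <= rule["created"] <= click_time + window:
        minutes_after = int((rule["created"] - click_time).total_seconds() // 60)
        reasons.append(f"created {minutes_after} min after the reported click")
    return reasons


def audit_rules(rules, **kwargs):
    """Map rule name -> reasons for every rule with at least one reason; benign rules are omitted."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule, **kwargs)
        if reasons:
            findings[rule["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES).items():
        print(f"rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```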

Following days:

  1. Monitor for impact:

    • Watch for unusual logins
    • Check for data exfiltration attempts
    • Monitor for the attacker using stolen credentials
  2. Document the incident:

    • What happened
    • How it was detected
    • What actions were taken
    • What was the impact
    • What can prevent this next time
  3. Communicate appropriately:

    • To the affected employee: "Here's what we found and what we did"
    • To leadership: Brief summary if significant
    • To the company: If widespread campaign, alert everyone

The no-blame follow-up

After the incident is handled, have a short conversation with the employee:

"Thanks again for reporting quickly. That's exactly what we want people to do. Let me show you what the red flags were in this case, so you'll recognize similar attacks in the future."

Walk through:

  • What made this email convincing
  • What the red flags were
  • What you did in response
  • How to prevent similar incidents

This is training, not punishment. If people fear punishment, they'll hide clicks instead of reporting them — and that's much worse.

Quick reference card for employees

Create a simple card (digital or physical) that employees can reference:

I CLICKED A SUSPICIOUS LINK — WHAT NOW?

1. STOP - Don't click anything else
2. DISCONNECT - Turn off WiFi or unplug network
3. REPORT - Message [Security Champion name] or [email protected] immediately
4. WAIT - Don't use the computer until IT checks it
5. CHANGE PASSWORDS - From a different device

DON'T: Try to fix it yourself, ignore it, or wait until tomorrow

Report to:
- Slack: #security-reports or @security-champion
- Email: [email protected]
- Phone: [Security Champion phone]

Post this in Slack, include it in onboarding, put it on office walls. When someone's panicking, they need simple steps.

Security Champion conversation guide

When you need to talk to employees about email security — whether in a group session, one-on-one, or after an incident — here's a structured approach.

Opening the conversation (2-3 minutes)

Don't start with rules or threats. Start with connection.

"I want to talk about something that affects all of us. Email attacks are how most security incidents start — not because people are careless, but because attackers are really good at their jobs. I'm not here to lecture you. I'm here to share some practical stuff that will help protect you personally and protect our company."

Why this works: You're not positioning yourself as the security police. You're a colleague helping everyone.

Making it real (5-7 minutes)

Share a concrete example. Ideally something that happened to your company or industry:

"Last month, a company similar to ours got hit. Someone in finance received an email that looked exactly like it came from their CEO, asking to wire payment for an urgent vendor invoice. It looked legitimate — correct signature, professional language, the right internal references. They wired $40,000. It was fraud."

If you don't have a real example, use a well-known case. Make it vivid:

"Or think about the attack on [Company X]. One employee clicked a link in what looked like a DocuSign email. Within 48 hours, attackers had access to customer data, sent phishing to all their clients, and the company had to disclose a breach."

Then personalize it:

"This could happen to any of us. I've seen phishing emails that I almost clicked on myself. The attackers are getting better every day."

The core knowledge (10-15 minutes)

Cover the three questions to ask before any email action:

"Before you click any link, open any attachment, or respond to any request, ask yourself three questions:

  1. Did I expect this email? If you didn't initiate something, be suspicious. Random invoices, unexpected shared documents, password resets you didn't request — all red flags.

  2. Does the sender look right? Not just the name — the actual email address. [email protected] is different from [email protected] or [email protected].

  3. Does the request make sense? Would the CEO really email an intern about a wire transfer? Would IT ask for your password by email? If something feels off, it probably is."

Walk through the verification process:

"When something seems suspicious but might be legitimate:

  • Don't reply to the email
  • Contact the person through a different channel — Slack, phone, walk to their desk
  • Use a phone number or contact you already have, not one from the suspicious email"

Show the reporting process:

"If you're not sure, report it. Forward the email to [email protected] [or your channel]. I'd rather check 100 legitimate emails than miss one real attack. You will never get in trouble for reporting something that turns out to be safe."

Interactive practice (5-10 minutes)

Show 3-5 emails on screen. For each one, ask:

"Real or phishing? What makes you think so?"

Let people discuss. Walk through the red flags together. Use emails that mix obvious and subtle cues.

Example set:

  1. Obvious phishing (bad grammar, suspicious sender)
  2. Legitimate email that looks slightly suspicious
  3. Sophisticated phishing (good branding, subtle domain issue)
  4. Legitimate automated email (password reset they did request)
  5. BEC attempt (impersonating executive)

The action items (2-3 minutes)

End with specific asks:

"Here's what I need from you:

  1. Before clicking any link — hover first, check the URL
  2. Before entering credentials — verify you're on the real site
  3. When something feels off — report it to [channel/email]
  4. If you click something and realize it's bad — tell me immediately, no judgment"

Questions and close (5 minutes)

"What questions do you have? What situations are confusing?"

Common questions to prepare for:

  • "What if I'm in a hurry?"
  • "What if it really is from an executive and I ignore it?"
  • "Can I get in trouble for clicking?"
  • "How do I know if the site I'm on is real?"

Close with:

"Remember: attackers count on you being busy and distracted. Taking 10 seconds to verify can save us massive problems. And if you ever mess up, just report it fast — that's the most important thing."

Conversation guide: quick reference

Phase            Duration    Key points
Opening          2-3 min     Build connection, not fear
Making it real   5-7 min     Concrete example, personalize
Core knowledge   10-15 min   Three questions, verification, reporting
Practice         5-10 min    Interactive email review
Action items     2-3 min     Specific asks
Q&A and close    5 min       Handle concerns
Total            30-45 min

Employee knowledge test

Use this test after training to verify understanding. Employees who score below 70% (miss more than 3 questions) should get additional one-on-one training.

The test (10 questions)

Share this as a Google Form, Typeform, or whatever survey tool you use.


Email Security Awareness Test

Answer all questions. You need to get at least 7 out of 10 correct.


Question 1: Scenario

You receive an email from "IT Support" asking you to verify your account by clicking a link and entering your password. The email address is [email protected]. What should you do?

  • A) Click the link and enter your password to verify your account
  • B) Reply to the email asking if it's legitimate
  • C) Report the email as suspicious and contact IT through a known channel (Slack, phone)
  • D) Ignore it and hope it goes away

Correct answer: C


Question 2: Scenario

The CFO emails you asking to urgently wire $15,000 to a new vendor. The email address looks correct. What should you do first?

  • A) Process the wire transfer immediately — it's from the CFO
  • B) Reply to the email asking for more details
  • C) Call the CFO using a phone number you already have (not from the email) to verify
  • D) Forward the email to your manager and let them decide

Correct answer: C


Question 3: Knowledge

What is the most important thing to do if you accidentally click a suspicious link?

  • A) Try to close the browser and forget about it
  • B) Run antivirus and hope it catches anything bad
  • C) Report it immediately to the Security Champion or IT
  • D) Wait until the end of the day to mention it

Correct answer: C


Question 4: Skill

You hover over a link in an email. The link text says "https://drive.google.com/share/document" but the URL shows "http://drive-google.malicious-site.com/doc". What does this indicate?

  • A) The link is safe — it mentions Google
  • B) This is a phishing attempt — the actual URL is different from what's displayed
  • C) This is normal behavior for shared documents
  • D) The email system is having technical issues

Correct answer: B


Question 5: Scenario

You receive an email from your colleague Sarah sharing a document. You weren't expecting this. The email address is [email protected], but Sarah's work email is [email protected]. What should you do?

  • A) Open the document — you know Sarah
  • B) Ask Sarah via Slack or in person if she sent this email
  • C) Reply to the email asking if it's really Sarah
  • D) Delete the email without telling anyone

Correct answer: B


Question 6: Knowledge

Which of these is NOT a common red flag for phishing emails?

  • A) Urgent language demanding immediate action
  • B) A sender address that doesn't match the company
  • C) An email sent during business hours
  • D) Unexpected attachments or requests

Correct answer: C


Question 7: Scenario

You clicked a link in an email and entered your password on what you now realize was a fake login page. What should you do? (Select all that apply)

  • A) Report to Security Champion/IT immediately
  • B) Change your password from a different device
  • C) Wait to see if anything bad happens
  • D) Disconnect from the network if instructed

Correct answers: A, B, D


Question 8: Skill

An email claims to be from Microsoft about your account. Which sender email address is most likely legitimate?

Correct answer: A


Question 9: Knowledge

Why is it important to report phishing attempts, even if you didn't click anything?

  • A) So security can block the sender for everyone
  • B) To help track attack patterns
  • C) Others might receive the same email
  • D) All of the above

Correct answer: D


Question 10: Scenario

You receive what looks like a password reset email from a service you use. You didn't request a password reset. What should you do?

  • A) Click the link just to be safe
  • B) Ignore the email — someone probably typed the wrong email address
  • C) Don't click the link, go directly to the service by typing the URL yourself, check your account
  • D) Reply asking who requested the reset

Correct answer: C


Scoring and follow-up

7-10 correct (70%+): Pass. Employee understands the basics.

4-6 correct (40-69%): Needs additional training. Schedule 15-minute one-on-one to review missed concepts.

0-3 correct (below 40%): Requires focused attention. Schedule 30-minute one-on-one, go through scenarios in detail.

One-on-one follow-up for low scorers

Don't make this punitive. Frame it as help:

"Thanks for taking the test. I noticed a few areas where you could use some extra practice. I want to make sure you feel confident handling these situations. Can we spend 15 minutes going through some scenarios together?"

During the session:

  1. Review the questions they got wrong
  2. Explain why the correct answer is correct
  3. Let them practice with additional examples
  4. Ask them to explain back to you: "So what would you do if..."
  5. Schedule a follow-up test in 2 weeks

For repeated low scorers:

Some people genuinely struggle with this. Consider:

  • More frequent one-on-ones
  • Simpler reference materials they can check
  • A buddy system (pair them with a security-aware colleague)
  • Limiting their access to high-risk actions (if appropriate)

Never give up on someone. Keep training, keep practicing.

Special training for high-risk roles

Some people need extra attention.

Finance team

They're the primary target for wire fraud. Train specifically on:

  • Payment change requests must be verified by phone
  • New vendor setup requires verification
  • Urgency is a red flag, not a reason to skip verification
  • It's okay to slow down and verify, even for executives

Run simulations specifically targeting finance with fake payment requests.

Executives

They're impersonated in attacks and targeted for high-value access. Train on:

  • Attackers will impersonate them to trick employees
  • Their accounts are high-value targets — extra caution needed
  • They set the tone — if they take shortcuts, others will too

Executives often skip training. Make it brief and relevant.

New hires

Onboarding is the best time — they're learning processes anyway. Include:

  • Email security basics in day-1 orientation
  • How to report suspicious emails
  • Who to contact with security questions
  • First phishing simulation within first month

IT and admins

They have elevated privileges and are specifically targeted. Train on:

  • Spear-phishing that references internal systems
  • Attackers doing reconnaissance (asking about systems, versions)
  • Social engineering via phone/chat, not just email
  • Never give credentials over any channel, ever

Measuring training effectiveness

Phishing simulation metrics

Track over time:

  • Click rate per campaign
  • Report rate per campaign
  • Time to first click vs. time to first report
  • Repeat clickers (same people clicking multiple times)

Look for trends, not individual data points. One bad simulation doesn't mean failure.

Qualitative indicators

  • Are people asking security questions? (Good sign)
  • Are reports increasing? (Good sign)
  • Are people sharing suspicious emails with each other? (Good sign)
  • Are people complaining about security training? (Might need to adjust approach)

Goal setting

Reasonable targets for a small company:

  • Phishing click rate under 10% (under 5% is excellent)
  • Report rate over 30% (over 50% is excellent)
  • 100% of new hires trained within first week
  • Quarterly simulations running consistently

Tools and resources

Phishing simulation platforms

Free/Open source:

Commercial:

Training content

Free resources:

Phishing examples:

Email analysis tools

Workshop: launch your training program

Block 3-4 hours to set up the foundation.

Part 1: Create training materials (60 minutes)

  1. Write your new employee security briefing (adapt template above)
  2. Create a monthly security tip email template
  3. Set up the #security-reports Slack/Teams channel
  4. Document your reporting process

Part 2: Set up phishing simulations (60 minutes)

  1. Install Gophish or sign up for commercial tool
  2. Create 3 phishing templates of varying difficulty
  3. Import your employee email list
  4. Schedule your first simulation for 1-2 weeks out

Part 3: Prepare response materials (45 minutes)

  1. Write the "you clicked a phishing link" email
  2. Write the company-wide post-simulation summary template
  3. Create a simple tracking spreadsheet for metrics

Part 4: Launch and communicate (45 minutes)

  1. Announce the security training program to the company
  2. Explain that simulations will happen and why
  3. Share how to report suspicious emails
  4. Run the first simulation

Deliverables:

  • New employee training materials
  • Monthly tip email template
  • Reporting process documented and communicated
  • First phishing simulation scheduled
  • Metrics tracking set up

Talking to leadership

If someone asks why you're spending time on training:

"Technical email security catches a lot of attacks, but sophisticated phishing still gets through. Training employees to spot and report phishing is our last line of defense. We're running simulations to measure and improve. Our current click rate is X%, and we're working to get it under 5%. Each person who doesn't click is one less potential incident."

Short version: "I'm training the team to recognize phishing — the attacks our technical filters don't catch."

Self-check: did you actually do it?

Training materials

  • New employee security briefing created
  • Monthly security tip template ready
  • Post-simulation communication templates created
  • Reporting process documented

Infrastructure

  • Phishing simulation tool set up (Gophish or commercial)
  • At least 3 phishing templates created
  • Report button enabled in email client
  • Reporting email address or Slack channel set up

Process

  • First simulation scheduled or completed
  • Metrics tracking started
  • Simulation calendar set (quarterly minimum)
  • Finance team has specific training on wire fraud

Culture

  • Reporting is encouraged and acknowledged
  • No-blame policy communicated
  • Leadership supports the program

If you can check off at least 10 of these 14 items, you're ready to move on.

What's next

You've covered email from every angle: technical authentication, security controls, and human training. That's one of the most important attack vectors handled.

Next chapter: backup strategy — because no matter how good your security is, you need to be able to recover when things go wrong.