Are You Absolutely Sure Your Phishing Training is Working?


Are your employees prepared to handle phishing attacks?

Be warned: you may not like the answer.

A recent study of 19,000 people found that 97% couldn’t identify phishing emails correctly (1).

And that was when they were actively looking for them.

What happens when they aren’t? When they’ve got a million other things on their mind? When that phishing awareness training was a few months ago, and the details are kind of hazy?

Phishing can happen to anyone.


We all make mistakes. It’s human.

But ongoing training can lessen the number of mistakes employees make, and reduce the chance they’ll fall victim to a phishing email.

That is, when it’s done well.

The Trouble With Current Phishing Awareness Training

The majority of organizations only cover phishing prevention during their annual security awareness course (2). It gets lumped in with a variety of other topics during a jam-packed 1-2 day course.

There are some significant problems with this approach.

For starters, critical information gets lost when you cram a bunch of different topics into a short course. There is simply too much to learn all at once.

In fact, multiple studies have shown that this kind of compressed training doesn’t correspond with how we learn.

Researchers found that retention rates drop significantly when learning is done all at once (3). Training needs to be done over time so employees can practice recalling and applying information.

The second problem with annual training courses is that you can’t respond to problems as they emerge.

You have no idea whether or not employees are actually applying what they learn. And there’s no way to address risky behaviour before it causes a serious security issue.

You Might Think You’re Prepared, But Do You Know For Sure?

You might be thinking, “Okay, I’ll just increase the frequency of awareness courses.”

And you could. But even if you ran a training course every month (which would be insanely costly), you’d still have no idea whether your employees were actually applying that information.

You wouldn’t know you had a problem until you’d already lost millions of dollars’ worth of company information and suffered the humiliation of a data breach.

At that point, it’d be too late to do anything. Your company would lose millions. And you’d definitely be in hot water with your boss for not adequately preparing employees.

A Simple Solution

The answer to the phishing awareness training conundrum is actually astonishingly simple: phish your own employees.

When you “phish” your employees, you can see exactly how they’d handle an attack. You’ll know whether they can spot a phishing email when they aren’t expecting it, and instantly train anyone who falls victim.

But to actually improve your employees’ knowledge of phishing prevention, you can’t just use more of the same ineffective training courses. You have to improve them.

Most companies think that because phishing is a serious problem, training itself needs to be serious. But “serious training” in practice often means “boring.” And when employees are bored they don’t pay attention -- and they certainly don’t retain information.

People learn by practicing. And that’s where game-based training can help.

Game-Based Training + Phishing Simulations

When you combine the power of game-based training with a phishing simulator, you end up with a solution that lets you test and train employees simultaneously, instantly correcting any risky behaviour and reinforcing key concepts.

Game-based training can teach employees about phishing awareness through different game modules, repeating the same content in various formats to reinforce learning concepts. The repetition of content lets employees practice recalling key information, which improves retention rates after they finish the course.

And game-based modules are more engaging for employees, which means they pay closer attention, improving their knowledge and further increasing retention rates post-training.

This approach to phishing training also means you can easily measure the efficacy of your program -- even at Level 3 (Behavior) of the Kirkpatrick Model.

Because you can test individual employees and track their improvements over time, it’s simple to measure whether or not their behaviour has changed as a result of your training program.

And that lets you evaluate not only if your program is effective, but whether or not your employees are applying what they learn -- and thus protecting your organization against phishing attacks.

With Millions of Dollars Potentially at Stake, Don’t You Want to Know Your Employees are Prepared?

The way I see it, you’ve got two options:

  1. You can sit back, run the same annual security awareness course, and hope your employees can spot the next phishing attack that makes its way into their inbox.

  2. OR you can take one simple step and know for sure.

Don’t wait until it’s too late.

Make sure your employees are prepared -- before your company gets phished.


Give It A Try

With Phishing Derby:

The World’s First Gamified Phishing Simulator

Easily test, train, and track your employees’ ability to handle phishing attacks.

(Plus it’s fun -- for them and you!)

Click here to claim your FREE trial