-
Duration
60 minutes
-
Medium
Interactive-Video
-
Suitable for
Private User / Employee
How to detect and mitigate phishing attacks.
What's Included
How to Detect and Mitigate Phishing Threats
Real-Life and Up-to-Date Examples
Get a broadened risk radar of what can actually happen
Learning Outcomes of this phishing prevention course. Employees will learn:
-
the personal and business ramifications of a cyberattack or data breach.
-
why phishing is the most prevalent form of cyberattack.
-
how cybercriminals spoof email addresses and phone numbers to make their attacks more credible.
-
why phishing does not always happen over email.
-
about the link between malware and email account takeover.
-
the psychological tricks of cybercriminals to get you to act impulsively and trust them.
-
how cybercriminals use techniques similar to those of house burglars in their phishing campaigns to evade detection.
-
how even ultra-vigilant users can get caught out by the phishing techniques that cybercriminals use.
-
about the dangers of malspam and how seemingly harmless marketing emails can get them phished.
-
how hackers can defeat two-factor authentication with one simple trick.
-
how internal phishing works.
-
how impersonation or Vendor Email Compromise phishing works.
-
how multi-stage phishing works.
-
how some seemingly harmless online behaviours can result in you getting phished.
-
the limitations of technical defences such as anti-virus, EDR, secure email gateways and network firewalls in keeping threat actors and their data-stealing malware out, and why personal responsibility in using IT resources is now more important than ever.
DEFINING PHISHING AND PHISHING THREATS
What is Phishing?
Phishing occurs when a user is persuaded to take an action that results in the inadvertent disclosure of sensitive or confidential information such as passwords, VPN access details or MFA codes, or in a malicious attachment or link being opened. Phishing can happen via email, SMS, WhatsApp, telephone, or QR code.
Why is phishing such a big concern?
Phishing is a big concern for organisations because it’s often the first step in attacks such as crypto-ransomware, identity theft, CEO fraud, and business email compromise.
Why does phishing still work?
Phishing still works because many cybercriminals use a clever combination of psychological and technical tricks in their campaigns. For example, they might use a curiosity lure to entice a computer user to open a malicious attachment or link (URL). They also exploit user familiarity with platforms like Microsoft 365 or Google Workspace to garner trust. Their technical tricks include using telephone number spoofing and website (URL) cloning to dupe users into opening links or complying with requests made over the telephone.
What’s the difference between phishing and spear-phishing?
Phishing attacks tend to target a general audience. However, a spear-phishing attack targets a specific individual, group, or industry. For example, a spear-phishing email might target people working in finance departments of organisations (small and large).
What’s the link between phishing and malware?
According to Sophos, 66% of malware is spread via malicious email attachments. A substantial number of malware variants can be delivered through email. These include crypto-ransomware, infostealers, spyware, banking trojans and keyloggers.
THE MAIN PHISHING THREATS IN 2025
What are the main phishing methods of hackers in 2025?
Malicious-file sharing links (e.g. Dropbox phishing, OneDrive phishing, Google Docs phishing, SharePoint phishing, BOX phishing and WeTransfer phishing).
Malicious attachments (e.g. infected Office macros or malicious JavaScript in PDF files)
Malicious phishing URLs (e.g. malvertising and click-jacking websites)
Website Domain Spoofing (e.g. typosquatting and homograph attacks)
Fake internal or external “IT support” telephone calls or SMS messages.
Reverse Phishing (aka Callback Phishing)
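Two of the methods listed above, typosquatting and homograph attacks, can be screened for mechanically before a user ever sees the message. The following Python script is an added example and is not part of the original page or of the SecureClick course material; the trusted-domain list, the confusable-glyph table, the edit-distance threshold and the sample domains are all constructed for illustration.

```python
"""Flag sender or link domains that imitate a trusted domain (typosquats and
homographs). Added example, not part of the original page: the trusted-domain
list, the confusable table and the sample domains are constructed for
illustration; the edit-distance threshold is an assumption, not a tuned value."""
import unicodedata
from email.utils import parseaddr

# Constructed: domains your organisation genuinely corresponds with.
TRUSTED_DOMAINS = {"example.com", "apple.com", "microsoft.com", "sharepoint.com"}

# Glyphs that look like ASCII letters: Cyrillic/Greek lookalikes, digit swaps and
# letter pairs that blur at small font sizes. Illustrative, not exhaustive;
# multi-character entries come first because replacement order matters.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a",
    "0": "o", "1": "l",
}


def normalise_domain(domain: str) -> str:
    """Lower-case, decode punycode (xn--) labels and fold confusable glyphs to ASCII."""
    domain = domain.strip().rstrip(".").lower()
    try:
        domain = domain.encode("ascii").decode("idna")   # xn--pple-43d.com -> аpple.com
    except UnicodeError:
        pass                                             # already Unicode, nothing to decode
    domain = unicodedata.normalize("NFKC", domain)
    for glyph, ascii_equiv in CONFUSABLES.items():
        domain = domain.replace(glyph, ascii_equiv)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a domain taken from a
    sender address or a link."""
    raw = domain.strip().rstrip(".").lower()
    if any(raw == t or raw.endswith("." + t) for t in trusted):
        return "trusted"                       # the zone itself or a host inside it
    norm = normalise_domain(raw)
    for t in trusted:
        if norm == t or norm.endswith("." + t):
            return "lookalike"                 # matches only after undoing glyph tricks
        if t in norm:
            return "lookalike"                 # trusted name embedded: sharepoint.com.evil.net
        if norm.split(".")[0] == t.split(".")[0]:
            return "lookalike"                 # same name, different TLD: microsoft.co
        if edit_distance(norm, t) <= max_edits:
            return "lookalike"                 # typosquat: microsfot.com
    return "unknown"


def classify_sender(header_value: str) -> str:
    """Classify the domain of an RFC 5322 From/Reply-To header value."""
    _, addr = parseaddr(header_value)
    return classify_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else "unknown"


if __name__ == "__main__":
    # Constructed samples of the spoofing styles listed above.
    for sample in ["login.microsoft.com", "xn--pple-43d.com", "rnicrosoft.com",
                   "sharepoint.com.secure-login.net", "microsfot.com", "unrelated.org"]:
        print(f"{sample:35} {classify_domain(sample)}")
    print(classify_sender("IT Support <helpdesk@micros0ft.com>"))
```

The script decodes punycode labels (an internationalised domain name travels on the wire as xn--...), folds lookalike glyphs and digit swaps back to ASCII, and then compares the result to the trusted list three ways: exact match after normalisation, a trusted name embedded ahead of an unrelated registrable domain, and a small edit distance. A "lookalike" verdict is a signal for a human or a mail filter, not proof of malice, and a "trusted" verdict is worth nothing when the attacker controls a subdomain or a file under a genuinely trusted zone, which is exactly what the file-sharing links listed above exploit.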
PHISHING TRAINING AND ITS EFFECTIVENESS
What is phishing training?
Phishing training prepares employees to spot and mitigate phishing threats, such as Microsoft 365 phishing, invoice fraud or CEO impersonation. Several of these threats evade detection by network firewalls, email gateways, and endpoint detection and response (EDR) software. When employees have seen examples of existing threats and what cybercriminals are capable of, they develop a much more questioning attitude. This security-aware culture means your employees substantially lower your organisation's risk.
How effective is phishing awareness training?
Phishing training can effectively reduce employee susceptibility to fake emails and other communications. One academic study found that 80% of organisations reported a significant reduction in phishing susceptibility after implementing such training. Another study showed that even a minimally effective training programme could yield a seven-fold return on investment, while average programmes can achieve a return of 30 times the investment, such is a cyberattack's financial, operational and reputational cost. Even one prevented attack might justify the cost of the training.
What should the goal of employee phishing awareness training be?
The ultimate goal of phishing awareness training is to change employee risk attitudes and behaviours when interacting with suspicious communications over electronic channels. This means the employee is less likely to open a suspicious attachment or link, or to divulge confidential information, such as passwords or MFA codes, to a caller over the phone.
WHY PHISHING TRAINING IS IMPORTANT
Unfortunately, telling your staff not to open anything suspicious is not enough. This often does not provide enough context to the problem. “Telling” usually does not prepare staff to recognise or handle sophisticated phishing or social engineering scams. Our training uses an “active learning” methodology where participants must actively engage with the content instead of passively listening or watching. For example, in our CyberGame – Phishing Edition, participants are actively involved in hands-on phishing scenarios to foster critical thinking, deeper understanding and retention.
Why is phishing awareness training important for employees?
There are many reasons why your employees need to be trained in cyber security awareness or anti-phishing awareness training. These include:
-
To lower the risk of a highly disruptive event, such as a ransomware attack or data breach, which could impact your organisation financially, operationally and reputationally.
-
To satisfy the security requirements of stakeholders such as your investors or key customers.
-
To lower the risk of Business Email Compromise attacks. You might have processes in place already to thwart such an incident, but canny cybercriminals have devised some very clever strategies to circumvent these controls.
-
To lower the risk of a supply chain attack. For example, your customers may be concerned that if your email system is compromised, it will be used as a backdoor to launch an attack on one of their staff.
-
To protect your client or member information (PII). Under GDPR, if you store confidential information belonging to a third party, you have a duty of care to protect it. More than 90% of cyberattacks or data breaches start with phishing. Doesn’t it make perfect sense to train your employees to lower the human risk element in your organisation as much as possible?
-
To comply with cyber security insurance requirements.
-
To stay compliant with GDPR, ISO27001 and PCI DSS standards.
-
To protect sensitive data. Many phishing attacks culminate in sensitive or confidential information being exfiltrated from your organisation. This can end up for sale on the Dark Web and can result in your organisation getting negative publicity in the media.
Should all employees undergo phishing awareness training?
In short, yes! Every employee with an email address or phone number is a potential target. Cybercriminals in 2025 will use sophisticated OSINT techniques, making it very easy for them to obtain employee contact details. So, phishing awareness is needed for every employee, from the C-suite to the shop floor. The mindset of “everyone is a possible target” helps foster a cyber security culture while making your employees more proactive in their IT security behaviours.
CYBER INSURANCE AND PHISHING AWARENESS TRAINING
Why do cyber security insurance companies require that our staff be trained in phishing awareness?
Insurance companies selling cyber insurance know that phishing is statistically the most likely starting point for a cyberattack or data breach. They also know that the human risk factor is lowered for staff trained in identifying and spotting threats. More cyber-resilient and proactive users make cyber insurance claims less likely.
What types of phishing should employees be educated in?
A substantial number of phishing attempts are conducted over email. However, cybercriminals increasingly use SMS (smishing), voice calls and voicemail (vishing), WhatsApp, URL spoofing (for credential harvesting) and telephone pretexting.
DELIVERING THE BEST EMPLOYEE PHISHING TRAINING
What is the best way to teach employees about phishing?
-
Start with a risk assessment. Identify the most common or likely phishing threats to your organisation. A threat intelligence-led approach can work best here rather than simply subjectively speculating on your biggest phishing risks.
-
Conduct an employee phishing awareness baseline assessment. This could be a combination of a learner survey (such as a Cyber Risk Beliefs survey) and a phishing simulation.
-
Devise some KPIs to measure the success of your phishing awareness programme. These might include the simulation click (failure) rate, the rate at which employees report suspicious emails, and the credential submission rate.
-
Devise relevant and engaging content with plenty of real-life phishing samples.
-
Deliver your phishing awareness training on-site, virtually, or via e-learning. Better yet, blend all these mediums and try to make them as interactive as possible.
-
Re-run your phishing assessment and notice how attitudes and awareness towards information security risks like phishing have changed for the better.
-
Run an email or SMS phishing simulation.
-
To reinforce training, running ongoing cybersecurity and phishing awareness programs can be a good idea. These can be conducted via microlearning or refresher webinars.
CUSTOMISED PHISHING AWARENESS TRAINING
What industry sectors do you offer customised phishing prevention training for?
We offer customised cyber security / anti-phishing training for sectors such as construction, local government, life science companies, healthcare tech (SaaS) companies, financial services, education sector, healthcare, pharmaceutical companies, professional service firms and energy firms. This customised phishing training uses real-life examples of peer organisations which have experienced cyber-breach events involving phishing. These custom modules include customised core content and customised assessment modules. The delivery format is usually SCORM, which allows easy upload onto LMS platforms such as LearnUpon, Totara, Docebo, and Moodle. Phishing awareness PPT slides can also be arranged.
TARGETED PHISHING TRAINING FOR REPEAT CLICKERS, NEW HIRES and REMOTE WORKERS
Do you offer targeted phishing training for “repeat clickers” or “repeat offenders”?
We offer remedial training for “repeat clickers” or “repeat offenders.” This can be offered on a one-to-many or one-to-one basis over Zoom, MS Teams or WebEx.
What is the best way to deal with repeat offenders or “repeat clickers?”
Many organisations face the problem of “repeat clickers.” Your first step should often be to discreetly take these users aside and try to ascertain the root cause of their behaviour. Sometimes, simply asking them for the possible reasons can uncover the underlying causes. Once you’ve diagnosed the problem, you can provide “repeat clickers” with remedial phishing training. This targeted training should furnish them with strategies to process emails more carefully.
Why are new hires (recruits) more at risk from phishing?
New hires are typically unfamiliar with their new organisation's protocols and culture. They are also eager to please their colleagues and management, making them more susceptible to attacks such as impersonation. Moreover, some cybercriminal groups specifically target new hires. (They harvest information from social media sites like LinkedIn to find these recruits).
Do you offer phishing prevention workshops for remote workers?
We offer online (e-learning) and live instructor-led interactive anti-phishing workshops for remote workers. Remote workers are at an elevated risk of phishing because they can sometimes be out of the loop with developments in your organisation, making them more susceptible to pretexts that an office-based colleague would recognise as false. Common phishing threats targeting remote workers include business email compromise, SMS phishing, tech support impersonation, and phishing via shadow IT tools (e.g., fake Citrix Receiver apps). Our Human DTECTR training system uses real-life examples of such attacks to show your employees what can happen. It also provides them with best-practice actionable information on how to spot and mitigate such threats.
Does your training use real-life examples of phishing and case studies?
Our training extensively uses real-life examples of phishing and case studies of compromised organisations. We endeavour to make these examples as relevant and up-to-date as possible to make the learning experience impactful, memorable and behaviour-changing.
Aside from email phishing, what other types of phishing does your online or virtual phishing training include?
Our training covers SMS, phone and QR code phishing as well as email. This is important because cybercriminals now use multi-channel and multi-stage elements in their social engineering attacks.
Do you offer social engineering awareness in your training?
Our training covers pretexting and the psychological tricks hackers use in phishing attacks via email, SMS, and phone. We teach your employees to detect the telltale signs of phishing emails, malicious links and emotional triggers. We do this by deconstructing real-life phishing emails.
Does your online course cover impersonation phishing emails?
When cybercriminals pose as trusted entities, such as management or existing suppliers, this is known as impersonation phishing. It is becoming a prevalent attack vector. Our training presents real-life examples of impersonation phishing scenarios to your employees. We educate your team on how to detect this type of attack by looking out for signs of email address spoofing, caller ID spoofing, or AI-generated vishing. Our online assessment tests understanding by using realistic scenarios.
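The signs mentioned above (a familiar name arriving from an unfamiliar address, replies steered elsewhere, a visible From that the sending infrastructure does not back up) can be checked from the message headers before anyone replies. The following Python script is an added example, not part of the original page or of the course material: the organisation domain, the directory of names worth impersonating and the three sample messages are constructed for illustration.

```python
"""Check an inbound message for impersonation and spoofing signals.

Added example, not part of the original page or the course material. The
organisation's domain, the directory of names worth impersonating and the
three sample messages are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                      # assumption: the receiving organisation

# Constructed directory: display names an attacker would borrow -> the domain
# the real person or supplier actually sends from.
KNOWN_SENDERS = {
    "jane doe": "example.com",                          # CEO (assumed)
    "acme supplies accounts": "acme-supplies.example",  # existing vendor (assumed)
}

FAIL_VERDICTS = {"fail", "softfail", "permerror"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_results(msg) -> dict:
    """Pull spf=/dkim=/dmarc= verdicts out of Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts[mech.lower()] = verdict.lower()
    return verdicts


def impersonation_findings(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means no signal."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    findings = []

    # 1. A familiar name arriving from an unfamiliar domain (impersonation / VEC).
    expected = KNOWN_SENDERS.get(display_name.strip().lower())
    if expected and from_dom != expected:
        findings.append(f"display-name impersonation: '{display_name}' expected @{expected}, got @{from_dom}")

    # 2. Replies silently redirected to an attacker-controlled mailbox.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"reply-to mismatch: replies go to @{_domain(reply_addr)}, not @{from_dom}")

    # 3. Envelope sender differs from the visible From (common in header spoofing;
    #    also seen with legitimate mailing lists, so treat as a signal, not a verdict).
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and _domain(return_path) != from_dom:
        findings.append(f"envelope/header mismatch: Return-Path @{_domain(return_path)} vs From @{from_dom}")

    # 4. Authentication verdicts recorded by the receiving gateway.
    auth = _auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) in FAIL_VERDICTS:
            findings.append(f"{mech}={auth[mech]}")

    # 5. Internal phishing: a message claiming to be from our own domain must pass DMARC.
    if from_dom == OUR_DOMAIN and auth.get("dmarc") != "pass":
        findings.append("claims to be internal but DMARC did not pass")
    return findings


# Constructed sample: CEO fraud with a spoofed internal From and a hijacked reply path.
SAMPLE_CEO_FRAUD = """\
Return-Path: <bounce@mailer-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-relay.example.net; dkim=none; dmarc=fail header.from=example.com
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe.ceo@outlook-mail.example.net>
To: finance@example.com
Subject: Urgent wire transfer - confidential

Are you at your desk? I need a supplier paid before 3pm. Reply here, I'm in a meeting.
"""

# Constructed sample: vendor impersonation from a lookalike domain the attacker owns,
# so every authentication check passes.
SAMPLE_VENDOR_LOOKALIKE = """\
Return-Path: <accounts@acme-supplies-invoices.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-supplies-invoices.example; dkim=pass header.d=acme-supplies-invoices.example; dmarc=pass header.from=acme-supplies-invoices.example
From: Acme Supplies Accounts <accounts@acme-supplies-invoices.example>
To: ap@example.com
Subject: Updated bank details for your next payment

Please note our new account details, attached.
"""

# Constructed sample: a genuine internal message, expected to produce no findings.
SAMPLE_CLEAN = """\
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Board pack

Attached as discussed.
"""

if __name__ == "__main__":
    for label, sample in [("CEO fraud", SAMPLE_CEO_FRAUD),
                          ("vendor lookalike", SAMPLE_VENDOR_LOOKALIKE),
                          ("clean", SAMPLE_CLEAN)]:
        print(label, impersonation_findings(sample))
```

The second sample is the vendor email compromise case: SPF, DKIM and DMARC all pass because the attacker registered, and authenticates, their own lookalike domain, so the only signal left is that a familiar display name arrives from an unexpected domain. Passing authentication therefore tells you the message came from where it claims to come from, not that the claimant is who they say they are; that distinction is the one users most often miss.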
Does AI mean more sophisticated phishing emails?
Of course! Hackers have adopted AI with gusto. This has resulted in even more persuasive and nuanced phishing messages, which are usually free from the spelling and grammar mistakes users were once taught to look for. Moreover, AI makes the mass customisation of phishing emails, SMS messages (smishing), voice cloning, etc., much easier.
Does your phishing course cover ransomware prevention?
Phishing is the entry point for a substantial number of ransomware attacks. A phishing email commonly delivers a malware loader or dropper to the victim's device; the loader then establishes a connection to the attackers' command-and-control (C2) server, and the crypto-ransomware payload is delivered over that channel. All of this follows from one attachment being opened or one link being clicked. This is a favourite tactic of ransomware groups such as LockBit 3.0. Having employees trained in phishing awareness dramatically reduces the risk of a ransomware attack. We also educate your employees on how password re-use can lead to credential theft, culminating in a ransomware attack.
What is the best way to teach employees about email phishing and other threats?
Here at SecureClick, we use an active learning methodology. In this method, participants must actively engage with the training content. For example, phishing scenarios are presented to participants and they must select the safest action. This means the content is more likely to be remembered and used in their daily workflows.
Do you provide onboarding training focused on phishing awareness?
We offer anti-phishing training to assist you with your new employee onboarding process. This helps you lower the risk of one of your recruits getting phished.
Does your training come with an online assessment?
Our online assessment includes multiple-choice and scenario-based questions. These questions try to mimic the real-life phishing threats in circulation as closely as possible.
ONLINE ANTI-PHISHING COURSE WITH REPORTING
Does your training come with reporting?
Our e-learning training modules include extensive reporting on user interaction with the training content and assessment scores. This information can be exported to Excel or CSV for further analysis or record-keeping, and completion and score data is passed back to your LMS through the SCORM package.
EASY COURSE SIGN-UPS, TRACKING COMPLETION AND SCORM FORMAT DELIVERY
Is a certificate of course completion offered?
Upon completing our anti-phishing course and attaining a minimum score in the online assessment, the participant is eligible for a certificate of completion. This is tangible proof for auditors, key customers and cyber insurance companies that your team has successfully completed the training.
Does your online /web-based phishing awareness training course offer SSO sign-in?
Our online training platform offers Single Sign-On (SSO). This means you can use Microsoft Entra ID (formerly Azure Active Directory) as the authentication provider, allowing users to log in to the training portal with minimal fuss.
OTHER FREQUENTLY ASKED QUESTIONS ABOUT OUR PHISHING AWARENESS TRAINING
Why is cyber and phishing awareness training so boring?
Cyber and phishing awareness can be perceived as boring (some would say painful…) by many employees because they are not engaged with the subject matter either before or during the training. Compounding this problem, the training content is often delivered as isolated chunks of information that have only tenuous connections to each other. However, the latest research in neurobiology indicates that the brain learns best in narrative formats. This happens to be the format which SecureClick uses. We have “storified” the content where possible using a fictitious organisation called “Atlantic Point”. This makes our phishing training content much more engaging than disjointed generic chunks of information thrown at learners by cartoon characters. And a real-life human delivers our training!
Do you offer real-time online instructor-led phishing training for businesses?
We offer self-paced training via our e-learning platform or live (real-time) interactive anti-phishing training over Zoom, WebEx, or Microsoft Teams.
Are your instructors qualified?
All our instructors have an IT background and are SANS-certified Human Risk Management instructors.
What is the best medium to teach employees about phishing?
SecureClick offers online (e-learning), on-site, and virtual security awareness training delivered over Teams or Zoom. Each client will have different requirements. Sometimes, online self-paced training works best, while other times, live virtual interactive training works best.
Should we incentivise employees with gift cards if they report phishing emails?
This is a very common question we get asked. SecureClick does not encourage the giving of gift cards to employees who are reporting phishing emails. The main reason is this: in general, monetary or gift card rewards do not encourage intrinsic motivation, and such an action might encourage quick wins over a long-term sustainable security culture in your organisation. Instead, you can incentivise your employees with recognition. For example, you can encourage your IT support or security teams to thank users who report phishing emails. And for users who continually report suspicious IT security events in your organisation and help others report, consider rewarding them with the title of “security champion”. A high-visibility gift like a coffee mug or lanyard (branded with your organisation's logo) to denote this status will be appreciated. Such a reward scheme can be much more effective and sustainable than gift cards.
How to make your phishing training more effective by avoiding these 10 pitfalls
There are several pitfalls of phishing awareness courses which can lead to less-than-effective training programmes.
1) Too Easy – Phishing awareness training that feels overly simple may fail to keep the audience engaged, as it lacks the necessary challenge. In some cases, phishing awareness programmes can even come across as condescending, which may further reduce engagement.
2) Too Difficult – At the other end of the scale, some phishing content can overwhelm the audience, causing frustration and disengagement as they struggle to understand or keep up with the material.
3) Overly Technical Language—Such language can create confusion and disengagement, preventing learners from fully understanding and retaining the material. For example, not every user knows what a “domain” is, and it can be a mistake to assume that every participant already knows what “two-factor authentication” is. Our phishing awareness training uses Plain English that non-technical users can understand.
4) Too Boring—With self-paced learning, your phishing training is often competing with mediums such as TikTok, YouTube, and Netflix for attention. Good phishing awareness training sparks participants' intrinsic motivation, so they’ll actually want to log in and do the course. You can enhance your phishing awareness training by using real-life case studies, preferably of peer organisations that have experienced cyber-breach incidents where phishing was involved. You can also run tabletop exercises. For example, here at SecureClick, we run an interactive tabletop exercise where employees have to assume the role of a phisher. We provide participants with prompt sheets containing various tactics they can deploy. This exercise gets them thinking about phishing in a whole new light. At the end of this exercise, it’s common for non-technical employees to talk about phishing kits and cunning social engineering pretexts in a very fluent and matter-of-fact way!
5) Not Enough Real-World Context—Bamboozling learners with information security content is easy. Our phishing training for employees uses real-world examples wherever possible. This engages users, making the subject matter more relatable and memorable.
6) Not Relevant—Learners want content that is relevant to their workflows. If your content on phishing is seen as irrelevant, learners may disengage from the training.
7) Not Interactive Enough—Active engagement is essential for effective learning. Learners who only watch videos passively may miss key information. Incorporating quizzes, multiple-choice, and scenario-based questions that test knowledge directly after each segment can help reinforce learning and ensure better retention.
8) Not Enough Actionable Advice—It’s easy to tell users what “not to do.” Users want to be armed with actionable information on how to spot and mitigate phishing techniques. They do not want to be taught the technical intricacies of how Visual Basic for Applications (VBA) macros can be maliciously embedded in Office documents.
9) Not Measurable—Establishing a baseline measurement of your employees' attitudes and beliefs about specific information security behaviours before training is essential. Since attitudes and beliefs often closely influence behaviours, measuring them again post-training can demonstrate the programme’s effectiveness.
10) Too Much Information – Having hundreds of elearning videos can overwhelm learners, leading to cognitive overload and engagement fatigue. Without a structured learning path and interactive elements, learners may struggle to retain information or apply it meaningfully.
Very Informative
Participant
Recommended
CEO, Cultural Exchange Association, Belfast
Very Helpful
Compliance Officer, Software Development Company, Dublin
Created and Hosted by
Robert Scanlon B.Sc SSAP
Useful Links
Contact Details
-
info@itsecurityawareness.ie
-
+353 1 687 5795
-
Tara Suite, 7 Trinity Street, Dublin 2, Ireland.
Copyright © 2025