How to train your team to spot phishing — without wasting their time
// CYBERSECURITY By Amanjot Singh December 17, 2025 7 min read

Phishing training, without wasting their time.

Most security awareness programs are a quarterly video your team clicks through on mute. Here is what actually changes behaviour — backed by what we have seen across real customer environments.

The phishing-awareness industry is a multi-billion dollar business. Most of it is bad. Here is what we have learned running real programs for Ottawa customers.

The baseline

Per the CIRA 2024 Cybersecurity Survey, 92% of Canadian organisations now provide cyber-awareness training. The number that get it right is much lower. Bad programs share three traits:

  • Annual, video-only training. A 30-minute compliance video once a year does not change behaviour. By month 4 it is forgotten.
  • Punitive simulations. Naming and shaming people who click ensures nobody ever reports a real phish.
  • Generic content. Training that talks about "Nigerian princes" instead of the actual lures hitting your inbox last week.

What works

1. Frequent, short, contextual

Monthly simulations with 2-minute coaching modules attached. Topics rotate: credential harvesting in March, invoice fraud in April, AI-voice impersonation in May. Each module is shorter than a coffee.

2. Coaching, not punishment

When someone clicks a simulation, they get a quick "here is what I should have spotted" page. No email to their manager, no public spreadsheet of click rates. The goal is a workforce that reports phishing to IT, not one that hides clicks out of fear.

3. Easy reporting

A "Report Phishing" button in Outlook (Microsoft Defender includes this; we configure it on rollout). One click, the email goes to the SOC, and the user gets a "thanks, we are looking" autoresponder. Simple ergonomics drive enormous reporting volume — which is the actual win.

4. Make leadership go first

Run the first quarterly simulation against the executive team. Publish results internally only after they have completed their own coaching. It changes the culture.

5. Pair with technical controls

Training is the last line of defence, not the first. Before the user has the chance to misjudge an email:

  • Email gateway has filtered the obvious.
  • MFA blocks the credential-harvest payoff.
  • Conditional Access flags the impossible-travel sign-in from Belarus.
  • DNS filtering blocks the link before the browser loads it.

Training catches the residual. If your training is doing all the work, your stack is wrong.

What 4UIT runs

For managed customers we deploy Sophos Phish Threat (or the customer's preferred platform — KnowBe4, Hoxhunt) integrated with M365. Monthly automated simulations, role-based content, manager dashboards, no shaming. We measure click rate and report rate together — you want the latter going up faster than the former goes down.
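As an added example that is not 4UIT's own tooling, a small Python helper that computes click rate and report rate per monthly campaign and applies the criterion above (report rate should rise faster than click rate falls). The campaign figures are constructed, and the "quiet" warning flags the pattern a punitive program produces: clicks go down while reports stay flat.

```python
"""Track phishing-simulation click rate and report rate together, per campaign."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    month: str       # "YYYY-MM", used for ordering
    delivered: int   # simulation emails delivered
    clicked: int     # users who clicked the lure
    reported: int    # users who used the Report Phishing button


def rates(c: Campaign) -> tuple[float, float]:
    """Return (click_rate, report_rate) as fractions of delivered emails."""
    if c.delivered <= 0:
        raise ValueError(f"{c.month}: campaign has no delivered emails")
    return c.clicked / c.delivered, c.reported / c.delivered


def program_trend(campaigns: list[Campaign]) -> dict:
    """Compare the earliest and latest campaign.

    healthy: report rate gained more than click rate dropped.
    quiet:   clicks dropped but reporting did not grow, which is what
             shaming produces (people hide clicks instead of reporting).
    """
    if len(campaigns) < 2:
        raise ValueError("need at least two campaigns to see a trend")
    ordered = sorted(campaigns, key=lambda c: c.month)
    first_click, first_report = rates(ordered[0])
    last_click, last_report = rates(ordered[-1])
    click_drop = first_click - last_click
    report_gain = last_report - first_report
    return {
        "click_drop": click_drop,
        "report_gain": report_gain,
        "healthy": report_gain > 0 and report_gain > click_drop,
        "quiet": click_drop > 0 and report_gain <= 0,
    }


# Constructed sample data (hypothetical figures, not customer results).
SAMPLE_CAMPAIGNS = [
    Campaign("2025-03", delivered=200, clicked=40, reported=20),
    Campaign("2025-05", delivered=200, clicked=24, reported=90),
    Campaign("2025-04", delivered=200, clicked=30, reported=50),
]

if __name__ == "__main__":
    print(program_trend(SAMPLE_CAMPAIGNS))
```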


Sources: CIRA 2024 Cybersecurity Survey · Sophos 2025 Active Adversary Report.

// Frequently asked questions

Does phishing training actually work?

Yes — when it is continuous, contextual, and includes simulated phishing. Click rates on simulations consistently drop after the first 6–12 months of a sustained program. The CIRA 2024 Cybersecurity Survey reports 92% of organisations now provide some form of cyber awareness training to staff.

How often should we run phishing simulations?

Monthly is the sweet spot — frequent enough to keep awareness current, infrequent enough not to feel like surveillance. Quarterly is the minimum. The Sophos 2025 Active Adversary Report found phishing accounts for ~6% of root causes — small but rising.

What should we do when someone clicks?

Coach, do not punish. The fastest way to ensure no one ever reports a real phish again is to humiliate the first person who fell for a simulation. Coaching content shown immediately after a click is the standard approach, and it works.

What are the most common phishing tactics in 2025?

In our customer base: credential-harvesting pages disguised as Microsoft 365 login (often hosted on legitimate but compromised domains), invoice-redirection fraud (BEC), HR-themed lures ("updated payroll info"), and AI-generated copy that no longer has the grammar tells of older phishing.

How do we stop phishing technically, not just with training?

Layered: an email gateway in front of M365, MFA on every account, Conditional Access blocking sign-ins from anomalous locations, DNS filtering blocking known phishing infrastructure. Training is the last layer — not the first.
