Fraud Blocker

Training Teams to Spot Phishing Emails: Best Practices

  • Writer: Henry McIntosh
  • 7 days ago
  • 12 min read

Phishing emails are responsible for 93% of cybercrime in the UK, with businesses losing an average of £3.8 million per breach. These attacks exploit human psychology, targeting employees with deceptive messages to steal sensitive data, distribute malware, or commit fraud. Marketing teams, often managing sensitive information, are frequent targets due to their public-facing roles.

To protect your organisation, train employees to spot phishing attempts by recognising key red flags, including unusual sender addresses, urgent language, mismatched URLs, and suspicious attachments. Simulated phishing tests, regular training sessions, and a no-blame reporting culture can reduce errors by over 50% and strengthen your defences.

Key Takeaways:

  • Types of phishing: Standard phishing (mass emails), spear phishing (targeted attacks), and business email compromise (BEC).

  • Common signs: Typosquatted domains, generic greetings, urgent requests, and unexpected attachments.

  • Prevention tips: Enable multi-factor authentication, conduct regular training, and use simulated phishing tests to build awareness.

Phishing awareness fades within 4–6 months, so schedule training every four months and run simulations every 4–6 weeks. Equip your team with the tools and knowledge to act as a "human sensor" network, helping to protect your organisation from costly breaches.

[Embedded media: Phishing Attack Statistics and Training Impact on UK Businesses]

[Embedded media: Phishing Attack Awareness and Training with Josh Bartolomie]


What Are Phishing Threats and How Do They Impact Businesses?

Phishing is a type of social engineering attack where cybercriminals craft scam messages to deceive recipients into sharing sensitive information, making payments, or unknowingly downloading malware [2][8]. Instead of exploiting technical flaws, these attacks prey on human psychology. In fact, 91% of UK companies experienced at least one successful phishing attack in 2022 [8].

The nature of phishing has evolved significantly. No longer limited to generic spam, attackers now employ three distinct methods, each varying in complexity and precision. For marketing teams - who often manage sensitive data and maintain visible online profiles - understanding these methods is crucial.


Phishing vs. Spear Phishing vs. BEC

Standard phishing is like casting a wide net. Attackers send out thousands of identical emails, often impersonating trusted brands such as banks, delivery companies, or software providers, hoping that at least a few recipients will fall for the scam [2][11]. These campaigns rely on sheer numbers rather than targeting.

Spear phishing, on the other hand, is far more targeted. Attackers dig into a victim's digital footprint - social media profiles, job roles, or public announcements - to craft highly personalised messages [2][11]. For example, a 2025 attack in Edinburgh disrupted systems for 2,500 pupils during exam periods [9].

Business Email Compromise (BEC) takes phishing to another level of sophistication. Criminals impersonate trusted individuals - like CEOs or vendors - to trick employees into making fraudulent payments or sharing sensitive data [11][12]. BEC has advanced through three stages:

  • BEC 1.0: Use of fake email addresses resembling legitimate ones.

  • BEC 2.0: Hijacking real, compromised accounts.

  • BEC 3.0: Exploiting legitimate SaaS platforms like QuickBooks or SharePoint to send malicious notifications that bypass security systems [12].

In 2022, the FBI recorded over 20,000 BEC incidents in the US, leading to $2.7 billion in losses [12].

Attack Type       | Target                   | Personalisation Level        | Primary Goal                   | Example Scenario
------------------|--------------------------|------------------------------|--------------------------------|-----------------------------------------------------------------------------
Standard Phishing | Mass audience            | Low (generic greetings)      | Credential theft/Malware       | Fake "Microsoft 365" login alert sent to all employees [3].
Spear Phishing    | Specific individual/team | High (uses personal details) | Targeted data/System access    | Email referencing a trade show to request payment for a "booth invoice" [10].
BEC               | Business process/Finance | Very High (trusted figure)   | Financial fraud/Wire transfers | CEO urgently requesting a wire transfer for a "confidential acquisition" [10].

By recognising these methods, businesses can better prepare their teams - especially marketing departments - to spot and counter these threats.


How Phishing Attacks Damage Businesses

The impact of phishing extends far beyond the initial breach. 26% of UK businesses reported direct financial losses due to phishing, with the average data breach costing between £3.1 million and over £4 million [8][9]. For industries like finance or pharmaceuticals, the fallout can be even more severe.

Compliance penalties are a major concern. Phishing attacks often expose sensitive personal data, classified as "special category information" under UK GDPR. This triggers mandatory reporting to the ICO and could result in hefty fines [8].

Operational disruption is another significant risk. Phishing frequently serves as the gateway for ransomware attacks, which can encrypt critical databases and bring business operations to a standstill [8]. Marketing teams are particularly at risk due to the high volume of unsolicited emails they receive and their publicly visible roles, which attackers exploit for research [2].

"Phishing success depends entirely on human decision-making - an employee clicking a malicious link, downloading an infected attachment, or forwarding credentials." – Amvia [9]

The damage to reputation can be even harder to recover from. When attackers spoof a company’s domain, legitimate emails may be flagged as spam, and the business’s name could become linked to fraud [2]. For marketing teams, whose success relies heavily on trust, this kind of reputational hit can take years to mend. To make matters worse, AI-driven phishing has removed many traditional warning signs, such as poor grammar, making these scams nearly indistinguishable from genuine communication [9].


How to Identify a Phishing Email

Phishing remains a major cybersecurity threat. According to the Cyber Security Breaches Survey 2025, phishing accounted for a staggering 93% of all cybercrime in the UK, with 84% of UK businesses identifying it as their most common type of attack in 2024 [3][14][15]. Training teams to recognise the warning signs is crucial - continuous awareness programmes can reduce phishing-related errors by over 50% [13]. Below are some consistent indicators that can help separate genuine emails from malicious ones.


Common Warning Signs to Look For

One of the first things to check is the sender's email address. Legitimate organisations typically use official domains (e.g., @chase.com), while phishing emails often rely on public domains like @gmail.com or use typosquatted domains - slightly altered versions of real ones, such as replacing letters with similar-looking numbers.

The tone and greeting of phishing emails are another giveaway. They often use urgent or threatening language, such as "Your account will be closed" or "Immediate action required", to create a sense of panic. Additionally, generic greetings like "Dear Valued Customer" are a hallmark of phishing campaigns, as opposed to personalised messages [1][3][15].

Hyperlinks in phishing emails can be deceptive. The text you see might not match the actual destination URL. Hovering over the link (or pressing and holding on mobile) reveals where it truly leads. This is especially critical as 85% of users now check emails on smartphones, where only the sender’s name is displayed by default, making it easier to miss discrepancies [3][14]. Always tap the sender's name to view the full address.

Attachments should also raise suspicion, particularly if they’re unexpected or come with extensions like .zip, .exe, or .scr. For example, in March 2025, a phishing scam disguised as an IRS notice used ZIP files to distribute malware [3][14]. Even Word or PDF files can be dangerous if they contain malicious macros. Remember, legitimate organisations rarely ask for sensitive details - like passwords or credit card numbers - via email [1][15].

"Phishing attacks are designed to manipulate people into giving up sensitive information, clicking malicious links or downloading dangerous attachments." – IT Governance [3]

If an email contains an unusual request, such as asking for a wire transfer or password reset, verify it by reaching out to the organisation directly through a separate channel.


Comparison Table: Legitimate vs. Phishing Emails

Here’s a quick reference to help spot the differences between genuine and phishing emails:

Characteristic | Legitimate Email                          | Phishing Email
---------------|-------------------------------------------|----------------------------------------------------------------------------------
Sender Address | Official company domain (e.g., @chase.com) | Public domains (e.g., @gmail.com) or typosquatted versions (e.g., @micros0ft-teams.net)
Greeting       | Personalised with your name               | Generic (e.g., "Dear Valued Customer")
Tone           | Professional and neutral                  | Urgent, threatening, or overly emotional
Hyperlinks     | Lead to official, recognisable domains    | Mismatched text and URL (e.g., "chase.com" links to "chase-secure-login.com")
Attachments    | Relevant and expected                     | Unexpected; often risky file types (e.g., .zip, .exe)
Requests       | Directs users to secure apps or websites  | May ask for sensitive details or prompt risky actions

The best defence is always verification. If an email seems suspicious, confirm its authenticity by contacting the organisation through a trusted method, like calling their official number or visiting their website. Additionally, enabling multi-factor authentication provides an extra layer of security. Even if your credentials are compromised, attackers won’t be able to access your account without the secondary authentication factor [10][15].
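The warning signs listed under "Common Warning Signs to Look For" and in the comparison table above (typosquatted sender domains, public webmail senders, link text that does not match the real destination, risky attachment types, urgent wording and generic greetings) can be turned into a mechanical check that a security team might run over reported emails before a human looks at them. The script below is an added example written for this article, not code from the author or from any product; the trusted-domain list, webmail list, phrase lists and both sample messages are constructed assumptions for the demonstration, and it reads a raw RFC 822 message with Python's standard `email` package. It goes slightly beyond the text by also catching one-character typos (e.g. chasse.com) via edit distance, not only digit-for-letter substitutions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Reference data constructed for this example (not from the article): the
# organisation's own domain plus brands it expects mail from, webmail domains a
# business sender should not be using, and attachment types to treat as risky.
TRUSTED_DOMAINS = {"example.co.uk", "microsoft.com", "chase.com"}
PUBLIC_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
RISKY_EXTENSIONS = {".zip", ".exe", ".scr", ".iso", ".js"}
URGENT_PHRASES = ("immediate action required", "account will be closed",
                  "within 24 hours", "verify now")
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user")
# Digits attackers substitute for similar-looking letters (micros0ft, paypa1).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos such as chasse.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None                                   # exact match or a genuine subdomain
    canonical = domain.translate(HOMOGLYPHS)          # micros0ft-teams.net -> microsoft-teams.net
    for legit in sorted(TRUSTED_DOMAINS):
        brand = legit.split(".")[0]
        if re.search(rf"\b{re.escape(brand)}\b", canonical):   # brand reused as a whole label
            return legit
        if edit_distance(canonical.split(".")[0], brand) == 1:  # one typo away from the brand
            return legit
    return None


def mismatched_links(html):
    """Flag anchors whose visible text names a host different from the real destination."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        shown = HOST_RE.search(re.sub(r"<[^>]+>", "", text))
        actual = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1).lower().removeprefix("www.") != actual.removeprefix("www."):
            findings.append(f"link text '{shown.group(1)}' actually points to {actual}")
    return findings


def analyse(raw_email):
    """Return the list of phishing indicators found in a raw RFC 822 message string."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings = []
    _, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    if sender_domain in PUBLIC_WEBMAIL:
        findings.append(f"sender uses public webmail domain {sender_domain}")
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} imitates {imitated}")

    bodies = []
    for part in msg.walk():                            # visit every MIME part
        filename = part.get_filename()
        if filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"risky attachment {filename}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            bodies.append(part.get_content())
    body = "\n".join(bodies)
    findings.extend(mismatched_links(body))

    haystack = (str(msg.get("Subject", "")) + "\n" + re.sub(r"<[^>]+>", " ", body)).lower()
    if any(p in haystack for p in URGENT_PHRASES):
        findings.append("urgent or threatening language")
    if any(g in haystack for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    return findings


# Two constructed messages for the demonstration (not real mail).
PHISHING_SAMPLE = """\
From: "Microsoft 365 Security" <alerts@micros0ft-teams.net>
To: jane@example.co.uk
Subject: Immediate action required: your account will be closed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Valued Customer,</p>
<p>Review the attached invoice and sign in at
<a href="https://micros0ft-login.net/verify">microsoft.com</a> within 24 hours.</p>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

LEGITIMATE_SAMPLE = """\
From: "Payroll" <payroll@example.co.uk>
To: jane@example.co.uk
Subject: March payslip now available
Content-Type: text/plain; charset="utf-8"

Hi Jane,

Your March payslip is available in the HR portal at https://hr.example.co.uk/payslips.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, "->", analyse(sample) or ["no indicators"])
```

The checker deliberately returns a list of named indicators rather than a verdict: one hit (a public webmail sender) is common in genuine mail from small suppliers, whereas several together are what the training teaches people to act on. Note the subdomain handling in `lookalike_of`, without which genuine mail from a brand's own subdomain would be flagged as a look-alike, and the word-boundary match that stops "purchase-orders" from being reported as an imitation of "chase".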


How to Build a Phishing Awareness Training Programme

Creating an effective phishing awareness programme requires more than a one-off presentation. It’s about designing a structured, ongoing strategy that delivers measurable results. In fact, such programmes can be highly effective with just under two hours of training per user annually [4]. Considering that 91% of UK companies faced at least one successful phishing attack in 2022 [8], and phishing awareness tends to fade within 4–6 months after training [4], maintaining consistent engagement is key. A strong foundation begins with initial assessments, which pave the way for targeted and continuous training.


Set Training Goals and Assess Current Risks

Start by defining clear training objectives that align with the critical phishing detection skills covered earlier. Your programme should empower employees to spot phishing attempts, understand reporting protocols, and verify suspicious requests through alternative channels. To gauge your organisation’s current vulnerability, conduct a baseline assessment using an unannounced simulated phishing test. This will help identify weak spots and knowledge gaps across your team [6].

The results can also highlight "Very Attacked People" (VAPs) - those individuals who are frequently targeted by sophisticated attacks [16][4]. These team members may need additional, tailored training beyond the standard curriculum. For example, marketing teams might require specific guidance on verifying unusual requests, such as changes to vendor bank details or urgent technical support prompts [5]. Documenting such procedures ensures clarity and preparedness.


Create Practical Training Materials

Develop training materials that address common phishing tactics, such as urgency cues and spoofed domains, while also providing clear instructions on how to report suspicious emails [6]. Use a mix of formats to keep employees engaged, including short video tutorials (2–3 minutes), interactive quizzes, and modules featuring real-world phishing examples [6][4]. Tailor your content to reflect current threats, such as tax season scams, pandemic-related alerts, or impersonations of brands like Microsoft, to make the training more relevant [4][7].

Incorporate gamification to deepen understanding - friendly competitions where employees create simulated phishing emails can help them think like attackers [2][7]. Use leaderboards and contests sparingly to avoid creating a punitive environment. The aim is to build a culture where employees feel safe reporting mistakes instead of fearing blame [2]. Engaging content sets the stage for simulated tests, which reinforce learning through practice.


Run Simulated Phishing Tests and Provide Feedback

To keep cybersecurity awareness sharp, run unannounced simulated phishing tests every 4–6 weeks. These exercises help employees develop "muscle memory" and keep security practices top of mind [6][16][4]. High-performing programmes typically achieve failure rates below 5% and reporting rates above 70% [4]. However, it’s important to approach these simulations thoughtfully. Collaborate with HR to ensure the tests don’t feel like entrapment, and avoid penalising employees who fail; fear of consequences can discourage the reporting of genuine threats [2].

When an employee clicks on a simulated phishing email, provide immediate, personalised feedback. This could be a short video or training module highlighting the red flags they missed [6][16].

"A general rule of thumb for high-performing programmes is to consistently have less than 5% of users fall for a simulation, but over 70% of users report it with the email reporting tool." – Proofpoint [4]

Focus on tracking reporting rates rather than just click rates. When employees actively report suspicious emails, they act as a "human sensor" network, significantly strengthening your organisation’s security posture [2][4].


How to Maintain Awareness and Track Training Results


Keep Teams Alert with Regular Reminders

Phishing awareness tends to fade within 4–6 months [4][17]. To combat this, weave consistent security reminders into your team's daily workflow. Share monthly self-service videos, post weekly security tips on platforms like Slack or Microsoft Teams, and put up posters near workstations to keep security top of mind. Roundtable discussions where employees discuss recent suspicious emails can also help foster a culture of shared vigilance.

Adding a one-click reporting button in tools like Outlook or Gmail can turn your team into a proactive defence line. Encourage prompt reporting by rewarding accurate submissions and fostering a blame-free environment. If employees fear punishment for mistakenly clicking on malicious links, they may hesitate to report incidents, which can delay critical responses [2][9].

Once these reminders are in place, the next step is to evaluate how well your training is working.


Track Performance and Adapt to New Threats

Tracking performance metrics is key to understanding the effectiveness of your security awareness programme. Focus on three main indicators: click-through rate (aim for less than 5%), reporting rate (target above 70%), and time-to-response [4][9]. High-performing teams build strong reporting habits through frequent phishing simulations. Keep an eye on repeat offenders, as they may need additional, tailored training [9][16].
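The three indicators named above (click-through rate under 5%, reporting rate above 70%, and time-to-response), plus the repeat-offender list, are simple to compute once each simulation's per-user outcome is recorded. The following is an added example written for this article, not the author's code or any vendor's reporting feature; the data model, the two campaigns and every timestamp are constructed for the demonstration, and the target thresholds are the ones the article quotes.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

# Targets quoted in the article: click rate below 5%, reporting rate above 70%.
MAX_CLICK_RATE = 0.05
MIN_REPORT_RATE = 0.70


@dataclass
class SimulationResult:
    """One user's outcome in one simulated phishing campaign (constructed schema)."""
    campaign: str
    user: str
    sent_at: datetime
    clicked_at: Optional[datetime]   # None if the user never clicked the lure
    reported_at: Optional[datetime]  # None if the user never used the report button


def campaign_metrics(results, campaign):
    """Click-through rate, reporting rate and median minutes-to-report for one campaign."""
    rows = [r for r in results if r.campaign == campaign]
    if not rows:
        raise ValueError(f"no results for campaign {campaign}")
    clicks = sum(1 for r in rows if r.clicked_at is not None)
    # Minutes between delivery and the user's report, for those who reported.
    report_minutes = [(r.reported_at - r.sent_at).total_seconds() / 60
                      for r in rows if r.reported_at is not None]
    click_rate = clicks / len(rows)
    report_rate = len(report_minutes) / len(rows)
    return {
        "campaign": campaign,
        "recipients": len(rows),
        "click_rate": click_rate,
        "report_rate": report_rate,
        "median_minutes_to_report": median(report_minutes) if report_minutes else None,
        "meets_targets": click_rate < MAX_CLICK_RATE and report_rate > MIN_REPORT_RATE,
    }


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns: candidates for tailored training."""
    clicked = {}
    for r in results:
        if r.clicked_at is not None:
            clicked.setdefault(r.user, set()).add(r.campaign)
    return sorted(user for user, campaigns in clicked.items() if len(campaigns) >= min_campaigns)


def _t(day, hhmm):
    """Build a constructed 2025 timestamp from 'MM-DD' and 'HH:MM'."""
    return datetime.strptime(f"2025-{day} {hhmm}", "%Y-%m-%d %H:%M")


# Constructed results for two campaigns two months apart; a user who both clicked
# and then reported counts towards both rates.
SAMPLE_RESULTS = [
    SimulationResult("q1-baseline", "alice", _t("03-03", "09:00"), _t("03-03", "09:04"), None),
    SimulationResult("q1-baseline", "bob",   _t("03-03", "09:00"), None, _t("03-03", "09:10")),
    SimulationResult("q1-baseline", "carol", _t("03-03", "09:00"), _t("03-03", "09:02"), _t("03-03", "09:30")),
    SimulationResult("q1-baseline", "dave",  _t("03-03", "09:00"), None, None),
    SimulationResult("q1-baseline", "erin",  _t("03-03", "09:00"), None, _t("03-03", "11:00")),
    SimulationResult("q2-followup", "alice", _t("05-05", "09:00"), _t("05-05", "09:07"), _t("05-05", "09:08")),
    SimulationResult("q2-followup", "bob",   _t("05-05", "09:00"), None, _t("05-05", "09:03")),
    SimulationResult("q2-followup", "carol", _t("05-05", "09:00"), None, _t("05-05", "09:15")),
    SimulationResult("q2-followup", "dave",  _t("05-05", "09:00"), None, _t("05-05", "09:45")),
    SimulationResult("q2-followup", "erin",  _t("05-05", "09:00"), None, None),
]

if __name__ == "__main__":
    for name in ("q1-baseline", "q2-followup"):
        print(campaign_metrics(SAMPLE_RESULTS, name))
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```

On the constructed data the follow-up campaign halves the click rate and lifts reporting from 60% to 80%, yet still misses the 5% click target, which is the kind of reading the article's "track reporting rather than just clicks" advice expects: reporting improved first, and the one user who clicked in both campaigns is the obvious candidate for tailored training. Reporting time is summarised with the median rather than the mean so one late report in the afternoon does not hide that most reports arrived within minutes.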

As phishing tactics evolve, particularly with the rise of AI-driven scams that create flawless emails and convincing website clones, training programmes must also adapt. Traditional signs like poor grammar or spelling mistakes are becoming less common. Instead, focus on helping employees recognise psychological manipulation and social engineering techniques [9][18]. Update your phishing simulations regularly to reflect current threats, such as scams related to tax deadlines, pandemic alerts, or impersonations of trusted brands like Microsoft [4].

"People can't change behaviours if training isn't reinforced. They can also easily forget what they've learned after several months go by." – JET IT Services [17]

Conclusion

Phishing continues to dominate as the primary method cybercriminals use to gain access, responsible for a staggering 93% of all cybercrime in the UK [3]. With human error driving 95% of cybersecurity breaches [19] and phishing-related incidents costing organisations an average of £3.8 million per breach [3], equipping your team to recognise phishing attempts isn’t just important - it’s essential.

Organisations that prioritise ongoing training see a dramatic improvement. Initial simulation failure rates, typically ranging between 20–40%, can drop to just 5–10% after six months of consistent testing [9]. Awareness initiatives have proven to reduce successful phishing attacks by 60% to 72% [9], effectively turning employees from potential risks into a strong line of defence. These numbers highlight how regular, focused training can make a real difference.

But here’s the catch: phishing awareness doesn’t last forever. Research shows it begins to fade within four to six months [4][17]. To combat this, organisations should schedule formal training sessions every four months, run simulated phishing tests every four to six weeks, and weave security reminders into everyday workflows. As CISA explains, "Phishing attacks are frequently preventable when you train employees to recognise and avoid suspicious messages" [20].

Creating a no-blame culture is equally important. When employees feel safe admitting mistakes without fear of repercussions, they become an invaluable early warning system for new threats [2]. Combine this with simple reporting tools and immediate feedback to help employees build the instincts needed to identify even subtle phishing attempts. These steps collectively strengthen your organisation’s defences.

Start applying these measures today. Regular training, easy-to-use reporting systems, and a supportive security environment will not only bolster your team’s confidence but also enhance your overall cybersecurity strategy. With these practices in place, your organisation can stay ahead of emerging threats and minimise risks effectively.


FAQs


How often should teams undergo phishing awareness training to stay effective?

Phishing awareness training works best when scheduled every four months. Studies reveal that employees maintain sharp phishing detection abilities with this approach, but their performance begins to drop significantly after six months.

Since human error contributes to most data breaches, organisations should embed phishing training into a broader, continuous security-awareness programme. Frequent refresher sessions help keep employees alert and ready to spot potential threats, rather than depending on a once-a-year session.


What’s the difference between phishing, spear phishing, and Business Email Compromise (BEC)?

Phishing, spear phishing, and Business Email Compromise (BEC) are all email-based scams that fall under the umbrella of social engineering. While they share similarities, their methods and goals set them apart.

Phishing casts a wide net, sending out generic emails to large groups of people. These messages often mimic trusted brands or services, aiming to steal login credentials, spread malware, or lure victims to fake websites.

Spear phishing takes a more focused approach. These scams are tailored to specific individuals or small groups, often including personal details like the recipient’s job title, recent actions, or familiar contacts. This level of personalisation makes these emails harder to spot and increases their success rate.

BEC is a more advanced and targeted form of phishing. Attackers pose as senior executives or trusted business partners, using highly convincing and professional-looking emails to deceive employees. The goal? To trick them into wiring funds or sharing sensitive company data. These attacks often bypass traditional security measures, leveraging fake domains that appear authentic, leading to potentially severe financial consequences.


What should an employee do straight away if they think they've received a phishing email?

If you think an email might be a phishing attempt, stop engaging with it right away. Don’t reply, click on links, or open any attachments. Instead, confirm its legitimacy by reaching out to the sender using a trusted method, like a phone number or email address you already know and trust.

After confirming, make sure to report the suspicious email to your organisation’s IT or security team without delay. Acting quickly can safeguard both your personal information and your company’s data from potential risks.

