5 things you need to know when choosing a phishing staff awareness training course

Phishing staff awareness is a core requirement of information security training.

But with so many courses out there, it’s hard to know which one to choose. We help you make that decision in this blog, outlining five things you should know when selecting a phishing staff awareness training course.

1. There are many different types of phishing attack

Most phishing discussions focus on bogus emails, but this is only one type of attack. Scammers also target people over the phone, via text messages and, increasingly, on social media.

Although your organisation should be primarily concerned with email-based threats, you cannot overlook the other forms of attack – particularly with the rise of homeworking and the blurred lines between our personal and professional lives.

Employees may be more tempted now than ever to browse Facebook or Twitter during quiet periods at work, which could result in a scammer compromising a work device.


Phishing staff awareness training should cover different types of fraudulent messages


Likewise, some employees use their mobile phones to provide two-factor authentication for sensitive apps. If a scammer compromises the device, they will have access to vital information that could jeopardise your organisation’s security.

An effective phishing staff awareness training course will acknowledge all forms of phishing and the ways they affect your organisation rather than focusing on email-based threats alone.

2. In 2020, 75% of organisations experienced a phishing attack

Phishing staff awareness training isn’t simply a tick-box exercise to demonstrate regulatory compliance. It has a real-world effect in protecting your organisation.

According to Verizon’s 2021 Data Breach Investigations Report, 75% of organisations experienced a phishing attack in 2020.

Meanwhile, HMRC found that UK organisations received more than 45,000 scam emails on average each month between March and September 2020 – with the numbers increasing dramatically since the start of the pandemic.

It also reported almost 200,000 cases of phone scams, and more than 58,000 instances of smishing.

The chances are, therefore, that your employees are being targeted regularly. As such, you must take the threat seriously and invest resources appropriately – after all, it only takes one mistake for your organisation to be compromised.

3. Your employees are your most important line of defence

Although technologies such as spam filters and anti-malware software can mitigate the threat of phishing attacks, they are never one hundred percent effective. When a scam email slips through, staff must be able to step up.

To help them do that, your staff awareness training course must emphasise employees’ importance in protecting the organisation. This should include a discussion of the ways cyber criminals exploit human weaknesses as well as technological ones.

For example, cyber criminals increase their chances of success by sending scams at times when we are more easily fooled – whether that’s because we’re in a rush and don’t properly read the message or because we have time on our hands and may be tempted by an intriguing message.

By bringing this to your employees’ attention, you can help them recognise scammers’ tactics and stay one step ahead.

4. There are simple tricks for spotting a scam email

As sophisticated as phishing emails often are, there are a few relatively easy ways to identify one. And with the right training, your staff can become adept at spotting the signs.

For example, employees should keep an eye out for emails sent from a public email address, messages that contain generic greetings (such as ‘Dear customer’), and spelling and grammatical errors.



Employees should also be suspicious of emails that suggest something bad will happen unless they act urgently. Likewise, links to websites that don’t match the context of the email and contact details that don’t match the organisation’s registered details are also red flags.

5. Training must be performed regularly

Did you know that the benefits of staff awareness training wear off over time?

According to research presented at the 2020 USENIX SOUPS security conference, employees will only remember what they learned for up to six months.

That’s why security experts recommend that staff awareness training should be repeated regularly rather than a one-off exercise.

It’s also why GRC eLearning updates its Phishing Staff Awareness E-learning Course quarterly, adding fresh content and examples.

The course also contains knowledge checks at the end of each section and a final assessment upon completion of the course. This ensures that staff understand the course content, and gives them clarity on anything they may have misunderstood.

The course addresses each of the points we’ve outlined in this article, so if you’re looking for an e-learning training provider, why not join the 800 organisations that are already using our courses?