gov-3 | High priority | Governance and Training

Employees are trained to recognize and report phishing attempts

Phishing is the most common initial access vector for ransomware, business email compromise, and credential theft. General security awareness training is not sufficient on its own; employees need specific, repeated practice identifying phishing emails and a clear, low-friction way to report them. Organizations with mature phishing programs see substantially lower click rates and faster detection of real attacks.

Complete first: gov-2

Implementation steps

  1. Run regular simulated phishing campaigns

     Schedule simulated phishing campaigns at least monthly, using a variety of templates: credential harvesting, invoice fraud, IT helpdesk, and executive impersonation. When an employee clicks, immediately deliver a brief, non-punitive educational moment explaining what they missed. Track click rates by department and over time.

     Tools: KnowBe4, Proofpoint Security Awareness, Cofense, GoPhish, Microsoft Attack Simulator

  2. Deploy a one-click phishing report button

     Install a report phishing button in your email client so employees can flag suspicious emails in one click. The reported email should go to your security team for triage and be automatically checked against threat intelligence feeds. Make reporting feel safe: recognize and thank employees who report correctly.

     Tools: KnowBe4 Phish Alert, Cofense Reporter, Proofpoint Report Phishing, Microsoft Report Message, Google Report Phishing

  3. Track and respond to reported phishing within a defined SLA

     Set a target response time for triaging reported phishing emails, such as one hour during business hours. If a real phishing email is confirmed, pull all copies from inboxes using your email admin tools, block the sender domain, and notify employees who received it. Document each incident and the actions taken.

     Tools: Microsoft Defender, Google Workspace Admin, Proofpoint, Mimecast, Splunk
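Steps 1 and 3 both produce metrics that become the evidence for this control: click rate per department per campaign, and triage times measured against the SLA. The script below is an added example, not part of the control catalogue or any of the listed tools; the simulation results and triage log are constructed records, and the SLA is applied as a flat 60-minute window (business-hours calendars are an assumption left out).

```python
"""Added example: compute phishing-program evidence from constructed records."""
from collections import defaultdict
from datetime import datetime

# Constructed simulation results: one row per recipient of a simulated phish.
SIMULATION_EVENTS = [
    {"campaign": "2024-01-invoice", "dept": "finance", "clicked": True},
    {"campaign": "2024-01-invoice", "dept": "finance", "clicked": False},
    {"campaign": "2024-01-invoice", "dept": "eng", "clicked": False},
    {"campaign": "2024-02-helpdesk", "dept": "finance", "clicked": False},
    {"campaign": "2024-02-helpdesk", "dept": "finance", "clicked": False},
    {"campaign": "2024-02-helpdesk", "dept": "eng", "clicked": True},
]

# Constructed triage log: when the employee reported, when triage closed.
TRIAGE_LOG = [
    {"id": "r1", "reported": "2024-02-05T09:00:00",
     "triaged": "2024-02-05T09:40:00", "verdict": "phish"},
    {"id": "r2", "reported": "2024-02-05T13:10:00",
     "triaged": "2024-02-05T15:00:00", "verdict": "benign"},
    {"id": "r3", "reported": "2024-02-06T08:30:00",
     "triaged": None, "verdict": None},  # still open
]


def click_rates(events):
    """Click rate per (campaign, dept); campaigns are dated so the same
    department can be compared across months to show the trend."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for e in events:
        key = (e["campaign"], e["dept"])
        sent[key] += 1
        clicked[key] += int(e["clicked"])
    return {k: round(clicked[k] / sent[k], 2) for k in sent}


def sla_report(log, sla_minutes=60):
    """List reports triaged later than the SLA, and reports still open."""
    breaches, open_reports = [], []
    for r in log:
        if r["triaged"] is None:
            open_reports.append(r["id"])
            continue
        elapsed = datetime.fromisoformat(r["triaged"]) - datetime.fromisoformat(r["reported"])
        minutes = elapsed.total_seconds() / 60
        if minutes > sla_minutes:
            breaches.append((r["id"], int(minutes)))
    return {"breaches": breaches, "open": open_reports}
```

Run both functions over the real campaign export and triage log to produce the campaign report and the triage-time evidence listed below.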

Evidence required

Phishing simulation records and reporting metrics

Evidence that phishing training is ongoing and that employees know how to report suspicious emails.

  - Phishing simulation campaign report showing click rate and trend over time
  - Screenshot of the report phishing button deployed in the email client
  - Phishing report triage log showing response times

Related controls