One Click Cost Them $100 Million
In 2023, MGM Resorts was brought to its knees — not by a sophisticated zero-day exploit, but by a phone call. A threat actor called the help desk, impersonated an employee found on LinkedIn, and gained access to internal systems. The resulting ransomware attack cost MGM an estimated $100 million in losses. No malware kit required. Just social engineering and a human who wasn't trained to spot it.
That's why you're here. You already know your firewalls and endpoint detection tools aren't enough. You need a phishing awareness program that actually changes employee behavior — not just a checkbox exercise that satisfies an auditor and collects dust. In this post, I'll walk you through exactly how to build one, based on what I've seen work across organizations of every size.
What Is a Phishing Awareness Program?
A phishing awareness program is a structured, ongoing effort to train employees to recognize and report phishing attempts, social engineering tactics, and credential theft schemes. It combines education, phishing simulations, measurement, and reinforcement to reduce the likelihood that your people become the entry point for a data breach.
The key word there is ongoing. A single annual presentation in the break room isn't a program. It's a ritual. Programs have goals, baselines, metrics, and iteration cycles. If yours doesn't, you don't have a program — you have a slide deck.
The $4.88M Reason You Can't Skip This
According to IBM's 2024 Cost of a Data Breach Report, the global average cost of a data breach hit $4.88 million. Phishing remained one of the top initial attack vectors, and breaches that started with phishing took an average of 261 days to identify and contain.
The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element — whether through social engineering, errors, or misuse. That number has hovered in the same range for years, which tells me something uncomfortable: most organizations still aren't getting the human side right.
I've seen mid-size companies with excellent technical controls get breached because a single accounts payable clerk opened a spoofed invoice PDF. The technology didn't fail. The training did.
Five Components of a Phishing Awareness Program That Actually Works
1. Executive Buy-In With Real Budget
Every effective program I've built or consulted on started the same way: a conversation with leadership where security got framed as a business risk, not an IT inconvenience. If your C-suite sees phishing training as a cost center, your program will be underfunded and ignored.
Present breach cost data. Show them the MGM example. Show them the FTC's enforcement actions against companies with inadequate security practices. When executives understand that regulatory liability and reputational damage are on the line, budgets appear.
2. A Baseline Phishing Simulation
You can't measure improvement without a starting point. Before you roll out any training content, run a baseline phishing simulation. Send a realistic — but safe — phishing email to your entire organization and measure three things: click rate, credential submission rate, and report rate.
In my experience, first-time simulation click rates typically land between 25% and 35% for organizations that haven't done this before. That's not unusual. It's your starting line, not your failure. What matters is what you do next.
The phishing awareness training for organizations at phishing.computersecurity.us includes simulation frameworks that help you establish this baseline and track progress over time.
3. Targeted, Role-Based Training Content
Generic training wastes everyone's time. Your finance team faces different phishing lures than your developers. Your HR department gets targeted with fake résumé attachments. Your executives get hit with whaling attacks that mimic board communications.
Segment your training. Build modules around the specific attack types each department is most likely to encounter. Cover the fundamentals — how to inspect URLs, how to verify sender identity, how to spot urgency manipulation — but tailor the examples.
The cybersecurity awareness training at computersecurity.us offers structured modules that cover these fundamentals and more, giving your team practical skills they can apply the same day.
4. Reinforcement Through Repetition (Not Punishment)
Here's what actually happens in most organizations: someone fails a phishing simulation and gets a scolding email from IT. They feel embarrassed. They resent the security team. They don't learn anything — they just learn to avoid IT.
Effective programs use positive reinforcement. When someone reports a simulated phish, acknowledge it publicly. When someone clicks, route them to a brief, non-judgmental training module that explains what they missed. Make reporting easy — a one-click "Report Phish" button in the email client drops friction to near zero.
Run simulations monthly, not annually. Vary the difficulty. Start with obvious red flags and gradually introduce more sophisticated lures — domain spoofing, thread hijacking, QR code phishing. Repetition builds pattern recognition, and pattern recognition is what saves you at 4:47 PM on a Friday when someone's guard is down.
5. Metrics That Drive Decisions
Track these numbers quarterly at minimum:
- Click-through rate on simulated phishing emails (target: under 5% within 12 months)
- Report rate — the percentage of employees who flag the simulated phish (target: over 70%)
- Time to report — how quickly phishing emails get flagged after delivery
- Credential submission rate — the percentage who not only click but actually enter credentials
- Repeat clicker rate — individuals who fail multiple simulations and need additional intervention
These metrics tell you whether your phishing awareness program is working or just running. There's a difference. If your click rate isn't dropping after three simulation cycles, your training content needs to change — not your simulation frequency.
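As an added example (not code from the original post), here is how the five metrics above can be computed from raw simulation results and turned into the two decisions the text describes: whether the targets are met on the latest campaign, and whether click rate has stopped falling after three cycles. The record layout, campaign labels and sample data are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional

@dataclass
class SimResult:  # one employee's outcome in one campaign (constructed record layout)
    campaign: str               # label chosen so that names sort chronologically
    employee: str
    clicked: bool
    submitted_creds: bool
    reported: bool
    report_delay_min: Optional[float]  # minutes from delivery to report; None if never reported

def campaign_metrics(rows):
    """Click, report and credential-submission rates plus median time-to-report for one campaign."""
    n = len(rows)
    delays = [r.report_delay_min for r in rows if r.reported and r.report_delay_min is not None]
    return {"click_rate": sum(r.clicked for r in rows) / n,
            "report_rate": sum(r.reported for r in rows) / n,
            "credential_rate": sum(r.submitted_creds for r in rows) / n,
            "median_report_min": median(delays) if delays else None}

def repeat_clickers(rows, min_campaigns=2):
    """Employees who clicked in at least min_campaigns distinct campaigns: the intervention list."""
    hits = {}
    for r in rows:
        if r.clicked:
            hits.setdefault(r.employee, set()).add(r.campaign)
    return sorted(e for e, camps in hits.items() if len(camps) >= min_campaigns)

def assess_program(rows, click_target=0.05, report_target=0.70):
    """Per-campaign series plus two decisions: targets met on the latest campaign, and click rate no longer falling over three cycles."""
    by_campaign = {}
    for r in rows:
        by_campaign.setdefault(r.campaign, []).append(r)
    series = [(c, campaign_metrics(by_campaign[c])) for c in sorted(by_campaign)]
    clicks = [m["click_rate"] for _, m in series]
    latest = series[-1][1]
    return {"series": series,
            "targets_met": latest["click_rate"] < click_target and latest["report_rate"] > report_target,
            "content_change_needed": len(clicks) >= 3 and clicks[-1] >= clicks[-3],
            "repeat_clickers": repeat_clickers(rows)}

def build_sample():  # constructed data: 25 employees, three monthly campaigns; clicks fall, reports rise
    emps = [f"user{i:02d}" for i in range(25)]
    clicked = {"2025-01": set(emps[:6]), "2025-02": set(emps[:3]), "2025-03": {"user00"}}
    reported = {"2025-01": set(emps[10:16]), "2025-02": set(emps[8:19]), "2025-03": set(emps[3:24])}
    return [SimResult(camp, e, e in clicked[camp], e in clicked[camp] and e == "user00",
                      e in reported[camp], 5.0 * (i + 1) if e in reported[camp] else None)
            for camp in clicked for i, e in enumerate(emps)]
```

The repeat-clicker list is what feeds the "additional intervention" bucket, and `content_change_needed` encodes the rule that a flat click rate after three cycles points at the content, not the cadence.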
The Multi-Factor Authentication Safety Net
Let me be direct: even the best phishing awareness program won't stop 100% of clicks. Humans are fallible. That's why multi-factor authentication (MFA) is a non-negotiable companion to any awareness effort.
When an employee does fall for a credential theft phish, MFA is the safety net that prevents the attacker from logging in with just a stolen password. CISA has repeatedly emphasized MFA as one of the most impactful security measures any organization can implement. Their guidance at cisa.gov/MFA is worth reviewing if you haven't deployed it yet.
That said, MFA isn't bulletproof. Adversary-in-the-middle attacks and MFA fatigue bombing have been used to bypass it. Training your employees to recognize suspicious MFA prompts is a critical layer that many programs still skip.
Zero Trust and the Human Layer
If your organization is moving toward a zero trust architecture — and in 2026, you should be — your phishing awareness program is part of that framework. Zero trust assumes no user or device is trusted by default, and every access request is verified.
But zero trust isn't just a technology model. It's a mindset. When your employees internalize the idea that every email, every request for credentials, and every unexpected attachment should be verified before being trusted, they're practicing zero trust at the human layer. Your training should explicitly connect these dots.
What the FBI's Data Tells Us About Phishing Trends
The FBI's Internet Crime Complaint Center (IC3) has consistently ranked phishing as the most reported cybercrime type by volume. In their annual reports, phishing and its variants (vishing, smishing, pharming) have dominated complaint counts for years running.
What's shifted is the sophistication. AI-generated phishing emails are now grammatically flawless. Deepfake voice calls have been used in business email compromise (BEC) schemes. The old advice of "look for typos" is dangerously outdated. Your phishing awareness program needs to train employees on behavioral indicators — unexpected urgency, unusual requests, out-of-band verification — not just visual red flags.
Common Mistakes That Kill Phishing Programs
Making It About Compliance Instead of Culture
If your employees view phishing training as something they endure once a year to keep HR happy, your program has already failed. The organizations I've seen with the lowest click rates treat security awareness as part of their culture — something that gets talked about in team meetings, reinforced by managers, and celebrated when done right.
Using the Same Simulation Template Every Time
I've seen organizations run the same "Your package couldn't be delivered" phish four quarters in a row and celebrate a declining click rate. Of course it declined — everyone memorized that one template. Rotate your lures. Use current events. Mimic the actual phishing emails your mail gateway is catching. Realism is the whole point.
Ignoring Your Privileged Users
System administrators, developers with production access, finance staff with wire transfer authority — these people are high-value targets for threat actors. They should get more frequent simulations, more advanced training, and more scrutiny. A standard employee clicking a phish is a problem. A domain admin clicking one is a catastrophe.
No Incident Response Integration
Your phishing awareness program should feed directly into your incident response process. When an employee reports a real phish, what happens? If the answer is "it goes into a shared mailbox that someone checks on Tuesdays," you have a gap that attackers will happily exploit. Reported phishing emails should trigger automated triage — URL detonation, attachment sandboxing, and a search for other recipients who received the same message.
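An added example, not from the original post, of the first two triage steps a reported phish should trigger: extracting the indicators from the reported message (URLs for detonation, attachment hashes for the sandbox) and searching a delivery log for other recipients of the same campaign. The detonation and sandbox services themselves are left to whatever you run; the log row layout and the sample message are constructed assumptions.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

def extract_indicators(raw_eml: bytes) -> dict:
    """Artefacts automated triage needs from a reported message: identity fields for the
    recipient search, URLs to hand to detonation, and SHA-256 hashes of attachments to hand
    to the sandbox. Nothing is fetched or opened here."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments.append((part.get_filename(), hashlib.sha256(data).hexdigest()))
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {"message_id": str(msg["Message-ID"]), "sender": parseaddr(str(msg["From"]))[1],
            "subject": str(msg["Subject"]), "urls": sorted(urls),
            "url_hosts": sorted({urlparse(u).hostname for u in urls}), "attachments": attachments}

def find_other_recipients(ind: dict, mail_log, reporter: str) -> list:
    """Other mailboxes that got the same campaign: same Message-ID, or same sender and subject
    (catches re-sent copies with a fresh ID). Log rows: (message_id, sender, subject, rcpt)."""
    hits = {rcpt for mid, sender, subject, rcpt in mail_log
            if mid == ind["message_id"] or (sender == ind["sender"] and subject == ind["subject"])}
    return sorted(hits - {reporter})

def build_sample_report() -> bytes:
    """Constructed reported phish: a lure to a credential page plus a PDF attachment."""
    m = EmailMessage()
    m["Message-ID"] = "<abc123@example.invalid>"
    m["From"] = "Accounts Payable <ap@example-invoices.invalid>"
    m["To"] = "clerk@corp.example"
    m["Subject"] = "Invoice 4471 overdue"
    m.set_content("Please review the invoice: https://example-invoices.invalid/login?ref=4471")
    m.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()

SAMPLE_LOG = [  # constructed gateway delivery log: (message_id, sender, subject, recipient)
    ("<abc123@example.invalid>", "ap@example-invoices.invalid", "Invoice 4471 overdue", "clerk@corp.example"),
    ("<abc123@example.invalid>", "ap@example-invoices.invalid", "Invoice 4471 overdue", "cfo@corp.example"),
    ("<def456@example.invalid>", "ap@example-invoices.invalid", "Invoice 4471 overdue", "ops@corp.example"),
    ("<n1@vendor.invalid>", "news@vendor.invalid", "Weekly update", "cfo@corp.example"),
]
```

The recipient list is what lets you pull the message from the other mailboxes before the next person clicks, which is the gap the "shared mailbox checked on Tuesdays" process leaves open.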
A Realistic 12-Month Implementation Timeline
Here's a roadmap I've used successfully:
- Month 1: Secure executive sponsorship. Define goals and success metrics. Select training and simulation platforms.
- Month 2: Deploy the "Report Phish" button across all email clients. Run baseline phishing simulation.
- Month 3: Launch foundational training covering phishing, social engineering, and credential theft. Make it role-based.
- Months 4-6: Run monthly simulations with increasing difficulty. Route clickers to targeted micro-training. Begin tracking all five key metrics.
- Months 7-9: Introduce advanced topics — BEC, QR code phishing, MFA bypass techniques, vishing. Recognize top reporters.
- Months 10-12: Review annual metrics against baseline. Brief leadership on ROI. Adjust training content based on simulation data. Plan Year 2.
By the end of 12 months, a well-executed phishing awareness program should show measurable improvements in both click rates and report rates. If it doesn't, the data will tell you exactly where to adjust.
How NIST Frames Security Awareness
NIST Special Publication 800-50 and the updated SP 800-50 Rev. 1 provide a framework for building security awareness and training programs. The guidance emphasizes that awareness isn't training alone — it's the broader effort to shape attitudes and behaviors around security. NIST's Cybersecurity Framework also positions awareness and training under the "Protect" function, reinforcing that human factors are a core security control, not an afterthought.
If you need to justify your program to auditors, regulators, or board members, aligning with NIST gives you a credible, well-recognized foundation.
Start With What You Have
You don't need a six-figure budget to start a phishing awareness program. You need leadership support, a simulation tool, training content that respects your employees' intelligence, and the discipline to measure and iterate. Start with a baseline simulation this month. Deliver targeted training next month. Measure everything.
If you're looking for structured training content to anchor your program, explore the phishing awareness training at phishing.computersecurity.us for simulation-ready organizational programs, and computersecurity.us for foundational cybersecurity awareness modules your entire team can use.
The threat actors aren't waiting for your next board meeting. Neither should you.