In March 2025, a mid-size healthcare provider in the Midwest lost 1.4 million patient records because one employee in accounts payable clicked a link in a fake DocuSign email. The organization had antivirus software, a firewall, and an email gateway. What they didn't have was a phishing awareness program. That single click led to credential theft, lateral movement across the network, and a ransomware payload that encrypted every server in the building within four hours. I've seen this pattern repeat across dozens of industries — and the fix isn't another appliance. It's training your people to recognize the threat before they click.
This post walks you through how to build a phishing awareness program that actually changes behavior. Not a checkbox exercise. Not a once-a-year slideshow. A program grounded in data, measured by outcomes, and designed to make your organization genuinely harder to compromise.
Why Most Phishing Awareness Programs Fail
Let me be blunt: most organizations that claim to have a phishing awareness program actually have a phishing awareness event. They run one training session during onboarding, maybe a refresher in October for Cybersecurity Awareness Month, and call it done. That's not a program. That's a liability.
The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a human element — whether through social engineering, errors, or misuse of credentials. That number has hovered above 60% for years. The threat actors haven't changed their playbook because they don't need to. Phishing still works because organizations still treat awareness as a one-time event instead of an ongoing discipline.
Here's what I see in post-breach investigations: the organization had training records. They could prove employees watched a video. But nobody could demonstrate that employees actually changed their behavior. The click rate on simulated phishing emails was never measured. The training content hadn't been updated in two years. The program existed on paper but not in practice.
The $4.88M Reason to Get This Right
IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Phishing was the most common initial attack vector. Organizations with security awareness training and phishing simulations in place saw breach costs that were meaningfully lower than those without.
That's not a theoretical savings. That's the difference between staying in business and facing regulatory fines, class-action lawsuits, and the kind of reputational damage you can't buy your way out of. If you're a CISO or IT director reading this, you already know the board wants ROI. A well-built phishing awareness program is one of the highest-ROI security investments you can make.
What a Real Phishing Awareness Program Looks Like
A program — not an event — has five core components. Miss any one of them and you're leaving gaps that threat actors will exploit.
1. Baseline Measurement
Before you train anyone, you need to know where you stand. Run a baseline phishing simulation across your entire organization. Don't warn anyone. Don't make it easy. Use a realistic lure — a fake password reset, a shipping notification, a shared document link.
Track three metrics: click rate, credential submission rate, and report rate. The click rate tells you who's vulnerable. The credential submission rate tells you who's dangerously vulnerable. The report rate tells you whether your culture encourages employees to flag suspicious messages or just delete them and move on.
In my experience, first-time baseline simulations at untrained organizations typically see click rates between 25% and 45%. That means roughly one in three employees will interact with a phishing email. That's your starting point.
2. Role-Based Training Content
Generic training is barely better than no training. Your finance team faces different phishing lures than your IT team. Your executives are targeted with business email compromise (BEC) attacks that look nothing like the mass-market phishing your frontline employees see.
A strong phishing awareness program segments training by role, department, and risk level. High-value targets — anyone with wire transfer authority, admin credentials, or access to sensitive data — get more frequent and more advanced training. Our phishing awareness training for organizations is built around this exact principle: scenario-based content tailored to the threats each role actually faces.
3. Ongoing Phishing Simulations
One simulation per year is a snapshot. Monthly simulations are a trend line. You need the trend line.
Run simulations at least monthly, rotating through different lure types: credential harvesting, malware attachment, CEO impersonation, vendor invoice fraud, MFA fatigue attacks. Vary the difficulty. Some should be obvious. Some should be nearly indistinguishable from legitimate email. The goal is to build pattern recognition, not to trick people for the sake of tricking them.
After each simulation, provide immediate feedback. If someone clicks, show them exactly what they missed — the spoofed domain, the urgency language, the mismatched reply-to address. This just-in-time learning is far more effective than a 45-minute video they'll forget by lunch.
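One way to automate that just-in-time feedback, as an added example that is not part of the original post or any vendor's product: a small Python checker that parses a reported or simulated message and lists the tells the paragraph names (sender domain that is not the organization's, Reply-To pointing somewhere else, link text that does not match the link target, urgency wording). The trusted-domain set, the urgency word list and both sample messages are constructed for this illustration; the `.test` domains are reserved names, not real hosts.

```python
"""Explain the tells in a simulated phishing email (added example).

Assumptions: TRUSTED_DOMAINS holds the organization's own mail/web domains,
and the message is a simple single-part text/html or text/plain email.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.test"}  # constructed: the organization's domains
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours",
                 "account will be suspended")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[tuple] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr: str) -> str:
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _body(msg) -> str:
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() in ("text/html", "text/plain"):
                raw = part.get_payload(decode=True)
                return raw.decode(part.get_content_charset() or "utf-8", "replace")
        return ""
    return msg.get_payload()


def explain_phish(raw_message: str) -> List[str]:
    """Return human-readable findings; an empty list means no tells found."""
    msg = message_from_string(raw_message)
    findings: List[str] = []
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))
    if from_domain and not _trusted(from_domain):
        findings.append(f"sender domain '{from_domain}' is not one of ours")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from "
                        f"From domain '{from_domain}'")
    body = _body(msg)
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = _host(href)
        shown = _host(text) if text.lower().startswith("http") else ""
        if target and not _trusted(target):
            findings.append(f"link goes to '{target}', not a company domain")
        if shown and shown != target:
            findings.append(f"link text shows '{shown}' but points to '{target}'")
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [t for t in URGENCY_TERMS if t in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample: a simulation lure with several tells.
SAMPLE_LURE = """\
From: IT Support <helpdesk@example-it-support.test>
Reply-To: helpdesk@mail-relay.test
To: employee@example.test
Subject: URGENT: password expires within 24 hours
Content-Type: text/html; charset="utf-8"

<p>Your password expires within 24 hours. Reset it immediately:</p>
<a href="https://example-it-support.test/reset">https://portal.example.test/reset</a>
"""

# Constructed sample: a legitimate internal reminder, for contrast.
SAMPLE_CLEAN = """\
From: IT Support <helpdesk@example.test>
To: employee@example.test
Subject: Password reminder
Content-Type: text/html; charset="utf-8"

<p>You can change your password any time from <a href="https://portal.example.test/account">the account portal</a>.</p>
"""

if __name__ == "__main__":
    for line in explain_phish(SAMPLE_LURE):
        print("-", line)
```

Feeding the findings back to the person who clicked, in the same hour, is the point: each line names a concrete thing to look for next time rather than a generic "be careful".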
4. Positive Reinforcement and Reporting Culture
Here's where most programs go sideways: they punish clickers instead of rewarding reporters. Shaming employees who fall for simulations creates a culture of silence. People stop reporting real phishing emails because they're afraid of getting written up. That's the opposite of what you want.
Build a culture where reporting a suspicious email is celebrated. Publicly recognize departments with the highest report rates. Make your phish reporting button easy to find and easy to use. Every reported email is a data point your SOC can use to identify active campaigns targeting your organization.
CISA's guidance on building a security culture reinforces this approach. Their cybersecurity best practices emphasize that awareness programs succeed when they're embedded in organizational culture, not bolted on as compliance requirements.
5. Metrics, Reporting, and Continuous Improvement
If you can't measure it, you can't improve it. Track these metrics quarterly and report them to leadership:
- Simulation click rate — trending down over time is the goal
- Credential submission rate — this is the metric that matters most for actual risk reduction
- Report rate — trending up means your culture is working
- Time to report — how fast do employees flag suspicious emails to your security team?
- Repeat clickers — identify individuals who need additional coaching
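The baseline metrics from section 1 and the quarterly metrics listed above come from the same per-recipient simulation records, so here is one added example (not code from the original post or any simulation platform) that computes all of them: click rate, credential submission rate, report rate, median time to report, the click-rate trend across campaigns, a per-department breakdown and the repeat-clicker list. The record layout and the sample results (hypothetical users and departments) are constructed for this illustration.

```python
"""Phishing-simulation metrics from per-recipient results (added example).

Assumption: each simulation platform export becomes one Result per
recipient per campaign; field names below are this example's own.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Result:
    campaign: str            # e.g. "2025-01", one simulation per month
    user: str
    department: str
    clicked: bool
    submitted_credentials: bool
    reported: bool
    minutes_to_report: Optional[float]  # None when the user did not report


# Constructed sample data: two monthly campaigns, four recipients each.
SAMPLE: List[Result] = [
    Result("2025-01", "alice", "finance", True, True, False, None),
    Result("2025-01", "bob", "finance", False, False, True, 4.0),
    Result("2025-01", "carol", "it", False, False, True, 1.5),
    Result("2025-01", "dave", "marketing", True, False, False, None),
    Result("2025-02", "alice", "finance", True, False, False, None),
    Result("2025-02", "bob", "finance", False, False, True, 2.0),
    Result("2025-02", "carol", "it", False, False, True, 3.0),
    Result("2025-02", "dave", "marketing", False, False, True, 12.0),
]


def campaign_metrics(results: List[Result], campaign: str) -> Dict[str, object]:
    """The three baseline rates plus time-to-report for one campaign."""
    rows = [r for r in results if r.campaign == campaign]
    n = len(rows)
    if n == 0:
        raise ValueError(f"no results for campaign {campaign!r}")
    delays = [r.minutes_to_report for r in rows
              if r.reported and r.minutes_to_report is not None]
    return {
        "recipients": n,
        "click_rate": sum(r.clicked for r in rows) / n,
        "credential_submission_rate": sum(r.submitted_credentials for r in rows) / n,
        "report_rate": sum(r.reported for r in rows) / n,
        "median_minutes_to_report": median(delays) if delays else None,
    }


def click_rate_trend(results: List[Result]) -> List[Tuple[str, float]]:
    """Click rate per campaign in chronological order: the trend line."""
    campaigns = sorted({r.campaign for r in results})
    return [(c, campaign_metrics(results, c)["click_rate"]) for c in campaigns]


def click_rate_by_department(results: List[Result], campaign: str) -> Dict[str, float]:
    """Which departments need targeted, role-based follow-up."""
    totals: Dict[str, int] = defaultdict(int)
    clicks: Dict[str, int] = defaultdict(int)
    for r in results:
        if r.campaign == campaign:
            totals[r.department] += 1
            clicks[r.department] += int(r.clicked)
    return {d: clicks[d] / totals[d] for d in sorted(totals)}


def repeat_clickers(results: List[Result], min_clicks: int = 2) -> List[str]:
    """Users who clicked in at least min_clicks campaigns: coaching candidates."""
    counts = Counter(r.user for r in results if r.clicked)
    return sorted(u for u, c in counts.items() if c >= min_clicks)


if __name__ == "__main__":
    for campaign, rate in click_rate_trend(SAMPLE):
        print(campaign, campaign_metrics(SAMPLE, campaign))
    print("by department (2025-01):", click_rate_by_department(SAMPLE, "2025-01"))
    print("repeat clickers:", repeat_clickers(SAMPLE))
```

Report the credential submission rate alongside the click rate every quarter; on the sample data it drops from 25% to 0% between the two campaigns while the click rate only halves, which is the kind of distinction the leadership report should make visible.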
Organizations that run consistent monthly simulations paired with role-based training typically reduce click rates by 60% or more within 12 months. That's not a guess — that's what I've observed across dozens of program deployments.
What Is a Phishing Awareness Program?
A phishing awareness program is a structured, ongoing initiative that combines employee education, simulated phishing attacks, and measurable outcomes to reduce an organization's susceptibility to phishing-based threats. It goes beyond a single training session to include regular simulations, role-based content, incident reporting mechanisms, and continuous improvement based on data. The goal is to turn every employee into a human sensor capable of recognizing and reporting social engineering attempts before they result in a data breach or credential theft.
Integrating Your Program with Zero Trust and MFA
Training alone isn't a silver bullet. A phishing awareness program works best when it's layered with technical controls. Zero trust architecture assumes that no user, device, or network is inherently trusted. Multi-factor authentication makes stolen credentials less useful. Together with a trained workforce, these controls create defense in depth.
But here's the reality: MFA isn't unbreakable. Adversary-in-the-middle (AiTM) phishing kits can intercept MFA tokens in real time. The 2022 Uber breach started with MFA fatigue — a threat actor bombarded an employee with push notifications until they approved one. Technical controls buy you time. Trained employees buy you detection. You need both.
NIST's cybersecurity framework (available at nist.gov/cyberframework) explicitly includes awareness and training as a core function under its "Protect" category. This isn't optional guidance — it's foundational to the framework that most federal agencies and many private-sector organizations use as their security baseline.
The Compliance Angle: Regulators Are Watching
If the risk-reduction argument doesn't get your budget approved, the compliance argument will. Virtually every regulatory framework now mandates some form of security awareness training:
- HIPAA requires covered entities to implement a security awareness and training program
- PCI DSS 4.0 mandates security awareness training with specific phishing components
- CMMC 2.0 requires awareness and training practices for DoD contractors
- SOC 2 auditors routinely examine training records and simulation results
- FTC enforcement actions have cited inadequate employee training as a contributing factor in data breaches
The FTC's enforcement record is particularly instructive. In multiple consent orders, the Commission has required organizations to implement comprehensive security awareness programs as part of their remediation. You can review their enforcement history at ftc.gov. The message is clear: regulators consider untrained employees a foreseeable and preventable risk.
Getting Started This Week
You don't need a six-month planning cycle to launch a phishing awareness program. Here's a realistic timeline for getting meaningful results fast:
Week 1: Run Your Baseline
Deploy a baseline phishing simulation. Don't announce it. Use a realistic lure template. Measure click rate, credential submission rate, and report rate. This gives you your "before" picture.
Weeks 2-3: Deploy Initial Training
Roll out foundational training to all employees. Cover the basics: how to identify phishing emails, what to do when they spot one, and how to use your reporting mechanism. Our cybersecurity awareness training covers these fundamentals with practical, scenario-based modules that employees actually remember.
Week 4: Establish Your Simulation Calendar
Set up monthly simulations with varying difficulty and lure types. Assign additional training modules to anyone who clicks. Schedule quarterly metric reviews with leadership.
Month 2 and Beyond: Iterate
Analyze your data. Which departments have the highest click rates? Which lure types are most effective? Are repeat clickers improving after additional training? Use this data to refine your content, adjust your simulation difficulty, and target your interventions.
The Human Firewall Isn't a Cliché — It's a Strategy
I've spent years watching organizations pour millions into endpoint detection, SIEM platforms, and network segmentation — then lose everything because someone in marketing opened a fake invoice. Technology is essential. But the 2024 Verizon DBIR keeps telling us the same story year after year: humans are the primary attack surface.
A phishing awareness program isn't about making your employees feel bad for clicking. It's about giving them the knowledge, practice, and confidence to recognize threats in real time. It's about building a culture where reporting a suspicious email is as natural as locking the front door.
The threat actors are running their own training programs — refining their lures, testing their pretexts, iterating on what works. Your program needs to evolve just as fast. Start with a baseline. Build role-based content. Run monthly simulations. Measure everything. Reward the right behaviors.
If you're ready to build a phishing awareness program that produces measurable results, start with our organizational phishing awareness training or explore the full cybersecurity awareness training curriculum. The next phishing email is already in someone's inbox. The question is whether they'll click it or report it.