The Click That Cost One Company $47 Million

In 2023, MGM Resorts was brought to its knees — not by a sophisticated zero-day exploit, but by a single social engineering phone call that led to credential theft. The resulting breach caused an estimated $100 million in damages. And it started with a human being who didn't recognize a threat actor's tactics. That's the gap a phishing awareness program is supposed to close.

I've been building and evaluating security awareness programs for over a decade. Most of them fail. Not because the content is bad, but because they're treated as a checkbox exercise — a once-a-year video followed by a quiz nobody remembers. If your phishing awareness program doesn't change behavior, it's just theater.

This post breaks down what actually works: the components, the cadence, the metrics, and the mistakes I see organizations repeat year after year. Whether you're starting from scratch or rebuilding a stale program, you'll walk away with a practical blueprint.

What Is a Phishing Awareness Program?

A phishing awareness program is a structured, ongoing initiative designed to train employees to recognize, report, and resist phishing attacks — including email phishing, spear phishing, SMS-based smishing, and voice-based vishing. It typically combines education, phishing simulation exercises, and measurable performance tracking.

The goal isn't just knowledge. It's reflexive behavior. When your accounts payable clerk gets a spoofed invoice from a "vendor," you need them to pause, inspect, and report — not click and comply.

Why Most Programs Fail Before They Start

I've audited phishing awareness programs at organizations ranging from 50 employees to 50,000. The failure patterns are remarkably consistent.

The Annual Training Trap

Once-a-year training does almost nothing. The Ebbinghaus forgetting curve is real — people forget roughly 70% of new information within 24 hours. If your entire program is a 45-minute module every January, your employees are essentially untrained by March.

No Simulations, No Muscle Memory

You wouldn't train a pilot with only textbooks. Phishing simulations are the flight simulator of cybersecurity. Without them, employees never practice the actual decision they'll face in their inbox. The Verizon 2024 Data Breach Investigations Report found that the human element was involved in 68% of breaches. Simulations are how you shrink that number.

Shame-Based Cultures Kill Reporting

If employees who click a phishing simulation get publicly embarrassed or punished, they stop reporting real threats. I've seen organizations where employees deleted suspicious emails instead of reporting them — because they were afraid of getting in trouble. That's the opposite of what you want.

The 6 Components of a Phishing Awareness Program That Actually Works

Here's the framework I've seen produce real, measurable results. Every effective program includes these six elements.

1. Executive Sponsorship

If your CISO or CEO doesn't visibly support the program, employees treat it as low priority. The best programs I've seen feature a brief executive message explaining why phishing is the organization's biggest risk — because it is. According to the FBI's IC3, phishing and its variants have been the top reported cybercrime category for years running.

2. Baseline Measurement

Before you train anyone, run a baseline phishing simulation. You need to know your current click rate, credential submission rate, and report rate. Without a baseline, you can't prove your program works — and you can't identify your highest-risk departments.

3. Continuous, Role-Based Training

Monthly micro-trainings outperform annual marathons every time. Keep modules short — five to ten minutes — and tailor content to roles. Finance teams need to recognize business email compromise. HR teams need to spot fake résumé attachments. IT teams need to understand OAuth consent phishing.

If you're looking for a structured training curriculum that covers these scenarios, our cybersecurity awareness training program is designed for exactly this kind of role-based, continuous approach.

4. Regular Phishing Simulations

Run simulations at least monthly. Vary the attack types — credential harvesting pages, malicious attachments, QR code phishing, and even vishing calls. Rotate difficulty levels. Employees who consistently pass easy simulations should get harder ones.

Our phishing awareness training for organizations includes simulation frameworks and practical exercises that map to real-world threat actor tactics — not generic templates.

5. Immediate, Constructive Feedback

When someone clicks a simulated phish, don't wait three weeks. Show them immediately what they missed — the spoofed sender, the suspicious URL, the urgency cues. This just-in-time learning is when retention peaks. Frame it as coaching, not punishment.

6. Metrics and Reporting

Track these four metrics over time:

  • Click rate — percentage of employees who click the simulated phish
  • Credential submission rate — percentage who enter actual credentials
  • Report rate — percentage who use the phishing report button
  • Time to report — how quickly employees flag the suspicious message

Your goal isn't a 0% click rate. That's unrealistic. Your goal is a consistent downward trend in clicks and an upward trend in reporting speed.

How Long Does It Take for a Phishing Awareness Program to Show Results?

In my experience, organizations that run monthly simulations paired with continuous training see a measurable reduction in click rates within three to six months. Most programs achieve a 60-75% reduction in phishing susceptibility within the first year if they maintain consistent cadence. The key is consistency — programs that pause or go quarterly lose momentum fast.

Integrating Your Program Into a Zero Trust Architecture

A phishing awareness program doesn't exist in a vacuum. It's one layer in a defense-in-depth strategy. Even well-trained employees will occasionally make mistakes — that's why you pair awareness with technical controls.

Multi-Factor Authentication Is Non-Negotiable

If a threat actor steals credentials through a phishing page, multi-factor authentication (MFA) is your last line of defense. CISA strongly recommends MFA for all accounts, and so do I. Phishing-resistant MFA methods like FIDO2 hardware keys are the gold standard.

Assume Breach, Verify Everything

Zero trust principles complement phishing training perfectly. Even authenticated users shouldn't have unrestricted access. Segment your network. Enforce least privilege. Monitor for anomalous behavior post-authentication. When credential theft happens — and it will — zero trust limits the blast radius.

The Ransomware Connection Most People Miss

Here's something that doesn't get enough attention: the majority of ransomware attacks begin with phishing. A single clicked link leads to malware deployment, lateral movement, and eventually, encrypted systems and extortion demands. Your phishing awareness program isn't just about preventing data breach events — it's your front line against ransomware.

Every dollar you invest in training employees to spot a phishing email is a dollar you don't spend negotiating with a ransomware gang.

Common Objections and How to Handle Them

"Our Employees Are Too Busy for Monthly Training"

Five minutes a month. That's what effective micro-training takes. Compare that to the days or weeks of downtime a successful phishing attack causes. This isn't a time problem — it's a priority problem.

"We Have Email Filters — We Don't Need Training"

Email security gateways catch a lot. They don't catch everything. Threat actors constantly evolve their tactics to bypass filters. The messages that reach inboxes are the most sophisticated ones — and those are the ones your people need to recognize.

"We Tried Simulations and People Got Angry"

That's a culture problem, not a simulation problem. Reframe phishing simulations as practice, not tests. Celebrate employees who report. Share anonymized team-level results instead of individual callouts. The best security cultures make reporting a badge of honor.

Building the Business Case for Leadership

If you need to justify budget, here are the numbers that matter. IBM's Cost of a Data Breach Report 2024 pegged the global average breach cost at $4.88 million. Organizations with security awareness training and incident response planning consistently show lower-than-average breach costs. That's your ROI argument — not the cost of the program, but the cost of not having one.

Frame it this way for your board: a phishing awareness program is the lowest-cost, highest-impact control available to reduce your most likely attack vector.

Your Next Step

Stop treating phishing training as compliance theater. Build a real program with baselines, monthly simulations, role-specific content, and metrics your leadership can track. Start by assessing where your organization stands today — then build the cadence that keeps your people sharp all year.

If you need a structured starting point, explore our organizational phishing awareness training and our broader cybersecurity awareness training curriculum. Both are built for the threats your employees actually face — not the ones they faced five years ago.