How to Train your Users Right Before They Get Phished

This is the third in our five-part series evaluating anti-phishing tools. To start at the beginning, read “Automated phishing response tools: 4 things to consider”.


When organizations consider their anti-phishing strategy, they typically group their requirements into three buckets:

  1. Getting an email security tool that’s better at detecting business email compromise and other phishing threats (stay tuned – we’ve got a blog post coming on this topic)
  2. Training their users on best security practices and how to spot phishing attacks
  3. Improving incident response speed and results

In our last post, we covered point 3 (“Email Threat Remediation: The Secret Weapon to Fighting Phishing”), but promised to highlight the importance of user engagement tools, and the in-the-moment training they can provide, in your phishing response plan. (Itching to talk about threat detection? Stay tuned: that’ll be our next post.)

The tremendous effort of security awareness training

A few weeks ago, we talked about the challenges of security training with an all remote workforce, but the truth is that security training can be challenging even in the best of times. For many organizations, security awareness training involves periodic sessions conducted either live or via computer-based training platforms. They happen when an employee onboards, and then are typically refreshed on a regular schedule to meet compliance or insurance requirements. They often come bundled with some level of phishing simulation training so you can measure and monitor improvements over time.

In short, for many companies, they’ve become checkbox-style compliance. While these activities are important, and in many cases mandatory, on their own they often fail to adequately protect users.

The impact of distraction on user vigilance

Meanwhile, the reality is that your users are often overworked, distracted, and on their mobile devices, now more than ever. They’re moving fast, reacting to urgency and authority, and that’s exactly what cybercriminals are counting on.

Mobile devices make it difficult to “double-check the sender’s address” or “hover over the link,” and as your employees juggle the demands of their daily job, remote working, and family obligations, expecting them to remember all the tips and techniques you’ve trained them on probably isn’t realistic. That’s where “in-the-moment” phishing education comes in.

The importance of “now” in phishing awareness

First, what do we mean by “in-the-moment” phishing education? It can come in a variety of forms, but some of the most impactful are tools like email banners, “report phish” email plug-ins, and warning pages, all of which can reduce employee engagement with dangerous phishing messages.

Such tools aren’t meant to replace security awareness training but rather to augment it – reinforcing good email hygiene habits and warning users when there’s something suspicious going on. They effectively analyze emails for suspicious traits and can tap your users on the shoulder to say, “Hey! Remember that security training you went through? Now might be a good time to use it, and here’s why.”

As a result, instead of relying on your employees to review each email they receive with great care (we can hope, but probably best not to expect it!), you’re providing them tools that can make them stop and think – right before they engage with a potential threat.

Think of it as a personal alarm system with customized warnings: “There’s smoke in the kitchen. You should check it out.”

Advanced email security solutions can surface these warnings to the user in a digestible way that makes users part of the process rather than a crack in the armor. Such engagement can take several forms:

  • Customized email banners – these CANNOT be generic warnings (generic banners fade into the background, and an attacker can easily imitate them inside a phishing email). Each banner should instead be specific to the threat at hand, ideally branded with the company logo, and tell users what to look for, why it’s a threat, and what to do now.
  • Email plugin – this includes not only “report phish” functionality integrated with the email security back-end, but also a simple stop-light style analysis of the nuances of any given email, giving employees a way to judge for themselves whether an email is suspicious.
  • Suspicious link previews – many link protection tools focus only on known-malicious links or show generic suspicious-URL warnings that users ignore and click through. By showing a preview of where a suspicious URL actually leads as part of the warning, email security tools give users the context they need to make better decisions.

No matter how good your training, it comes to nothing if your employees don’t use it when it matters most.

Shutting down false positives

All this talk about training and teaching users not to engage raises the obvious question: how do we stop them from receiving such threats at all? And of course, that’s a core goal of email security solutions everywhere.

But many email security and anti-phishing tools stop at threat detection, failing to recognize that combatting phishing effectively requires multiple layers of protection to reduce not only exposure, but also false positive rates.

As with every security layer, email security requires a balance between tight controls and the flexibility to conduct business without friction. Advanced phishing techniques such as door knocks (short, impersonating emails with neither a link nor an attachment) are virtually indistinguishable from regular email, yet they often carry subtle clues that something is off.

By integrating in-the-moment education tools into your phishing protection program, security teams typically find they can loosen some of their quarantine levels, catching fewer false positives (and reducing friction with the business!), without increasing their corporate risk. Dynamic, context-aware warnings give security teams a way to tell users not only that an email is suspicious, but also why it’s suspicious and what they should look for. That introduces a level of nuance to your security program that minimizes risk without hindering the pace of business.
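To make the three engagement mechanisms listed above, and the door-knock case just described, concrete, here is an added Python example; it is not code from the original post or from any vendor's product. It parses one message, collects the kind of specific signals a banner can cite (an executive's display name on an external address, a lookalike sender domain, a Reply-To pointing elsewhere, link text whose host differs from the real target, and the short link-free door knock), and returns deliver, warn or quarantine together with the banner text. The internal domain example.com, the executive list, the urgency phrases, the signal weights and the quarantine rule are all assumptions chosen for illustration, and the four sample messages are constructed.

```python
# Added example (not the post's or any vendor's code): score suspicious traits
# in one message and decide whether to deliver, warn with a banner, or quarantine.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"   # assumption: the protected organisation
VIP_NAMES = {"pat chen"}          # assumption: display names attackers like to borrow
URGENCY = re.compile(r"\b(urgent|asap|right away|quick favou?r|gift cards?|wire transfer)\b", re.I)
WEIGHTS = {"external": 1, "vip_impersonation": 2, "reply_to_mismatch": 2,   # assumed
           "door_knock": 2, "lookalike_domain": 3, "link_mismatch": 3}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class _LinkCollector(HTMLParser):   # (href, visible text) pairs for link previews
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def _host(s: str) -> str:   # hostname of a URL, or of anchor text that looks like one
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def analyze(raw: str) -> dict:
    """Return {'action', 'signals', 'banner'} for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    external = from_dom != INTERNAL_DOMAIN
    signals, banners = [], []
    if external:
        signals.append("external")
    if external and edit_distance(from_dom, INTERNAL_DOMAIN) <= 2:
        signals.append("lookalike_domain")
        banners.append(f"Sender domain '{from_dom}' imitates '{INTERNAL_DOMAIN}' but is not it.")
    if external and name.lower() in VIP_NAMES:
        signals.append("vip_impersonation")
        banners.append(f"'{name}' is an internal executive, but this mail came from "
                       f"{from_dom}; confirm by phone before acting on it.")
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_dom:
        signals.append("reply_to_mismatch")
        banners.append(f"Replies go to {reply_addr}, not to the apparent sender {addr}.")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    links = []
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        links = collector.links
    for href, shown in links:   # link preview: displayed host vs. real host
        if re.match(r"https?://|www\.", shown, re.I) and _host(shown) != _host(href):
            signals.append("link_mismatch")
            banners.append(f"Link text shows {_host(shown)} but really points to {href}.")
    has_attachment = any(part.get_filename() for part in msg.walk())
    plain = re.sub(r"<[^>]+>", " ", text)
    # Door knock: short, external, no link or attachment, plus urgency or an
    # impersonated name. Nothing to detonate, so warn rather than quarantine.
    if (external and not links and not has_attachment and len(plain) < 300
            and (URGENCY.search(plain) or "vip_impersonation" in signals)):
        signals.append("door_knock")
        banners.append("Short external message with no link or attachment asking for a "
                       "quick action: a common opener for payment or gift-card fraud.")
    score = sum(WEIGHTS[s] for s in signals)
    # Only high-confidence signals quarantine; anything else with enough signal
    # is delivered with a specific banner so the user decides with context.
    hard = {"lookalike_domain", "link_mismatch"} & set(signals)
    action = "quarantine" if hard else "warn" if score >= 2 else "deliver"
    return {"action": action, "signals": signals, "banner": " ".join(banners)}

# Constructed sample messages (not real traffic).
DOOR_KNOCK = ("From: Pat Chen <pat.chen.ceo@freemail.test>\nTo: alex@example.com\n"
              "Subject: Quick favor\n\nAre you at your desk? I need this handled right away.\n")
LOOKALIKE_LINK = ("From: IT Helpdesk <helpdesk@examp1e.com>\nTo: alex@example.com\nSubject: Reset\n"
                  "Content-Type: text/html\n\n<p>Sign in at <a href="
                  '"http://portal.example.com.evil.test/login">https://portal.example.com/login</a></p>\n')
REPLY_TO = ("From: Accounts <billing@vendor.test>\nReply-To: desk@mailbox-relay.test\nTo: alex@example.com\n"
            "Subject: Remittance\n\nPlease confirm the new account before the next wire transfer.\n")
LEGIT = ("From: Pat Chen <pat.chen@example.com>\nTo: alex@example.com\n"
         "Subject: Lunch\n\nLunch at noon?\n")
```

The policy encodes the loosening described above: only the two high-confidence signals (lookalike domain and link mismatch) quarantine, the door knock and Reply-To cases are delivered with a banner that names the specific clue, and an ordinary external vendor mail with no other signal gets no banner at all, which keeps warnings from becoming the generic kind users learn to ignore.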

Through user engagement tools, security teams create a culture of support and collaboration in which employees become an integral weapon against phishing attacks rather than the weakest link in your security strategy.

In the next post in our anti-phishing evaluation series, we’ll discuss how to evaluate email security solutions based on their detection capabilities – so you can limit the threats your users see to begin with.
