A finance employee at a multinational firm joined a video call with his CFO and several senior colleagues. They discussed a confidential transaction. He authorized 15 bank transfers. Total amount: $25 million. Every person on that call — the CFO, the colleagues, all of them — was a deepfake. The employee had no idea until the money was gone.
That 2024 case was headline news. What doesn't make headlines is the quiet proliferation of the same technology at a fraction of the scale: AI-generated emails targeting a 30-person accounting firm, voice-cloned "executives" calling AP departments, QR codes in PDFs that bypass every email security filter because there's no URL for the filter to check. A criminal can now send 50,000 personalized phishing emails for roughly $17. That is not a typo.
The training your employees received two years ago was designed to catch a different threat. This post covers what phishing looks like now — and more importantly, what training and technical controls actually reduce your risk.
How AI Changed the Threat Landscape
Traditional phishing was detectable because it was generic. Bad grammar, mismatched logos, implausible scenarios, pressure tactics that felt wrong. Security awareness training worked — when the examples being trained on matched the attacks people actually saw.
The core problem now isn't just that AI makes emails grammatically correct. It's that AI enables spear phishing — highly personalized, contextually accurate targeting — at mass scale. Previously, personalized attacks took 16 hours per target. With LLM tools, it takes five minutes and five prompts, with equivalent effectiveness.
Why Annual Compliance Training Doesn't Work
Most security awareness training programs share a structural flaw: they run once a year, last 45–90 minutes, and measure completion rather than behavioral change. There's a reason the industry calls it "check-the-box training" — it satisfies auditors without meaningfully reducing risk.
22% of organizations still train employees only once a year, leaving them eleven months to forget everything they learned. 38% of respondents in Fortinet's 2024 global survey said users often don't remember the security training they received. That's not a content quality problem — it's a delivery model problem.
Beyond retention, there's a more fundamental issue: old-style training showed old-style phishing. Employees learned to spot broken grammar, generic salutations, mismatched logos, and obvious urgency cues. That mental model doesn't help when an AI-generated email arrives that reads like it was written by a polished colleague, references a real project, and arrives from a convincing lookalike domain.
Long mandatory courses create another problem. Research from ETH Zurich found that for the most susceptible participants, poorly implemented embedded phishing training can actually increase susceptibility — the stress response from "gotcha" simulations can produce learned helplessness rather than reinforced vigilance.
What Actually Works: Building a Human Firewall
Frequency over depth
Monthly 5–10 minute microlearning modules outperform annual multi-hour sessions on every measurable metric: retention, click rate reduction, and reporting behavior. Organizations using monthly microlearning report a 23% increase in training material retention compared to annual sessions. Short and frequent beats long and rare.
The highest-impact single intervention is the just-in-time teachable moment: when an employee clicks a simulated phishing link, they're immediately redirected to a brief, non-punitive learning module explaining exactly what they missed and why. Best practice is to deliver this within 24 hours of the failed simulation, not immediately — the goal is learning, not humiliation.
Simulated phishing: the numbers that matter
Running regular simulated phishing campaigns — fake phishing emails sent to employees to test and reinforce vigilance — is the most validated training method in the industry. The data from KnowBe4's 2025 benchmark report covers millions of users:
[Chart: phishing click rate with no training versus after 12 months of training]
An 86% reduction in phishing click rate over 12 months, without any changes to technical controls. That's the human firewall in practice — transforming employees from the largest attack surface into an active layer of defense.
The reporting culture matters as much as the click rate
The ultimate goal isn't employees who never click — it's employees who report suspicious emails when they see them. When 10–15% of employees report a phishing campaign, the security team can identify and block the real attack before the remaining 85–90% can be reached. A single report from one alert employee can protect the entire organization.
Organizations with mature training programs achieve 4× improvement in phishing reporting rates (Verizon DBIR 2025). A one-click "report phishing" button in Outlook or Gmail is a prerequisite — if reporting requires forwarding to an alias and writing a description, most employees won't bother regardless of how well-intentioned they are.
Security Awareness Training Platforms — What's Worth Using
| Platform | Best For | SMB Pricing | Key Differentiator |
|---|---|---|---|
| KnowBe4 | Most SMBs — broad coverage, proven data | ~$15–$35/user/year (25-user minimum) | Largest template library; 86% click-rate reduction in 12 months; strong per-department reporting |
| Proofpoint SAT | Orgs already using Proofpoint email security | ~$12–$24/user/year standalone; $6–$12 as add-on | Threat-intelligence-driven content — modules reflect active campaigns targeting your industry |
| Cofense | Regulated industries (healthcare, legal, finance) | Quote-based (premium) | Managed phishing incident response — employees' reports get analyzed by real security analysts |
| Hoxhunt | Organizations focused on behavior change | Quote-based | Gamified and adaptive — difficulty adjusts per employee's performance history over time |
For most small businesses in the 10–75 person range, KnowBe4 is the most practical starting point. The benchmark data is public, the pricing is negotiable (expect 25–35% off list at the SMB tier), and the platform handles simulated phishing, training content, and reporting in one place.
Who Needs Extra Training — High-Risk Roles
Phishing training should be universal, but some roles are disproportionately targeted and warrant additional attention:
Finance and AP staff receive the highest volume of invoice fraud and BEC wire transfer attempts — the combination of high transaction authority and high email volume creates real statistical exposure. Executives receive 42× more QR code phishing attacks than non-executive employees and are the primary targets for deepfake vishing. HR handles W-2 data, payroll, and direct deposit changes — a single successful phish here can redirect paychecks company-wide.
What Employees Need to Recognize Now
The classic tells — poor grammar, unusual sender, obvious urgency — still appear and still matter. But AI-generated phishing eliminates most of them. Here's the updated playbook for employees:
- Hover before you click — always. Preview the destination URL in your browser's status bar. The display text of a link means nothing. What matters is where it actually goes. Lookalike domains are built to survive a quick glance: rnicrosoft.com versus microsoft.com — "rn" mimics "m" at a glance.
- Check the actual sending domain, not the display name. "Microsoft Support" <billing@account-verify-ms.net> — the display name is meaningless. The domain after @ is what's real.
- QR codes in emails and PDFs should be treated as suspicious by default. Before scanning, ask: why is this a QR code instead of a normal link? Legitimate businesses rarely require QR codes for account verification or payment. If you scan one, read the full URL before tapping through.
- Any request to wire money, change banking details, or share credentials — verify by phone. Call the person back using a number from your company directory or the vendor's official website, not the number in the email. This one step prevents the majority of BEC losses.
- "Keep this confidential" is a red flag, not a reassurance. CEO fraud frequently includes a request for secrecy — "don't mention this to anyone, I'll explain later." Legitimate urgent requests don't require bypassing normal approval processes.
- Unexpected multi-factor prompts are worth pausing on. If you receive an MFA push notification you didn't trigger, don't approve it. Someone may be attempting to log in as you. Report it immediately.
- When in doubt, report it — don't delete it. Use the report phishing button. Being wrong is fine. Clicking "delete" and moving on means the security team never finds out the attack happened.
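An added example, not from the original post, that applies the two domain checks in the playbook above in Python: it parses the From: header, judges the domain after @ rather than the display name, and flags homoglyph lookalikes such as rn for m. The trusted-domain set and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Character tricks a reader's eye glosses over, mapped back to the letter
# they imitate, so a lookalike normalizes to the genuine domain.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Constructed for this example: the domains this organization trusts.
TRUSTED = {"microsoft.com", "example-bank.com"}

def normalize(label: str) -> str:
    """Collapse homoglyph tricks so 'rnicrosoft.com' reads as 'microsoft.com'."""
    out = label.lower()
    for fake, real in HOMOGLYPHS:
        out = out.replace(fake, real)
    return out

def registrable_domain(host: str) -> str:
    """Last two labels of a host name (adequate for .com-style domains)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def check_sender(from_header: str, trusted: set = TRUSTED) -> dict:
    """Classify a From: header the way the playbook says: judge the domain
    after '@', not the display name."""
    display, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    reg = registrable_domain(domain) if domain else ""
    if reg in trusted:
        return {"domain": domain, "verdict": "trusted"}
    # Lookalike: normalizes to a trusted domain but is not one.
    if reg and normalize(reg) in trusted:
        return {"domain": domain, "verdict": "lookalike",
                "impersonates": normalize(reg)}
    # Brand name in the display text, unrelated sending domain.
    for t in trusted:
        brand = t.split(".")[0]
        if brand in display.lower():
            return {"domain": domain, "verdict": "display-name-spoof",
                    "impersonates": t}
    return {"domain": domain, "verdict": "unknown"}

if __name__ == "__main__":
    # Constructed sample headers, one per verdict the playbook describes.
    for hdr in ('"Microsoft Support" <billing@account-verify-ms.net>',
                "IT Helpdesk <helpdesk@rnicrosoft.com>",
                "Jane Doe <jane@mail.microsoft.com>"):
        print(hdr, "->", check_sender(hdr))
```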
Technical Controls That Support Your Training Program
Training is the most impactful single control, but it works best alongside the technical layer. Here's what to have in place:
Email authentication: SPF, DKIM, and DMARC
These three DNS-based controls determine whether other mail servers trust email claiming to come from your domain. Together they prevent attackers from spoofing your domain to send phishing emails that appear to come from you — protecting your clients and vendors from attacks in your name.
- SPF lists the mail servers authorized to send from your domain. If an unauthorized server sends email claiming to be from you, it fails SPF.
- DKIM adds a cryptographic signature to outbound mail, verifiable by the recipient's server. Prevents tampering in transit.
- DMARC tells receiving servers what to do when SPF or DKIM fails — monitor only, quarantine, or reject — and sends reports back to you showing spoofing attempts.
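The records those three bullets describe, graded by an added script that is not part of the original post: it parses DMARC and SPF TXT records and reports the weak settings to fix, from p=none (monitor only) through a permissive +all. The records it is run on are constructed samples, not looked up from DNS.

```python
# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per record.
LOOKUP_MECHANISMS = {"a", "mx", "include", "exists", "ptr", "redirect"}

def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_dmarc(record: str) -> list:
    """Findings for a DMARC record; empty means enforcing with reports enabled."""
    if not record:
        return ["no DMARC record: receivers get no instruction for spoofed mail"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing v=DMARC1: receivers ignore the record")
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports of spoofing attempts")
    return findings

def grade_spf(record: str) -> list:
    """Findings for an SPF record: a permissive 'all' or too many DNS lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record: any server can claim to send for your domain"]
    findings = []
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    # A bare 'all' means '+all'; a missing 'all' leaves unlisted servers neutral.
    qualifier = all_terms[0][0] if all_terms and all_terms[0][0] in "-~?" else "+"
    if qualifier in "+?":
        findings.append("permissive or missing 'all': unauthorized servers do not fail SPF")
    elif qualifier == "~":
        findings.append("~all: softfail only; DMARC enforcement is needed to reject")
    lookups = sum(1 for t in terms
                  if t.lower().lstrip("+-~?").split(":")[0].split("=")[0] in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: over the limit of 10, SPF returns permerror")
    return findings
```

For a constructed monitor-only record such as `v=DMARC1; p=none`, grade_dmarc returns two findings (no enforcement, no reporting address); `v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com` returns none.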
To check whether your domain already publishes a DMARC policy:

```
nslookup -type=TXT _dmarc.yourdomain.com
```

Email security filtering
If your organization runs Microsoft 365, Microsoft Defender for Office 365 includes Safe Attachments (sandboxes attachments before delivery) and Safe Links (rewrites and re-checks URLs at click time, catching links that turned malicious after delivery). Default policies exist but should be tuned — CISA publishes specific configuration recommendations for M365.
Add DNS filtering as a second layer: if a user clicks a link that bypasses email filters, DNS filtering blocks the connection at the network level before the malicious page loads.
Phishing-resistant MFA for your highest-risk users
Standard MFA protects against credential stuffing and password spray attacks. It doesn't protect against AiTM phishing. For finance staff, IT admins, and executives — deploy FIDO2 hardware keys (YubiKey is the most widely used) or device-bound passkeys. These are cryptographically bound to the exact legitimate domain; an AiTM proxy on a fake domain receives nothing it can use.
A full FIDO2 rollout to your entire organization may not be realistic immediately. Prioritize the five to ten accounts with the highest authority — wire transfer approval, admin credentials, executive accounts — and work outward from there.
A 12-Month Training Plan for a Small Business
This is a starting framework. A good training platform like KnowBe4 will build this out and automate delivery — but here's what the sequence should cover:
The Bottom Line
The best phishing defense has always been people who recognize the attempt before they click. What changed is what "recognize the attempt" requires. A training program built around catching typos and suspicious grammar is now approximately as useful as a spam filter from 2010 — technically present, largely ineffective against what's actually arriving.
Building a team that's genuinely hard to phish isn't complicated. It's a monthly cadence of short, relevant training. Simulated phishing that reflects current tactics. A culture where reporting is rewarded, not ridiculed. And a technical layer — email authentication, filtering, phishing-resistant MFA — that removes the easy attack vectors so your training has to cover fewer scenarios.
The 86% click-rate reduction KnowBe4 documented isn't theoretical. It's what happens when you run a consistent program for 12 months and actually measure it. If you want help assessing where your organization stands today — or building out a training program — we run security awareness assessments as part of our managed cybersecurity services.