Phishing Recognition & Response: Employee Security Training

Employees who can recognise phishing attempts and know how to respond are a genuine security asset. This guide covers what to look for in phishing emails, how to build a culture of reporting, and what to do when an attack gets through.

Sophie Moore

Operations Manager

7 min read·Mar 2026

Why employee training matters for phishing defence

Technical controls — email gateways, spam filters, DMARC enforcement — are essential but imperfect. Security vendors are clear that some phishing will always reach the inbox. The final defence is the person receiving the email. An employee who pauses before clicking, knows what to look for, and knows how to report a suspicious message closes the gap that technology cannot.

This is not about blaming employees when they are deceived — phishing attacks are designed by professionals to exploit psychological triggers. It is about systematically improving the probability that suspicious emails are caught before they result in harm, and reducing the impact when they are not.

What to look for: indicators of phishing

Sender address

The display name of an email can be set to anything. The actual email address — visible by clicking or hovering on the sender name in most email clients — reveals the true origin. A display name of "HMRC Refunds" with an email address of refund@hmrc-gov-uk.com is clearly fraudulent. Lookalike domains (amvla.co.uk instead of amvia.co.uk) are more subtle but detectable if you look carefully.
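
As an added illustration (not code from the original article), the Python check below applies the sender-address rules above: it parses a raw From: header, compares the address domain against a constructed allowlist, and flags lookalike domains as well as display names that claim a trusted brand while the address comes from elsewhere. The allowlist, the confusable-character table and the sample addresses are assumptions.

```python
# Added example (not from the article): check a raw From: header for display-name
# impersonation and lookalike domains against an organisation's trusted list.
import difflib
from email.utils import parseaddr

# Assumption: domains this organisation treats as known-good (constructed list).
TRUSTED_DOMAINS = {"amvia.co.uk", "hmrc.gov.uk", "microsoft.com"}

# Glyphs that look alike in many fonts; folded before comparing domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(domain):
    """Fold confusable characters so 'rn' reads as 'm', 'vv' as 'w', '0' as 'o'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def lookalike_of(domain):
    """Return the trusted domain this domain imitates, or None if it is not similar."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if normalise(domain) == normalise(trusted):
            return trusted                      # e.g. rnicrosoft.com
        if difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.85:
            return trusted                      # e.g. amvla.co.uk vs amvia.co.uk
        brand = trusted.split(".")[0]
        if brand in domain.replace("-", ".").split("."):
            return trusted                      # e.g. hmrc-gov-uk.com
    return None


def assess_sender(from_header):
    """Return a list of findings; an empty list means the sender looks genuine."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return []
    findings = []
    target = lookalike_of(domain)
    if target:
        findings.append(f"lookalike domain {domain} resembles {target}")
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in name.lower():               # display name borrows a trusted brand
            findings.append(f"display name '{name}' claims {brand} but address is {addr}")
    return findings
```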

Urgency and pressure

Phishing emails create urgency to override careful thinking: "Your account will be suspended within 24 hours", "Immediate action required to avoid a penalty", "This offer expires today". Legitimate organisations do not create pressure to act without time to verify. Urgency in an unexpected email is a strong indicator that closer scrutiny is warranted.

Unusual requests

Any email requesting credentials, personal information, payment outside normal processes, or changes to bank details should be treated with scepticism regardless of who it appears to come from. Criminals frequently impersonate senior staff (whaling) or known suppliers to make requests seem credible. The correct response to any unusual financial instruction received by email is telephone verification through a known number.

Links and URLs

Hovering over a link in most email clients reveals the actual URL destination. If the displayed link text says www.microsoft.com but the underlying URL shows a different domain, the link is fraudulent. Shortened URLs (bit.ly, tinyurl) conceal the destination and should be treated with caution. Legitimate services rarely use URL shorteners in transactional or security emails.
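
The hover check described above can also be automated for a whole message body. The Python example below is added here and is not from the article: it collects every link in an HTML email, flags links whose visible text names one domain while the underlying URL points to another, and flags shortener hosts. The shortener list, the sample body and the attacker domain (a reserved .example name) are constructed assumptions.

```python
# Added example (not from the article): flag links in an HTML email body whose
# visible text names one domain while the href goes elsewhere, and shortener hosts.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumption: short list of common hosts
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def host_of(text):
    """Lower-cased hostname of a URL or bare domain; None if there is none."""
    text = text.strip()
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host.lower() if host else None

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, reason) pairs for links a reader should distrust."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if target is None:
            continue
        if target in SHORTENERS:
            findings.append((href, "URL shortener hides the destination"))
        shown = host_of(text) if DOMAIN_LIKE.match(text) else None  # only domain-like text
        if shown and shown != target and not target.endswith("." + shown):
            findings.append((href, f"text shows {shown} but link goes to {target}"))
    return findings

# Constructed sample body: one mismatched link, one shortener, one genuine link.
SAMPLE_HTML = """<p>Sign in at <a href="https://login.accounts-microsoft.example/reset">
www.microsoft.com</a> within 24 hours, or use <a href="https://bit.ly/example">this
link</a>. Support: <a href="https://www.amvia.co.uk/support">www.amvia.co.uk</a></p>"""
```

A subdomain of the displayed domain (text "microsoft.com", link to login.microsoft.com) is deliberately not flagged, since that pattern is common in genuine mail.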

Attachments

Unexpected attachments — especially macro-enabled Office documents, compressed archives (.zip, .7z), or executable files — should be treated with caution. A PDF requesting you to enable editing to view the content is a social engineering trigger for a malicious macro. If you are not expecting an attachment from a contact, verify before opening.

Building a reporting culture

The most important organisational characteristic for phishing resilience is a culture where employees feel comfortable reporting suspicious emails without fear of judgment or embarrassment. An employee who deletes a suspicious email without reporting it — because they are worried about looking foolish — removes the opportunity for the IT team to investigate, warn others, and potentially prevent a wider attack.

Management should model reporting behaviour, including openly sharing when they have received and reported suspicious emails. Reporting should be easy — a phishing report button in Outlook (available through Microsoft Defender and third-party tools) reduces friction to a single click.

Simulated phishing exercises

The most effective training method is simulated phishing — sending controlled phishing emails that test employees' recognition and response. Employees who interact with a simulated phishing email receive immediate, contextual education: an explanation of what made the email suspicious and what they should have done. Research consistently shows that this real-time, experience-based approach is more effective than awareness presentations alone.

Simulated phishing programmes should be calibrated to be challenging but not demoralising. The goal is learning, not a test to be passed or failed. Click rates above 30-40% suggest a need for more foundational training. Most organisations see significant improvement within two to three simulation cycles.

What to do when an attack gets through

When a phishing email is clicked or credentials are entered on a phishing page, speed matters. Employees should know immediately to:

  • Stop using the affected device and disconnect it from the network if malware may have been installed
  • Report to the IT team immediately using a non-email channel if email may be compromised
  • Change passwords for any account whose credentials may have been entered
  • Revoke active sessions on affected accounts (Microsoft 365 allows sign-out of all sessions from the account security settings)

The IT team should then review mailbox access logs for newly created forwarding rules or unusual sign-ins, check for OAuth applications that have been granted access to the account, and assess whether a personal data breach must be reported to the ICO under UK GDPR.
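
As an added example (not from the article), the Python triage below covers two of the artefacts the IT team reviews after a credential phish: mailbox inbox rules and OAuth consent grants. The record layouts are a simplified stand-in assumed for illustration, not the real Exchange Online or Microsoft Graph schema, and the organisation domain, watch-words and sample records are constructed.

```python
# Added example (not from the article): triage two artefacts the IT team reviews
# after a credential phish: mailbox inbox rules and OAuth consent grants.
# Assumption: the record layouts below are a simplified stand-in for what an
# Exchange Online / Microsoft Graph export returns, not the real schema.
ORG_DOMAIN = "amvia.co.uk"                                   # assumption
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}
SENSITIVE = ("password", "invoice", "payment", "bank")       # assumption: watch-words

# Constructed sample data: one benign rule, two rules typical of a hijacked mailbox.
INBOX_RULES = [
    {"Name": "Newsletters", "ForwardTo": [], "DeleteMessage": False,
     "MoveToFolder": "Newsletters", "SubjectContains": ["newsletter"]},
    {"Name": ".", "ForwardTo": ["collector@mail-drop.example"], "DeleteMessage": True,
     "MoveToFolder": None, "SubjectContains": []},
    {"Name": "Archive", "ForwardTo": [], "DeleteMessage": True,
     "MoveToFolder": None, "SubjectContains": ["password", "invoice"]},
]
OAUTH_GRANTS = [
    {"App": "Microsoft Teams", "Publisher": "Microsoft", "Scopes": ["User.Read"]},
    {"App": "MailSyncPro", "Publisher": None, "Scopes": ["Mail.ReadWrite", "offline_access"]},
]

def is_external(address):
    """True when a recipient address is outside the organisation's own domain."""
    return not address.lower().endswith("@" + ORG_DOMAIN)

def review_inbox_rules(rules):
    """Return (rule name, reasons) for rules that match post-compromise patterns."""
    findings = []
    for rule in rules:
        reasons = []
        ext = [a for a in rule["ForwardTo"] if is_external(a)]
        if ext:
            reasons.append(f"forwards to external {ext}")
        if rule["DeleteMessage"] and not rule["MoveToFolder"]:
            reasons.append("deletes messages, hiding replies from the mailbox owner")
        if any(k in s.lower() for s in rule["SubjectContains"] for k in SENSITIVE):
            reasons.append("filters on sensitive subject words")
        if len(rule["Name"].strip()) <= 1:
            reasons.append("near-empty rule name")
        if reasons:
            findings.append((rule["Name"], reasons))
    return findings

def review_oauth_grants(grants):
    """Return (app, mail scopes) for consents that can read or send the user's mail."""
    return [(g["App"], sorted(MAIL_SCOPES & set(g["Scopes"])))
            for g in grants if MAIL_SCOPES & set(g["Scopes"])]
```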
