
Phishing: how to train a small team to spot it

Phishing is still how most attacks start, and your people, not your firewall, are the ones who meet it first. The good news is that spotting a phish is a teachable skill, and you don't need a budget or a fancy training platform to build it.

This is a practical plan for a team of 1 to 50 people: the handful of tells worth teaching, a 30-day rollout that costs nothing, how to run a test without wrecking trust, and what "working" actually looks like.

Why training beats tools here

Almost every breach we write about starts the same way: one person, one convincing email, one click. The Microsoft 365 phishing kit that steals session tokens and the payroll-pirate scam that reroutes salaries both begin with someone typing their password into a page that looked exactly right. You can buy every security product on the market and still get compromised if a staff member hands their login to a fake sign-in screen. Training is the one control that sits exactly where the attack actually lands.

The five tells to teach

Keep the list short enough that people remember it under pressure. These five catch the large majority of phishing:

  • Urgency and fear. "Your account will be closed in 24 hours," "payment failed, act now." Pressure is the point; it's there to stop you thinking.
  • A link that doesn't match. Hover over it (or long-press on mobile) and read the real address. If the email claims to be Microsoft but the link isn't microsoft.com, stop.
  • An unexpected request to log in, pay, or change banking details. Especially anything about direct deposit, invoices, or "update your payment info."
  • Slightly-off senders and domains. micros0ft.com, intrasec-support.com, a colleague's name on a stranger's address. Attackers count on you reading the display name and ignoring the rest.
  • A nudge to skip the normal process "just this once." Real urgency rarely requires you to bypass how things are normally done.

The single most useful habit to drill is to slow down and verify through a second channel before acting: a quick call or a message on a number you already have beats trusting the email in front of you.
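The hover-and-read check and the look-at-the-real-address check can also be done by a script, which is useful for a reporting mailbox: it gives whoever triages forwarded "is this real?" messages a first pass over tells 1 to 4. The code below is an added example, not something from the original post. The two email messages are constructed, and the KNOWN_DOMAINS list is hypothetical, with intrasec.com standing in for the team's own domain.

```python
"""Machine checks for the link and sender tells listed above.

Added example, not code from the original post. The two messages and the
KNOWN_DOMAINS list are constructed for illustration; intrasec.com stands in
for the reader's own domain (hypothetical).
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: brands the team legitimately gets mail from, plus its own domain.
KNOWN_DOMAINS = ("microsoft.com", "intrasec.com")

URGENCY = re.compile(r"(24 hours|act now|immediately|will be (closed|suspended))", re.I)
ASK = re.compile(r"(payment info|direct deposit|banking details|sign in|log in|password)", re.I)

# Constructed: the kind of message the five tells are meant to catch.
SAMPLE = """\
From: Microsoft 365 Support <alerts@micros0ft.com>
To: staff@intrasec.com
Subject: Action required: your account will be closed in 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We could not verify your payment info. Sign in within 24 hours to keep access.</p>
<p><a href="https://login.intrasec-support.com/m365">https://login.microsoft.com/</a></p>
</body></html>
"""

# Constructed: an ordinary internal message that should raise nothing.
CLEAN = """\
From: Dana <dana@intrasec.com>
To: staff@intrasec.com
Subject: Notes from Tuesday
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Slides are at <a href="https://docs.intrasec.com/x">https://docs.intrasec.com/x</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host):
    """Last two labels of a hostname (a crude stand-in for a public-suffix lookup)."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def lookalike_of(domain, known=KNOWN_DOMAINS):
    """Return the known domain that `domain` imitates, or None.

    Catches digit-for-letter swaps (micros0ft.com) and a brand name padded
    with extra words (intrasec-support.com); exact known domains pass.
    """
    if domain in known:
        return None
    label = domain.split(".")[0].translate(str.maketrans("0135", "oles"))
    for k in known:
        if k.split(".")[0] in label:
            return k
    return None


def phishing_tells(raw_message):
    """Return [(tell_number, detail), ...] for the tells a program can check.

    Tell 5 (being nudged to skip the normal process) is a judgement call
    and is left to the human reader.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Tell 4: people read the display name; the address after it is what matters.
    _name, addr = email.utils.parseaddr(msg["From"] or "")
    sender = registrable(addr.rpartition("@")[2])
    if (hit := lookalike_of(sender)):
        findings.append((4, f"sender domain {sender} imitates {hit}"))

    # Tell 2: what the link shows versus where it really goes (the hover check).
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(html)
    for text, href in collector.links:
        target = registrable(urlparse(href).hostname)
        shown = re.search(r"[\w-]+(\.[\w-]+)+", text)
        if shown and registrable(shown.group(0)) != target:
            findings.append((2, f"link shows {shown.group(0)} but goes to {target}"))
        if (hit := lookalike_of(target)):
            findings.append((2, f"link domain {target} imitates {hit}"))

    # Tells 1 and 3: pressure language, and an unexpected ask to log in or pay.
    text = f"{msg['Subject'] or ''} {re.sub(r'<[^>]+>', ' ', html)}"
    if (m := URGENCY.search(text)):
        findings.append((1, f"urgency language: {m.group(0)!r}"))
    if (m := ASK.search(text)):
        findings.append((3, f"asks you to act on credentials or money: {m.group(0)!r}"))
    return findings


if __name__ == "__main__":
    for tell, detail in phishing_tells(SAMPLE):
        print(f"tell {tell}: {detail}")
    print("clean message:", phishing_tells(CLEAN))
```

None of this replaces the second-channel habit: a script can only say that a link or sender looks off, and a message that passes every check can still be a phish. The lookalike test is deliberately crude (digit swaps and a brand name buried in a longer label); a production filter would use a public-suffix list and a proper confusable-character table.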

A 30-day plan that costs nothing

You can stand up a real program in a month using tools you already pay for:

  • Week 1, teach the tells. Run one 20-minute session on the five signs above and hand out a one-page cheat sheet people can pin up or save.
  • Week 2, make reporting easy and safe. Give everyone one button or one address to forward a suspicious message, and state the rule plainly: nobody is ever in trouble for reporting, even if it turns out to be nothing.
  • Week 3, run one safe test. Send a harmless internal fake-phish, or use the built-in attack-simulation tools in Microsoft 365 or Google Workspace. Note who clicks, quietly.
  • Week 4, review as a team. Share the results without naming names, celebrate the people who reported it, and re-teach whichever tell tripped people up.

Run a phishing test without wrecking trust

A test is for learning, not for catching people out, and how you run it decides whether your program helps or backfires. Announce that simulated phishing will happen (just not when), never publicly name the people who clicked, and treat a click as a coaching moment rather than a disciplinary one. A program that makes people afraid to admit a mistake is worse than none at all, because the whole goal is that someone who clicks tells you within a minute so you can cut off access before any damage is done.

What "good" looks like

You'll know the program is working when three things happen:

  • Reports go up. More people flagging suspicious mail is a win, not noise. A flood of forwarded "is this real?" messages means people are paying attention.
  • Click rates on tests fall over a few rounds, and the same handful of mistakes stop repeating.
  • People who slip tell you immediately instead of hiding it, because speed of reporting is what actually limits the damage.

The teams that handle phishing well aren't the ones who never click. They're the ones where the person who clicks says so right away.

The technical backstops training needs

Training is one layer, not the whole wall. A trained team makes far fewer mistakes, but you still want a safety net underneath them:

  • Phishing-resistant MFA (passkeys or security keys), so a stolen password alone isn't enough to get in.
  • Email authentication (SPF, DKIM, and DMARC) to cut down how much spoofed mail reaches inboxes in the first place. You can check yours with our Email Security Checker.
  • Fast access revocation, so that when someone does get caught, you can reset the account and kill active sessions in minutes.
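The email-authentication bullet is the one backstop that is a plain configuration question: a DMARC record set to p=none or an SPF record ending in ~all is there, but it does not actually stop spoofed mail. The code below is an added example, not the original post's code or its Email Security Checker, and it shows the weak form of each record next to the corrected one. The records are constructed; a real check would fetch the domain's TXT record and the _dmarc.<domain> TXT record from DNS. DKIM is left out because checking it needs the selector and a signed message. The SPF lookup count covers only the terms written in the record itself, not the records its includes pull in, so it is an approximation.

```python
"""Spot weak SPF and DMARC records before relying on them as a backstop.

Added example, not code from the original post. The records below are
constructed; a real check reads them from DNS (the domain's TXT record for
SPF, _dmarc.<domain> for DMARC). Lookup counting here is direct terms only.
"""
import re

# Constructed records: the weak setting beside the corrected one.
WEAK_SPF = "v=spf1 include:_spf.mailer.example include:crm.example a mx ~all"
STRONG_SPF = "v=spf1 include:_spf.mailer.example -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@intrasec.example"

# Mechanisms that each cost one of the 10 DNS lookups SPF allows (RFC 7208 section 4.6.4).
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")


def assess_spf(record):
    """Return a list of problems with an SPF TXT record (empty means it is fine)."""
    if not record.startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell your senders from spoofers"]
    terms = record.split()[1:]
    problems = []
    # Strip the qualifier (+ - ~ ?) and any argument to get the bare mechanism name.
    lookups = 0
    for term in terms:
        mech = re.sub(r"^[+\-~?]", "", term).split(":")[0].split("=")[0].split("/")[0]
        if mech in LOOKUP_MECHS:
            lookups += 1
    if lookups > 10:
        problems.append(f"{lookups} lookup terms: over the limit of 10, receivers treat this as permerror")
    last = terms[-1] if terms else ""
    if last in ("+all", "all"):
        problems.append("+all: anyone may send as your domain")
    elif last == "?all":
        problems.append("?all: neutral, spoofed mail is neither passed nor failed")
    elif last == "~all":
        problems.append("~all: softfail only; use -all once every real sender is listed")
    elif last != "-all":
        problems.append("no 'all' term: unlisted senders get a neutral result")
    return problems


def assess_dmarc(record):
    """Return a list of problems with a DMARC TXT record (empty means it is fine)."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: receivers will not act on SPF/DKIM failures for your domain"]
    problems = []
    p = tags.get("p", "")
    if p == "none":
        problems.append("p=none: monitor only, spoofed mail is still delivered")
    elif p == "quarantine":
        problems.append("p=quarantine: spoofed mail lands in spam; move to p=reject once reports are clean")
    elif p != "reject":
        problems.append(f"p={p or '(missing)'}: not a valid policy")
    pct = tags.get("pct", "100")
    if pct != "100":
        problems.append(f"pct={pct}: policy enforced on only {pct}% of failing mail")
    if "rua" not in tags:
        problems.append("no rua=: without aggregate reports you cannot see who is spoofing you")
    return problems


if __name__ == "__main__":
    for label, rec, fn in (("weak SPF", WEAK_SPF, assess_spf), ("strong SPF", STRONG_SPF, assess_spf),
                           ("weak DMARC", WEAK_DMARC, assess_dmarc), ("strong DMARC", STRONG_DMARC, assess_dmarc)):
        print(f"{label}: {fn(rec) or 'ok'}")
```

The usual path from the weak records to the strong ones is to turn on rua= reporting first, use the reports to find every legitimate sender that SPF is missing, and only then move to -all and p=reject; jumping straight to reject before that is how a team's own invoices start bouncing.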
