10 Steps to Creating a Corporate Phishing Awareness Program

Post on 12-Feb-2017


Phishing awareness programs help enterprises protect themselves from phishing scams and breaches. It’s a highly effective way of educating employees and helping them spot phishing attacks.

The ins and outs of such a program depend very much on the company, but here’s a basic outline of a typical program to give you an idea of what’s involved.

1. Write a phishing e-mail that is realistic, current, and relevant and isn’t psychologically damaging to your staff.

2. Run that e-mail through the appropriate departments (such as HR and legal) to get approval, which will likely involve edits and new iterations.

3. Ensure your lists are updated—adding new hires and removing those who have left the company.

4. Prepare a proper educational landing page for people who click on the phish.

5. Load the system you will use with the e-mail lists, phishing e-mail, and landing pages.

6. Schedule and test the sending of the e-mail.

7. Ensure the e-mail is sent without any problems.

8. Collect all data, which might include number of clicks, number of people who report the phish, and so on.

9. Report on the data, giving information in regard to positive or negative trends.

10. Repeat the process each month or quarter.
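As an added example (not part of the original infographic), here is the bookkeeping behind steps 3, 8 and 9 in Python: reconciling the target list against the HR roster, and turning each campaign's click and report counts into a period-over-period trend report. The roster names and campaign counts are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass
class Campaign:
    period: str     # month or quarter the simulated phish went out
    sent: int       # e-mails confirmed delivered
    clicked: int    # recipients who clicked and reached the landing page
    reported: int   # recipients who reported the phish to security

def reconcile_list(current: Set[str], hr_roster: Set[str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Step 3: the HR roster is authoritative; return the refreshed list plus
    the new hires added and the leavers removed, for the audit trail."""
    return set(hr_roster), hr_roster - current, current - hr_roster

def rates(c: Campaign) -> Dict[str, float]:
    """Click and report rates as percentages of e-mails actually sent."""
    if c.sent <= 0:
        raise ValueError(f"{c.period}: no e-mails sent, nothing to report")
    return {"click": round(100 * c.clicked / c.sent, 1),
            "report": round(100 * c.reported / c.sent, 1)}

def trend_report(campaigns: List[Campaign]) -> List[str]:
    """Steps 8-9: one line per period; a period is 'positive' when clicks fell
    and reports rose, 'negative' when neither improved, otherwise 'mixed'."""
    lines, prev = [], None
    for c in sorted(campaigns, key=lambda x: x.period):
        r = rates(c)
        verdict = "baseline"
        if prev:
            clicks_down, reports_up = r["click"] < prev["click"], r["report"] > prev["report"]
            verdict = ("positive" if clicks_down and reports_up else
                       "negative" if not clicks_down and not reports_up else "mixed")
        lines.append(f"{c.period}: clicked {r['click']}%, reported {r['report']}% ({verdict})")
        prev = r
    return lines

# Constructed sample data, not taken from any real programme.
ROSTER_LAST_QUARTER = {"ana", "ben", "cai", "dee"}
HR_ROSTER_NOW = {"ana", "ben", "dee", "eli"}        # cai left, eli joined
CAMPAIGNS = [Campaign("2017-Q1", 400, 120, 30),
             Campaign("2017-Q2", 410, 82, 61),
             Campaign("2017-Q3", 405, 90, 70)]

if __name__ == "__main__":
    targets, added, removed = reconcile_list(ROSTER_LAST_QUARTER, HR_ROSTER_NOW)
    print(f"targets={sorted(targets)} added={sorted(added)} removed={sorted(removed)}")
    print("\n".join(trend_report(CAMPAIGNS)))
```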

As you can see, this is not a part-time job. Maybe you can hire someone to help you run this program internally or you might have someone on staff that is perfect for the job. But if you don’t have the staff, skill, or desire to run a phishing program internally then a consultant will be able to run it for you.

For more on setting up and running a corporate phishing program, check out Phishing Dark Waters: The Offensive and Defensive Sides of Malicious E-mails by Christopher Hadnagy and Michele Fincher.