TL;DR:
- 91% of successful data breaches start with a phishing email — your people are the target
- Free tools like Google’s Phishing Quiz and NCSC resources are a legitimate starting point
- Simulated phishing campaigns are the most effective way to build real-world skills
Phishing training is the single highest-return investment a small business can make in security. Attackers don’t need to break through your firewall — they just need one employee to click a convincing email. According to Verizon’s Data Breach Investigations Report, over 90% of successful breaches involve a human element. The NCSC’s UK data tells the same story. The good news: trained employees catch attacks that technology misses.
Why your employees are the biggest risk (and your best asset)
No spam filter is perfect. AI-generated phishing emails now pass basic grammar checks, impersonate real suppliers, and reference details scraped from LinkedIn. A well-crafted message asking an accounts team member to approve a supplier payment looks completely legitimate — and the technology won’t catch it.
Untrained staff aren’t careless. They’re simply not shown what to look for. The mental shortcuts that make people efficient at their jobs — trusting an email from the boss, acting on urgent requests — are exactly what attackers exploit.
The flip side: a trained employee who pauses on a suspicious email is the best possible defence. They catch attacks before the click happens, and they’re immune to the AI-polish that fools spam filters.
Common phishing red flags to teach your team: urgency and pressure (“confirm this payment in the next hour or the account will close”), a display name that doesn’t match the actual email address, domain lookalikes (“rn” instead of “m”, extra hyphens, added words like “invoice-supplier.co.uk”), and requests that skip normal process — a CEO asking you to buy gift cards, or a supplier suddenly changing bank details.
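The red flags above (a display name that contradicts the real sender address, "rn"-for-"m" and hyphen or added-word lookalike domains, and pressure wording that skips normal process) can be checked mechanically before a human ever looks at the message. The following is an added example written for this article, not a tool from any vendor named here: it scores a handful of constructed sample messages against those flags, assuming a small allow-list of domains the business expects mail from (`TRUSTED_DOMAINS`, a placeholder you would replace with your own suppliers and your own domain).

```python
import re

# Assumption (not from the article): the domains this business legitimately receives mail from.
TRUSTED_DOMAINS = {"supplier.co.uk", "yourcompany.co.uk"}

# Wording that signals the "urgency and pressure" and "skip normal process" red flags.
PRESSURE_PATTERNS = [
    r"\bwithin the next hour\b",
    r"\bimmediately\b",
    r"\baccount will (?:be )?close",
    r"\bgift cards?\b",
    r"\b(?:new|updated|changed) bank details\b",
]


def parse_from(header):
    """Return (display_name, address) from a From: header.

    Deliberately simple: the real address is whatever sits in the LAST <...>
    pair, so a display name that itself contains a fake address stays part of
    the name instead of being mistaken for the sender.
    """
    m = re.match(r'^\s*(.*?)\s*<([^<>\s]+@[^<>\s]+)>\s*$', header)
    if m:
        return m.group(1).strip('"'), m.group(2).lower()
    m = re.match(r'^\s*([^<>\s]+@[^<>\s]+)\s*$', header)
    if m:
        return "", m.group(1).lower()
    raise ValueError("unparseable From header: %r" % header)


def normalize_domain(domain):
    """Undo common lookalike tricks ('rn' for 'm', '1' for 'l', padding hyphens)
    so an imitation compares equal to the domain it imitates."""
    d = domain.lower()
    for trick, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(trick, real)
    return d.replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if the domain
    is either genuinely trusted or simply unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    nd = normalize_domain(domain)
    label = nd.split(".")[0]
    for t in trusted:
        nt = normalize_domain(t)
        tlabel = nt.split(".")[0]
        if nd == nt or edit_distance(nd, nt) <= 2:
            return t
        # "Added words": invoice-supplier.co.uk wraps the real name in extra text.
        if tlabel in label and label != tlabel:
            return t
    return None


def assess(message, trusted=TRUSTED_DOMAINS):
    """Score one message against the red flags; returns a list of readable
    flag strings (an empty list means nothing suspicious was found)."""
    flags = []
    name, addr = parse_from(message["from"])
    domain = addr.split("@", 1)[1]

    # Display name shows one address or domain while the real sender is another.
    for named_domain in re.findall(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", name):
        if named_domain.lower() != domain:
            flags.append("display-name mismatch: name shows %s but sender is %s" % (named_domain, domain))

    # Lookalike, typosquatted or padded domain.
    target = lookalike_of(domain, trusted)
    if target:
        flags.append("lookalike domain: %s imitates %s" % (domain, target))

    # Urgency, pressure, or a request that skips normal process.
    text = (message.get("subject", "") + "\n" + message.get("body", "")).lower()
    for pattern in PRESSURE_PATTERNS:
        m = re.search(pattern, text)
        if m:
            flags.append("pressure wording: %r" % m.group(0))
    return flags


# Constructed sample messages for this example; none of these are real mail.
SAMPLE_MESSAGES = [
    {"from": "Accounts <accounts@supplier.co.uk>",
     "subject": "Invoice 1042",
     "body": "Please find attached this month's invoice. Payment due on the usual terms."},
    {"from": '"Mark Jones <mark@yourcompany.co.uk>" <mark.jones@gmail-mail.com>',
     "subject": "Quick favour",
     "body": "I'm in a meeting, need you to buy gift cards for a client immediately."},
    {"from": "Supplier Billing <billing@invoice-supplier.co.uk>",
     "subject": "Updated bank details",
     "body": "We have changed bank details. Settle the open invoice within the next hour."},
    {"from": "accounts@supp1ier.co.uk",
     "subject": "Invoice 1043",
     "body": "Attached invoice for this month."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", assess(msg) or "no flags")
```

Only the first sample comes back clean; the other three trip exactly the flags the article lists, and the last one is caught purely by the "1"-for-"l" normalisation even though no wording in it is suspicious. Checks like this are a teaching aid and a triage hint, not a filter: a message with no flags still deserves the pause the article recommends.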
Free training platforms worth using
Google’s Phishing Quiz (phishingquiz.withgoogle.com) takes 10 minutes and shows examples of real phishing and legitimate emails side by side. It’s free, requires no account, and works well as an introduction for your whole team. Send the link at your next team meeting — it’s a genuinely good starting point.
NCSC’s free resources (ncsc.gov.uk) include tip sheets, training videos, and the excellent Exercise in a Box tool — a free, facilitated exercise that lets you simulate a cyber incident with your team. It’s government-produced, practical, and designed specifically for UK small businesses. Well worth an afternoon.
OpenPhish and PhishTank are community databases of known phishing URLs — useful for IT contacts who want to stay informed about current tactics.
Paid platforms that go further
If you want structured, ongoing training with tracking and reporting, paid platforms deliver significantly better outcomes.
KnowBe4 is the market leader for SMB security awareness training. It includes a large library of training modules, a built-in phishing simulator, and automated training assignment when someone fails a simulated attack. Pricing starts at around £20–30 per user per year. For a team of 10, that’s roughly £200–300 per year.
Proofpoint Security Awareness Training is particularly strong on email-based attacks and integrates well with Proofpoint’s email filtering products.
Curricula (now part of Huntress) targets small businesses with short, story-based training that employees actually complete. It’s designed for non-technical audiences and includes phishing simulations. It’s a good option for teams where low engagement is the main concern.
For a team under 20 people, KnowBe4’s starter tier or Curricula will give you everything you need.
Simulated phishing campaigns: the most effective training
Reading about phishing is useful. Getting safely caught by a fake phishing email is far more memorable.
A simulated phishing campaign sends realistic-looking fake phishing emails to your team from your training platform. Anyone who clicks is immediately redirected to a brief training page explaining exactly what they missed. Data is anonymised for staff but reported in aggregate for management.
Why simulations work: they create a consequence-free real-world experience, the immediate feedback at the moment of the mistake is far more effective than classroom learning, and repeated simulations build a habit of pausing before clicking.
What to avoid: publicly shaming individuals who click. Aggregate reporting keeps training constructive. The goal is building a culture where people feel comfortable reporting suspicious emails — not a culture where they’re afraid to admit mistakes.
How often should you train?
A one-time training session fades quickly. The research is clear: monthly touchpoints outperform annual training by a wide margin.
A practical schedule for a small business: quarterly full training modules (20–30 minutes) for the whole team, monthly short reminders — a tip, a real-world example from the news, or a quick quiz (5 minutes), and if you’re on a paid platform, one or two simulated phishing campaigns per month.
You don’t need a dedicated IT team to run this. Most paid platforms automate the scheduling entirely once you set it up.
What else makes training stick
Training effectiveness depends on culture as much as content. Build habits that reinforce it: a dedicated email address or Slack channel where employees can forward suspicious messages without judgement, visible acknowledgement when an employee flags a real phishing attempt (it reinforces the behaviour you want), and participation from the top — when the owner takes the training, the team takes it seriously.
The single change that most improves outcomes: making it easy and safe to report suspicious emails without fear of looking foolish.
Bottom line
Phishing training doesn’t require a big budget or an IT department. Start this week with Google’s Phishing Quiz for your team and bookmark the NCSC’s free resources. If you’re ready to invest, KnowBe4 or Curricula give you automated simulations that build lasting habits. A trained team is the security layer no vendor can sell you.