Phishing training for employees: how it works
Phishing training for employees is the most direct way to reduce the chance of a successful cyber attack. This article explains how it works, what it costs and what results you can expect.
Why are employees the primary target?
An often-quoted industry figure is that around 91% of cyber attacks begin with a phishing email. Mail filtering and other technical defences catch most bulk, automated phishing, but targeted phishing - spear phishing, CEO fraud, clone phishing - regularly slips through. At that point the employee is the only filter left.
Without training, employees click an average of 1 in 5 phishing messages in a first simulation. After targeted training this drops to 1 in 20 or fewer. That is the difference phishing training for employees makes.
How does phishing training for employees work?
- Baseline measurement (phishing simulation): Before training begins, CoBoo runs a phishing simulation. This establishes what percentage of employees currently click, which departments are most vulnerable and which lure scenarios are most effective against them.
- Training (Lumyo e-learning): Based on the simulation results, relevant e-learning modules are offered. Employees complete these at their own pace, on any device, without downloads. Modules take 10 to 15 minutes.
- Repeat measurement: After three to six months, a new simulation follows. The difference in click rate demonstrates concrete improvement - for employees, management, auditors and insurers alike.
What do employees learn in the training?
Recognition
How a phishing email looks: deceptive senders, suspicious links, urgency language and unexpected attachments.
Assessment
A step-by-step process to quickly assess whether a message is trustworthy - even if it appears to come from a known name.
Response
What to do with a suspicious message: don't click, don't forward, do report. Practised through real scenarios.
Types of phishing
Mass phishing, spear phishing, CEO fraud, smishing and vishing - each with its own characteristics to recognise.
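To make the Recognition and Assessment points above concrete, here is an added example (not part of the original article, and not CoBoo's or Lumyo's training material) that applies the same tells a trained employee is taught to check, but in code: sender domain versus the organisation's own domain, a Reply-To that points somewhere else, visible link text that does not match the real link target, and urgency or secrecy language. The sample message is constructed for the example; the trusted domain `example-corp.com`, the two-character lookalike threshold and the phrase list are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example-corp.com"  # assumption: the organisation's own mail domain

# Constructed sample, not a real message: CEO fraud with the tells the article lists.
SAMPLE_EMAIL = """\
From: "Anna de Vries (CEO)" <anna.devries@examp1e-corp.com>
Reply-To: ceo.urgent@mail-relay.example.net
To: finance@example-corp.com
Subject: URGENT: payment needed before 5pm
Content-Type: text/html; charset=utf-8

<html><body><p>I need you to act immediately. Confirm the transfer via
<a href="https://example-corp-login.attacker.example/verify">https://portal.example-corp.com/verify</a>
before end of day. This is confidential, do not discuss it with anyone.</p></body></html>
"""

URGENCY_PHRASES = ("urgent", "immediately", "before end of day", "confidential",
                   "act now", "final notice", "account will be closed")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Last two labels only; production code should use a public-suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def domain_of(target):
    """Registrable domain of an e-mail address or URL, '' if none is found."""
    if "@" in target and "://" not in target:
        return registrable_domain(target.rsplit("@", 1)[1])
    host = urlparse(target if "://" in target else "http://" + target).hostname
    return registrable_domain(host) if host else ""

def edit_distance(a, b):
    # Levenshtein distance, used to flag lookalike domains (examp1e vs example).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_message(raw, trusted_domain=TRUSTED_DOMAIN):
    """Return (code, detail) findings for the message; an empty list means no tell was found."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Deceptive sender: wrong domain, possibly a one-character lookalike.
    from_domain = domain_of(parseaddr(str(msg["From"] or ""))[1])
    if from_domain != trusted_domain:
        code = "LOOKALIKE_SENDER" if edit_distance(from_domain, trusted_domain) <= 2 else "EXTERNAL_SENDER"
        findings.append((code, f"From domain {from_domain!r} is not {trusted_domain!r}"))
    # 2. Replies silently redirected to a third domain.
    reply_addr = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(("REPLY_TO_MISMATCH", f"replies go to {domain_of(reply_addr)!r}"))
    # 3. Suspicious links: visible URL text that does not match the real target.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        shown, real = domain_of(text) if "." in text else "", domain_of(href)
        if shown and shown != real:
            findings.append(("LINK_TEXT_MISMATCH", f"text shows {shown!r}, link goes to {real!r}"))
        elif real and real != trusted_domain:
            findings.append(("EXTERNAL_LINK", f"link to {real!r}"))
    # 4. Urgency and secrecy language, counted on subject plus de-tagged body.
    haystack = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if len(hits) >= 2:
        findings.append(("URGENCY_LANGUAGE", ", ".join(hits)))
    return findings

if __name__ == "__main__":
    for code, detail in assess_message(SAMPLE_EMAIL):
        print(f"{code:20s} {detail}")
```

Run against the constructed sample, the script reports all four tells. The point is not that this replaces a mail gateway (which also has sender reputation, SPF/DKIM/DMARC results and URL rewriting to work with) but that the checks an employee is trained to make by eye are the same ones: who really sent it, where replies really go, where the link really points, and whether the message is pushing for speed and secrecy.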
What does phishing training cost?
Costs vary considerably by provider and approach. Lumyo works on a project basis for organisations of 20 to 250 employees. The price depends on the number of employees, the number of modules and the reporting required.
Perspective: estimates of the average cost of a successful cyber attack on an SME commonly fall in the range of €70,000 to €150,000. A full training programme for your organisation costs a fraction of that.
Results: what does phishing training deliver?
- 60-70% lower click rates after the first training round
- Significantly more reports of suspicious emails by employees
- Faster incident response by IT teams, because suspicious emails are reported while a campaign is still under way
- Documented evidence of security awareness training, which NIS2, ISO 27001 and GDPR audits ask for
- A stronger sense of shared responsibility for cybersecurity