Educating your employees about how to avoid phishing attacks

Version 2

    Hi all,

    Today's blog post is on the topic of how to educate your employees about how to avoid phishing attacks.

    Weak or stolen login credentials are the top cause of data breaches. According to research done in 2013 approximately 80% of security breaches came from getting someone's password - (see full article here). Eran Feigenbaum who is our Google for Work Director of Security says that this is mostly this is due to poor authentication.


    I’m going to make an assumption that the majority of readers of this blog already understand what phishing is and how to avoid it (if not check out this Google help centre article on the subject) and instead focus this post on a few simple tips for how to educate your employees to avoid such attacks.


    Many employees within your organisations might have heard the term ‘phishing’ but I bet that a lot of them haven't. Those that have heard the term might not understand what it means or that it is even something that could happen to them.


    If your organisation has not provided information or training to employees on this topic - I’d suggest that this is something that you along with people from your L&D or internal comms teams (if applicable) should consider doing sooner rather than later.


    Before you create your communications and training plan for your employees, firstly make sure you (as an IT administrator) have done the following:

    1. Enable and enforce 2 step authentication for the domain (instructions here)
    2. Ensure the workforce is using Chrome as the default browser (instructions here, reasons why here)

    Once you’ve done the above, it’s time to create a basic communications and training program for employees.


    I suggest creating a simple customised one page ‘cheat sheet’ that is going to resonate with the employees at your organisation. Keep the language simple and ‘non-techy’ and make it relevant to them in their day job.

    1. Explain the risk to the organisation and to them as individuals - e.g. What the impact would be if their usernames + passwords were exposed
    2. Show examples of strong vs. weak passwords, and remind people to never use their work password for other websites
    3. Explain how to set up 2-step authentication, and how to use it
    4. Highlight watchpoints employees should look out for e.g. requests via email for usernames, passwords, pin numbers or other personal information
    5. Show what employees should do if they think they have received a phishing email or document e.g. ‘report spam’, ‘report phishing’, contact their internal IT Team

    The best way to have people read and follow such instructions is if you tell a story and make the cheat sheet personal and customised for your organisation and users. You might do this by creating a persona or using a character that tells a story and shows what a real life example might be in the context of your organisation. You’ll also ensure more people pay attention to the communications if they are sent by company executives with a personal request from them to be vigilant about online security.

    Be creative about the channels that you use to distribute the cheat sheet:

    • Create posters and put them up in the lunch-room, in the elevators, in the bathrooms
    • Print it and drop a copy on each employees desk
    • Post on the intranet, G+ communities and blogs
    • Send via email (have either managers or company executives send the email for maximum chance of having people read it)
    • Have company executives and managers reference it during meetings and in their written communications


    1. Ensure that your IT team members know how to help employees set up 2-step authentication and how to troubleshoot and respond to FAQ's
    2. Ensure that training on how how to create secure passwords and how to set up 2-step authentication is made a part of new employees onboarding experience / training
    3. Make sure that people managers understand the importance of online security as well as how to setup and use 2-step authentication - so that they can help their team members work safely
    4. Consider establishing a ‘Security Champions’ program so that they can be the point person for education and answering questions from other employees within their part of the business. Have the champions do regular Q&A sessions for their peers and make sure they are trained up on all the latest news on the topic so they can respond to questions and provide guidance.

    Below are a couple of additional video resources which are available on this topic to help you educate your employees. Share these directly with your employees if you don’t have the time or resources to create something a bit more customised and personal - or use them for some inspiration so that you can package up a cheat sheet that is really tailored to your employees.

    It is essential that all employees at your organisation understand the importance of keeping both their personal and company data safe, and that this is their responsibility. The risks of not educating employees on this topic are very real so please do consider taking the above steps to improve your organisations chances of staying safe.


    I’d be very interested to hear from anyone who has run a communications or training program for their employees on this topic. What did you find worked well? What challenges did you face? What tips would you share with others who are considering how they are going to educate their employees on this topic?