One of the best "training" examples I've seen is this:
The company's IT department sends everyone an email that looks like it's from a shipping company. The message says the person needs to click the link asap to ensure their package will be delivered. (Or the email has another phishing-type message.)
- If you click the link, it goes to a company page that lets you know you just fell for a typical phishing email. And, of course, it reminds you about cybersecurity protocols.
- The company has an option embedded in Outlook for reporting a suspicious emails. If you do that, you get a message congratulating you for spotting the phish (with a quick reminder about cybersecurity protocols).
- I don't know what happens if a person doesn't click the link and doesn't report the email. Ideally, they would get a follow-up message at some point that reminds them about the report-phishing button.
In other words, they provide practice in a safe environment.
