
How To Outsmart Phishing And Social Engineering Attacks

Cybersecurity training for employees should focus on behavioral change

Barbara Babati, Marketing Manager at Hoxhunt

Helsinki, Finland – Nov. 18, 2020

An employee who does not receive continuous practical training or decides to ignore what is taught during awareness training can create an enormous risk for the company. However, if they do not have the right training, you can’t blame them for making a mistake.

To prevent incidents, cybersecurity training must focus on behavior change with two goals: employees must know how to identify online threats, and they must report potential threats, including mistakes they have already made, such as a link they clicked.

How behavior change helps with reducing risk

It’s not a surprise that people fall victim to phishing. Social engineering attacks utilize human psychology in their campaigns. When people are not aware of the persuasion techniques attackers use, they can easily fall for phishing emails.

People-centered training grounded in behavioral science can teach people to spot and report threats and keep them from falling victim to social engineering. Motivating people to support your defenses by reporting threats is the most effective approach and reduces human risk.

When people report phishing emails, they supply the incident response team with valuable intelligence on threats that got past the email filters. By combining the data you gather on people's performance in the training with the real threat reports, you can correlate the development of people's behavior with the reduction in organizational risk.
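As an added illustration of what "the data you gather around people's performance" can look like in practice (this is example code written for this article, not Hoxhunt's product or any code from the original page), the script below takes a constructed log of simulation outcomes and derives the numbers a security team would actually track: report rate, click (fail) rate, miss rate, how many minutes pass before the first report reaches the incident response team, and which users keep clicking and need targeted coaching. All names, campaigns and timestamps are made up; the event format is an assumption for the example.

```python
"""Turn phishing-simulation outcomes into trackable behaviour metrics.

Added example for this article; the data below is constructed, not taken
from the article or from any vendor's platform.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample data: one row per simulated phishing email delivered.
# Fields: (campaign, user, sent_at, outcome, reported_at). outcome is one of
# "reported", "clicked" or "ignored"; reported_at is None unless reported.
SIMULATION_EVENTS = [
    ("2020-09", "alice", "2020-09-07T09:00", "reported", "2020-09-07T09:04"),
    ("2020-09", "bob",   "2020-09-07T09:00", "clicked",  None),
    ("2020-09", "carol", "2020-09-07T09:00", "ignored",  None),
    ("2020-09", "dave",  "2020-09-07T09:00", "clicked",  None),
    ("2020-10", "alice", "2020-10-05T09:00", "reported", "2020-10-05T09:02"),
    ("2020-10", "bob",   "2020-10-05T09:00", "reported", "2020-10-05T09:40"),
    ("2020-10", "carol", "2020-10-05T09:00", "ignored",  None),
    ("2020-10", "dave",  "2020-10-05T09:00", "clicked",  None),
    ("2020-11", "alice", "2020-11-02T09:00", "reported", "2020-11-02T09:01"),
    ("2020-11", "bob",   "2020-11-02T09:00", "reported", "2020-11-02T09:10"),
    ("2020-11", "carol", "2020-11-02T09:00", "reported", "2020-11-02T10:30"),
    ("2020-11", "dave",  "2020-11-02T09:00", "ignored",  None),
]


def _minutes(start: str, end: str) -> float:
    """Minutes elapsed between two ISO-style timestamps (minute resolution)."""
    fmt = "%Y-%m-%dT%H:%M"
    delta = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
    return delta.total_seconds() / 60


def campaign_metrics(events):
    """Per-campaign rates and time-to-report, keyed by campaign name."""
    by_campaign = defaultdict(list)
    for row in events:
        by_campaign[row[0]].append(row)

    metrics = {}
    for campaign, rows in sorted(by_campaign.items()):
        total = len(rows)
        outcomes = [r[3] for r in rows]
        report_minutes = [_minutes(r[2], r[4]) for r in rows if r[3] == "reported"]
        metrics[campaign] = {
            "report_rate": outcomes.count("reported") / total,
            "fail_rate": outcomes.count("clicked") / total,
            # Neither clicked nor reported: the lure went unnoticed or unreported.
            "miss_rate": outcomes.count("ignored") / total,
            # How soon after delivery the incident response team first hears
            # about the lure; None when nobody reported it at all.
            "minutes_to_first_report": min(report_minutes) if report_minutes else None,
            "median_minutes_to_report": median(report_minutes) if report_minutes else None,
        }
    return metrics


def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for extra coaching."""
    clicks = defaultdict(int)
    for _campaign, user, _sent, outcome, _reported in events:
        if outcome == "clicked":
            clicks[user] += 1
    return {user: n for user, n in clicks.items() if n >= min_clicks}


def fail_rate_change(metrics):
    """Change in click rate from the first campaign to the last (negative means improving)."""
    ordered = [metrics[c]["fail_rate"] for c in sorted(metrics)]
    return ordered[-1] - ordered[0]


if __name__ == "__main__":
    results = campaign_metrics(SIMULATION_EVENTS)
    for name, values in results.items():
        print(name, values)
    print("repeat clickers:", repeat_clickers(SIMULATION_EVENTS))
    print("fail-rate change first->last:", fail_rate_change(results))
```

Two of these numbers matter more than the headline click rate. Minutes to first report tells you how much of a head start the incident response team gets on a real campaign that reaches the same inboxes, and the repeat-clicker list tells you where personalized follow-up training belongs. Plotting report rate per campaign next to the count of real, confirmed-malicious emails that users reported in the same month is the correlation the paragraph above describes.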

Psychology of behavior change

To successfully implement a program that results in behavior change, it’s good to understand the psychology of how people behave, what motivates them, and how to influence them.

Integrating psychology strategies such as influencing, shaping, and positive reinforcement into awareness training will teach employees appropriate online behavior and will diminish high-risk behavior.

Influencing

Influencing works in training when it builds on positive emotion. Cybersecurity playbooks often rely on fear as the primary influencing technique, but fear is a negative emotion and tends to create resistance. Other persuasion techniques, such as humor, expertise, repetition, intensity, and scientific evidence, are more effective at influencing people.

Beyond these techniques, the training needs to account for how motivation, individualism, and culture affect people's engagement, so that they actually adopt the correct cybersecurity behavior.

Good communication also matters when you want people to understand why they need to commit to participating in the training.

Shaping

To develop a habit, it's not necessary to change people's thinking.

Shaping uses a series of small steps and actions to modify the learner's behavior. The goal is to teach people to perform a particular action, here reporting a threat, by following a specific process. Through continuous, frequent practice, people start spotting dangerous emails and learn how to report them.

Positive reinforcement

Positive reinforcement is pivotal for training; it is powerful and effective in the long term. Shaping works best when paired with positive feedback, such as awards, rewards, scores, competition, leaderboards, recognition, or direct feedback on what the person did.

Feedback plays a vital role in positive reinforcement. A short training moment after a report tells people what they did right and which clues gave the email away, and that motivates them to report the next threat as well.

The necessary elements of behavior-changing training

Go beyond traditional awareness training and compliance-based training. Add a layer of continuous practical training that changes behavior and reduces risk.

There are at least seven elements to behavior-changing training:

1. Practical training

Practice is a must so that employees learn to spot and report the threats that get through the email filters. Simulations that mimic real threats prepare people to face actual attacks.

2. Continuous and frequent practice

A few simulations a year won't make a difference in how people retain what they learn. People need to receive simulations frequently to reinforce the correct security habit.

3. Personalized and relevant content

Training must be personalized and relevant to fit the needs, skills, and knowledge of the individuals. Other factors such as language, geography, culture, department, role in the organization, time spent in the organization, or even teams, collaborators, and tools used should be considered to make the training experience as engaging and realistic as possible.

4. Up-to-date attack simulations

Attackers keep coming up with new attack types, and new phishing emails can be hard to identify. Make sure the simulations reflect the latest attack types so that people stay informed and are better prepared to spot and report an actual attack.

5. Positive reinforcement

Integrating positive reinforcement into the training has a meaningful effect on people's emotions and their motivation toward the training.

Small steps, such as adding recognition, feedback, and micro-learning mechanisms, can motivate people to keep participating.

6. Integrated into the employee’s workflow

Employees often feel that security measures interfere with their workflow. It doesn't need to be that way: make reporting a simulation as seamless as spotting and reporting an actual threat in the inbox.

7. Simple reporting process

The reporting process must be easy and effortless, such as a report button in the mail client provided by a plugin or add-on. Even when people know they should report a threat, they may not do it if the process is as cumbersome as calling the service desk.

Build a strong cybersecurity culture for creating a resilient workforce

Building a strong cybersecurity culture is challenging. It takes the right mix of training and communication, and with both you can influence your employees' behavior, knowledge, and attitude. When people understand why safe online habits matter, for the company and for themselves in their personal lives, they are more motivated to participate in the training and to look out for threats.

Barbara Babati is Marketing Manager at Hoxhunt.

Sponsored by Hoxhunt

Our mission at Hoxhunt is to enable everyone to protect themselves from cybercrime. We want you to be able to protect yourself, your family and your company.

To date, changing employee behavior to a secure one has been incredibly hard. Organizations have tried pushing information to their employees in classrooms and in e-learning solutions. They have tested the results of these awareness campaigns with phishing tools and penetration tests, giving extra training only when an employee fails. Some of these methods are great for other purposes, such as e-learning for regulatory compliance, but the actual results in changing employee behavior show that the traditional methods of patching the human component do not work.

That is why we built Hoxhunt. We want to turn employees from a company’s weakest link into the strongest asset against cyber attacks. Our gamified platform trains employees against phishing attacks in a fun and engaging way.