Why phishing works so well on small teams
Most cyber incidents that hit UK small businesses start with an email, not a sophisticated hack. Attackers do not need to break your firewall; they need one distracted person to click a link, open an attachment or approve a payment. Small teams are attractive targets precisely because there is no security department, one person often controls the bank account, and everyone is too busy to scrutinise every message.
The traditional fix, an annual slideshow about spotting suspicious emails, does not work. People forget within weeks, and the examples are usually nothing like the phish they actually receive. What does work is little and often: short, realistic simulated phishing drills followed by a two-minute lesson at the exact moment someone slips up. The National Cyber Security Centre (NCSC) consistently ranks phishing among the most common attacks on UK organisations, so this is the highest-value security training a small firm can run.
Set the ground rules before you send anything
A phishing drill run as a gotcha destroys trust and teaches people to hide mistakes, which is the opposite of what you want. Before your first campaign, agree the rules in writing and get sign-off from whoever runs the business.
- Tell the team that simulations will happen as part of normal training. Do not say when.
- Never publish or discuss who clicked. Report team-level numbers only.
- Praise every report of a suspicious email, whether it turns out to be real, simulated or harmless.
- Ban cruel lures. Fake bonus announcements, redundancy notices or health scares generate resentment that outlasts any lesson.
- Make it clear nobody will be disciplined for clicking. The goal is a faster-reporting team, not a fearful one.
That last point is not softness; it is strategy. In a real attack, the person who clicked is your earliest possible alarm. If they are scared to speak up, malware gets hours of free run time.
Need a hand with this?
Our team delivers IT & Cyber Security for UK businesses — with a free initial consultation, transparent fixed quotes and no lock-in contracts. Tell us what you're working on →
Free and low-cost tools that do the job
You do not need an enterprise security budget. These options cover most small teams:
- Gophish. A free, open-source phishing framework you can self-host. It handles email templates, landing pages, scheduling and per-campaign statistics, and a technically confident person can be running campaigns within an afternoon.
- NCSC Exercise in a Box. Free tabletop exercises from the UK's national cyber authority, including phishing scenarios. Ideal for a team discussion rather than a live test.
- Microsoft Attack Simulation Training. Built into Microsoft 365 for tenants with Defender for Office 365 Plan 2, delivering realistic simulations straight into Outlook with follow-up training attached.
- Google's Jigsaw phishing quiz. A free, browser-based quiz that makes a good ten-minute warm-up in a team meeting.
- Small-business tiers from commercial platforms such as KnowBe4 or usecure, if you would rather pay a modest monthly fee than run your own tooling.
Whichever you choose, warn your email provider or IT support first so simulations are allow-listed properly and your domain does not end up flagged for sending phish.
Design drills people might genuinely fall for
Generic prize-draw emails teach nothing because nobody falls for them. Base your scenarios on messages your team really receives.
- A supplier invoice with updated bank details attached.
- A missed parcel delivery notification with a tracking link.
- A Microsoft 365 or Google Workspace password-expiry warning.
- A message that appears to come from the owner asking for an urgent payment or gift cards, sent from a lookalike address.
- A shared-document link from a familiar-sounding client name.
Start with easier lures and increase difficulty over months. One campaign every four to six weeks is plenty; more than that and people tune out. Stagger send times across the team so one early spotter does not skew the numbers, and vary the scenario each round.
Micro-training at the moment of failure
The training that sticks is the lesson delivered seconds after the mistake. Anyone who clicks should land on a short page that says, without judgement, that this was a simulation, then shows the three clues they missed with a marked-up screenshot of the email. Two minutes, done.
Back this up with a five-minute slot in a monthly team meeting where you show one real phishing email the business received that month and walk through the tells. Real examples from your own inbox beat any stock training library.
Finally, make reporting effortless. Enable the built-in report button in Outlook or Gmail, and remind the team that suspicious emails can be forwarded to the NCSC's Suspicious Email Reporting Service at report@phishing.gov.uk, with scam texts forwarded free to 7726.
Measure the trend, not the person
Click rate is the metric everyone fixates on, but it is the least useful on its own. A more complete picture comes from tracking three numbers per campaign, always at team level.
- Click rate: what share of the team interacted with the lure. Expect it to bounce around; the trend over six months matters more than any single result.
- Report rate: what share reported the email as suspicious. This is your best indicator of a healthy security culture, and you want it climbing.
- Time to first report: how quickly the first person raised the alarm. In a real incident this determines how fast the email can be purged from everyone else's inbox.
If the same person clicks repeatedly, offer quiet, kind coaching rather than escalation. Often they are simply the busiest inbox in the business.
Key Takeaway
Announce that simulations will happen, then run one realistic drill every four to six weeks using a free tool such as Gophish or the training built into Microsoft 365. Follow every click with a two-minute, judgement-free lesson, and track team-level report rate and time to first report rather than naming clickers. A team that reports suspicious email quickly is far safer than one that is merely afraid to click.
Make the clicks matter less
Drills reduce the number of dangerous clicks; controls limit the damage when one happens anyway. Pair your training programme with multi-factor authentication on every account, a password manager for the team, and SPF, DKIM and DMARC records on your own domain so criminals cannot easily spoof you. Add a hard rule that any change to payment details is verified by a phone call to a known number, and consider Cyber Essentials certification, which formalises these basics and can reduce insurance friction.
None of this needs a big budget, but it does need setting up correctly. If you would like a hand configuring email security or running your first drill, our team can help.
