27

Talked to my sister who works at a clinic in Portland about their new patient portal.

She mentioned they had to do a full security audit because one employee clicked a phishing link in a training email. It made me realize how much a single click can cost a whole business, not just one computer. What's the best way to run a fake phishing test for a small team without freaking everyone out?
3 comments

sagecooper
Ugh, that's so real. We did a simple one with a fake "free lunch sign-up" email from our own domain. The key was making the training after feel helpful, not scary. Just show people what to look for next time.
6
kimfisher 7d ago
Totally agree about making the training feel helpful. The shame spiral after someone clicks a fake test email is REAL and it just makes people hide their mistakes. We always frame it as "here's how that email tricked you, and here's the one thing to check for next time." It turns a failure into a useful clue for the future.
10
claire_davis31
Our IT team found that follow-up training within 24 hours of a click works best. People remember the specific email and the lesson sticks way better. It turns a quick mistake into lasting awareness.
2
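One way to run the follow-up the comments describe (training within 24 hours of a click, and a summary that reports rates rather than names) is to log the simulation's events and let a small script do the bookkeeping. The script below is an added example, not code from this thread; the event format, user ids, campaign name and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed event log for a hypothetical "lunch-signup" awareness campaign.
# One event per line: ISO timestamp, event kind, user id, campaign name.
EVENTS = """\
2024-05-06T09:00:00 sent u1 lunch-signup
2024-05-06T09:00:00 sent u2 lunch-signup
2024-05-06T09:00:00 sent u3 lunch-signup
2024-05-06T09:00:00 sent u4 lunch-signup
2024-05-06T09:12:00 clicked u2 lunch-signup
2024-05-06T09:20:00 reported u3 lunch-signup
2024-05-06T10:30:00 trained u2 lunch-signup
2024-05-06T11:05:00 clicked u4 lunch-signup
"""

# Follow-up training should happen within this window of the click.
FOLLOW_UP_WINDOW = timedelta(hours=24)


def parse_events(text):
    """Parse the log into (timestamp, kind, user, campaign) tuples."""
    events = []
    for line in text.splitlines():
        ts, kind, user, campaign = line.split()
        events.append((datetime.fromisoformat(ts), kind, user, campaign))
    return events


def campaign_summary(events, campaign, now):
    """Aggregate rates for the team, plus who still needs the 24-hour follow-up."""
    sent, reported, trained, first_click = set(), set(), set(), {}
    for ts, kind, user, camp in events:
        if camp != campaign:
            continue
        if kind == "sent":
            sent.add(user)
        elif kind == "clicked":
            first_click.setdefault(user, ts)  # only the first click matters
        elif kind == "reported":
            reported.add(user)
        elif kind == "trained":
            trained.add(user)
    untrained = {u: ts for u, ts in first_click.items() if u not in trained}
    return {
        "sent": len(sent),
        "click_rate": round(len(first_click) / len(sent), 2) if sent else 0.0,
        "report_rate": round(len(reported) / len(sent), 2) if sent else 0.0,
        # Still inside the window: schedule the follow-up now.
        "followup_pending": sorted(u for u, ts in untrained.items() if now - ts <= FOLLOW_UP_WINDOW),
        # Window missed: the lesson is already fading, prioritise these.
        "followup_overdue": sorted(u for u, ts in untrained.items() if now - ts > FOLLOW_UP_WINDOW),
    }
```

Only the two rates go in the team-wide write-up; the per-user lists are for whoever schedules the follow-up chat.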