Cybersecurity

Training your staff to spot phishing in 30 minutes

By Amit Kothari December 10, 2024

Here’s an uncomfortable truth: the most sophisticated firewall in the world won’t help if someone in your front office clicks on a malicious link. Most successful attacks on schools don’t involve hackers breaking through technical defenses. They involve someone being tricked.

Phishing works. That’s why attackers keep doing it.

Why traditional security training fails

You’ve probably seen the standard approach. Annual compliance training. Hour-long video modules. A multiple-choice quiz at the end. Check the box, move on.

It doesn’t work. Staff sit through the training, pass the quiz, and forget everything by the following week. When a convincing phishing email arrives, they click anyway.

The problem isn’t that people are stupid. The problem is that traditional training doesn’t change behavior. It’s designed for compliance documentation, not actual security improvement.

What actually works

Based on discussions with IT directors at ISSL schools, here’s what we’ve seen make a difference:

Keep it short and specific

Thirty minutes, once per quarter. That’s it. Don’t try to cover everything in one session. Focus on one or two specific techniques that attackers are currently using.

Teachers and staff are busy. Respect their time. A focused 30-minute session beats a comprehensive 3-hour training that nobody remembers.

Use real examples

Show actual phishing emails that have targeted schools. Not generic examples from a vendor’s slide deck - real attacks that hit real schools.

In the St. Louis area, we’ve seen phishing campaigns specifically targeting private schools. Gift card scams impersonating heads of school. Fake invoice requests targeting business offices. W-2 phishing during tax season.

When staff see examples that could actually appear in their inbox, the training becomes real.

Practice, don’t lecture

The most effective approach? Simulated phishing. Send fake phishing emails to your own staff and see who clicks.

This isn’t about catching people or punishing them. It’s about creating learning moments. Someone who clicks a simulated phishing link and immediately sees “this was a test - here’s what you missed” learns more than someone who sits through an hour of slides.

Several security vendors offer phishing simulation services. Some are expensive. Others are surprisingly affordable for school budgets. The investment is worth it.

Focus on the basics

You don’t need staff to understand the technical details of credential harvesting or man-in-the-middle attacks. You need them to develop simple habits:

Check the sender. Not just the display name - the actual email address. Does amit@tallyfy.com look different from amit@ta11yfy.com? The second one swaps the digit 1 for the letter l, which is easy to miss in a proportional font. Train people to look.

Hover before clicking. On desktop, hovering over a link shows where it actually goes. If the link text says “Microsoft Login” but the URL is something weird, don’t click. Watch for the trick where the real domain is buried in the middle: login.microsoft.com.something-else.net belongs to something-else.net, not Microsoft. On phones there is no hover, so long-pressing the link to preview the destination is the equivalent habit.

When in doubt, verify. If an email asks for sensitive information or urgent action, verify through a different channel. Call the person who supposedly sent it. Use a known phone number, not one from the suspicious email.

Report, don’t delete. Create a simple way for staff to report suspicious emails. A shared mailbox or button in their email client. Reports help you identify attacks in progress.
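The sender and hover checks above are mechanical enough to script. The following is an added example (not code from the article or from any vendor) that applies both checks to a raw email: it folds common digit-for-letter substitutions so that ta11yfy.com is recognised as a lookalike of tallyfy.com, and it compares the visible text of each link with the domain the link actually points to. The trusted-domain list and the sample message are constructed for illustration; a school would substitute its own domains.

```python
"""Phishing red-flag checker for the sender and hover checks (added example)."""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the school legitimately receives mail from or links to.
TRUSTED_DOMAINS = {"tallyfy.com", "microsoft.com"}

# Substitutions attackers use to build lookalike domains (digit 1 for l, etc.).
_CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize_domain(domain: str) -> str:
    """Fold confusable characters so 'ta11yfy.com' becomes 'tallyfy.com'."""
    d = domain.lower()
    for bad, good in _CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def registered_domain(host: str) -> str:
    """Last two labels of a host: 'login.microsoft.com.evil.net' -> 'evil.net'."""
    return ".".join(host.lower().split(".")[-2:])


def check_sender(from_header: str) -> list[str]:
    """The sender check: lookalike domain, or a display name borrowing a brand."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in TRUSTED_DOMAINS:
        return []
    flags = []
    if normalize_domain(domain) in {normalize_domain(t) for t in TRUSTED_DOMAINS}:
        flags.append(f"lookalike sender domain: {domain}")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name.lower():
            flags.append(f"display name claims '{brand}' but address is {addr}")
    return flags


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list[str]:
    """The hover check: does the link text match where the href really goes?"""
    parser = _LinkCollector()
    parser.feed(html)
    flags = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        target = registered_domain(host)
        # Link text that is itself a URL but resolves to a different domain.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registered_domain(shown.group(1)) != target:
            flags.append(f"link text shows {shown.group(1)} but goes to {host}")
            continue
        # Link text that names a trusted brand while the host is someone else's.
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in text.lower() and target != trusted:
                flags.append(f"link text mentions '{brand}' but goes to {host}")
    return flags


def analyze(raw_email: str) -> list[str]:
    """Run both checks over a single-part HTML email and return all red flags."""
    msg = message_from_string(raw_email)
    return check_sender(msg.get("From", "")) + check_links(msg.get_payload())


# Constructed sample resembling the fake-invoice lure described in the article.
SAMPLE_EMAIL = """\
From: Amit Kothari <amit@ta11yfy.com>
To: business-office@example-school.org
Subject: Urgent: overdue invoice
Content-Type: text/html

<p>Please review the attached invoice today.</p>
<p><a href="https://login.microsoft.com.evil-example.net/auth">Microsoft Login</a></p>
"""

if __name__ == "__main__":
    for flag in analyze(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

The sample message trips both checks: the sender domain normalises to a trusted one without being it, and the “Microsoft Login” link lands on evil-example.net. The same two comparisons are what you are asking staff to do by eye, which is a useful way to frame the training: the rules are simple, the hard part is remembering to apply them.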

The 30-minute session structure

Here’s a format that works:

Minutes 1-5: One real example. Show an actual phishing email. Walk through the red flags. Make it specific to roles in the room.

Minutes 6-15: The three checks. Teach the sender check, the hover check, and the verification call. Practice each one with examples.

Minutes 16-25: Interactive exercise. Show 5-10 emails. For each one, ask: real or fake? Why? Discuss as a group. Make it conversational, not lecture-style.

Minutes 26-30: What to do when you’re not sure. How to report suspicious emails. Who to contact. Reinforce that asking is always okay - nobody will be criticized for being careful.

What about that one person?

Every school has someone who keeps clicking. Despite training. Despite simulations. Despite everything.

Don’t give up on them. Extra training usually isn’t the answer. Instead:

  • Have a direct conversation about the risk
  • Consider technical controls for their account (stricter email filtering, limited access to sensitive systems)
  • Make reporting easier, not harder

Some people will always be more susceptible to social engineering. That’s human nature. Your security posture needs to account for it.

Beyond training

Training alone isn’t sufficient. It’s one layer in a defense strategy that should also include:

  • Email filtering to catch obvious phishing before it reaches inboxes
  • Multi-factor authentication so stolen passwords aren’t enough for access (prefer phishing-resistant methods such as FIDO2 security keys, since one-time codes and push prompts can themselves be phished)
  • Least privilege and network segmentation so one compromised account can’t reach everything
  • Offline or immutable backups, with restores tested, so ransomware isn’t catastrophic

But training is often the most cost-effective layer. A quarterly 30-minute investment in staff awareness prevents more incidents than most technical controls.

If you’re running IT at a St. Louis private school and want help developing an effective training program, we’re happy to share what’s worked at similar schools.