What Should I Tell Employees About Phishing?
Phishing awareness should not simply tell employees to “be careful.” It should teach them what suspicious messages look like, what to do when they are unsure and how to report without fear.
The best phishing guidance gives people a simple pause-check-report habit they can apply across email, chat, SMS, social media and collaboration tools.
Tell employees to watch for urgency, unexpected attachments, payment changes, login links, unusual sender behaviour, credential requests, external file links and pressure. Most importantly, tell them exactly how to report phishing.
Phishing messages to repeat
- Phishing is not always obvious: Teach people to check context, not just spelling or design.
- Urgency is a red flag: Encourage people to pause before acting on urgent requests.
- Sender names can be misleading: Check email addresses, domains and unusual tone.
- Unexpected links need caution: Hover, inspect and avoid signing in through unexpected links.
- Attachments can carry risk: Be careful with unexpected invoices, documents and compressed files.
In this guide
- 1. Phishing is not always obvious
- 2. Urgency is a red flag
- 3. Sender names can be misleading
- 4. Unexpected links need caution
- 5. Attachments can carry risk
- 6. Payment changes need verification
- 7. MFA prompts can be abused
- 8. Reporting is the safe action
- 9. No one should be shamed for reporting
- 10. Phishing can happen outside email
What Should I Tell Employees About Phishing?
Use this as a practical founder checklist. Each section turns the question into a behaviour, record, owner or action your team can actually use.
1. Phishing is not always obvious
Modern phishing can look polished, familiar and urgent.
What to do: Teach people to check context, not just spelling or design.
2. Urgency is a red flag
Attackers often use time pressure to stop people thinking.
What to do: Encourage people to pause before acting on urgent requests.
3. Sender names can be misleading
A familiar display name does not prove the message is safe.
What to do: Check email addresses, domains and unusual tone.
4. Unexpected links need caution
Links can lead to fake login pages or malicious sites.
What to do: Hover, inspect and avoid signing in through unexpected links.
5. Attachments can carry risk
Files may be used to deliver malware or collect information.
What to do: Be careful with unexpected invoices, documents and compressed files.
6. Payment changes need verification
Finance and founder impersonation are common business risks.
What to do: Verify payment or bank detail changes through a trusted second channel.
7. MFA prompts can be abused
Unexpected MFA prompts may indicate someone has a password.
What to do: Report unexpected prompts instead of approving them.
8. Reporting is the safe action
Employees should not investigate risky messages alone.
What to do: Forward or report suspicious messages through the approved route.
9. No one should be shamed for reporting
A no-blame culture improves early warning.
What to do: Thank people who report, even if the message turns out to be safe.
10. Phishing can happen outside email
SMS, social media, calls and chat messages can also be used.
What to do: Apply the same pause-check-report habit across channels.
How to Turn This Into Evidence
Security awareness becomes easier to prove when every topic has an owner, a simple action, a review date and a record of what was communicated.
| Awareness Area | Action to Take | Evidence to Keep |
|---|---|---|
| Phishing is not always obvious | Teach people to check context, not just spelling or design. | Owner, date, reminder/training record and supporting evidence |
| Urgency is a red flag | Encourage people to pause before acting on urgent requests. | Owner, date, reminder/training record and supporting evidence |
| Sender names can be misleading | Check email addresses, domains and unusual tone. | Owner, date, reminder/training record and supporting evidence |
| Unexpected links need caution | Hover, inspect and avoid signing in through unexpected links. | Owner, date, reminder/training record and supporting evidence |
| Attachments can carry risk | Be careful with unexpected invoices, documents and compressed files. | Owner, date, reminder/training record and supporting evidence |
| Payment changes need verification | Verify payment or bank detail changes through a trusted second channel. | Owner, date, reminder/training record and supporting evidence |
Which Next Step Fits?
If you need clarity
Use the quiz to identify visible security gaps across awareness, access, vendors, risk and evidence.
Take the quiz →If you need awareness structure
Use the toolkit to turn awareness into onboarding, reminders, scenarios, records and repeatable team behaviours.
View the awareness toolkit →If you need judgement
Book a consultation if awareness is connected to audit readiness, customer pressure or unclear security ownership.
Book a consultation →Security awareness next step
Turn security awareness into behaviour your team can repeat.
Use practical prompts, onboarding, phishing guidance, evidence records and reminders so awareness becomes part of how your startup works.
Get the Security Awareness ToolkitFind the gaps first
Not sure where awareness fits into your security gaps?
Use the security quiz to identify visible gaps across awareness, access, vendors, risk and evidence before customer or audit pressure makes them harder to fix.
Take the security quiz to identify gapsFrequently Asked Questions
What is the main phishing message employees need?
Pause, check and report. The reporting route should be clear and repeated often.
Should employees be blamed for phishing clicks?
No. Blame discourages reporting and can make incidents worse.
What CTA fits this page?
The Security Awareness Toolkit fits because phishing awareness needs examples, reminders and reporting guidance.