While supporting a central bank in the APAC region during a cybersecurity transformation program, we conducted a phishing simulation to assess awareness. A treasury employee quickly flagged a simulated phishing email targeting sensitive systems. Instead of focusing on missed detections, we highlighted their success in a client-wide communication. This positive reinforcement fostered a culture of vigilance. To sustain this, we introduced scenario-based training as part of the program, ensuring the team was equipped to tackle evolving threats with confidence and collaboration.

Combating phishing tactics requires a proactive, supportive approach. I focus on regular, up-to-date training to ensure my team stays informed about evolving threats. Simulating phishing attacks allows them to practice identifying suspicious emails in a safe environment. Creating an open communication culture is essential—employees should feel comfortable reporting potential threats without fear of blame. By building awareness, reinforcing vigilance, and fostering trust, I empower my team to respond confidently and effectively.

Generate mock system alerts to test response to suspicious network activity. Develop scripts and step-by-step guides to ensure consistency in simulations.

There are a few things we can do: 1 - Awareness, awareness, awareness. Train the teams to detect, act, and report a fishing suspicion, providing the right tools and channels. 2 - Develop and implement a phishing test program. This should include targets and metrics. 3 - Make sure to use a strong, reliable anti-fishing tool and always update it. 4 - Discuss the results of the tests with all teams, showing them what is working well and what needs to be improved. This is not a one-man show task. 5 - Finally, if people keep pushing the wrong buttons after all these actions "just because", then it´s time to start enforcing disciplinary measure.