Phishing Awareness That Actually Sticks

A just-in-time microlearning program that cut simulated phishing click rates by 52% in three months.

Microlearning · Behavior Change · Compliance

Role: Instructional Designer

Timeline: 3 months

Audience: ~2,000 office employees

Format: Microlearning + simulations

The Challenge

The annual hour-long security course was something employees clicked through and forgot. Phishing simulations still showed a 25% click rate, and security was treated as a once-a-year checkbox rather than a daily habit. The goal: change behavior, not just complete training.

The Solution

I replaced the once-a-year course with short, well-timed lessons built around real behavior:

Two-minute lessons

One focused tactic per lesson — spoofed senders, urgent-payment scams, fake login pages — each ending with a quick spot-the-phish check.

Teachable moments

Anyone who clicked a simulated phish landed on a calm, blame-free 30-second explainer showing the exact cues they missed — feedback at the moment it matters most.

A reporting habit

A one-click "Report phish" button plus light recognition made reporting easy and visible, turning employees into an active line of defense.

Results

  • 52% lower simulated click rate
  • 3x more phishing reports
  • 94% lesson completion

What I Learned

  • Feedback in the moment of the mistake beats any amount of upfront content.
  • Blame-free framing made people more willing to learn — and to report.
  • Small, frequent touchpoints changed habits where a yearly course never could.