American View: When is a person “fully trained” in phishing defence?

Responsible Business08 Apr 2025

Sometime last year — don’t remember exactly when — I got into a friendly argument with another security awareness professional about the desired “end state” for phishing defence training. We both agreed that there really isn’t any such thing; even after a user has mastered the fundamentals, phish continue to evolve with new lures, new technical tricks, and new ways of sneaking past perimeter defences. My pal proposed that phishing training can never end, and (most importantly for argument purposes) that it’s crucial to keep pounding on the basics. I countered that phishing defence training must evolve as the user’s skill and experience grow to keep pace. We never reached a mutually acceptable conclusion.

This disagreement came to mind over the weekend on a surprisingly personal level. I was keeping my puppy warm on the couch Saturday afternoon when my mother phoned out of the blue. Seemed I’d missed her “urgent” email and follow-on text messages (whoops!) so she was escalating direct to Tier 2 support like a good corpo.

Caught off guard, I asked for a moment to get up to speed. A quick glance at my inbox revealed the following:

An hour prior, my mother had received an “antivirus subscription” billing notification email that she thought looked suspicious.
Mum called her bank to validate that the charge had been made on her card.
Her bank’s fraud department confirmed that the charge had been made, but agreed that the payment processor seemed squiffy based on other clients’ complaints.
Mum agreed to the bank agent’s recommendation that her affected credit card be cancelled and a replacement provisioned just to be safe.

I’d really hate to hear that her teacher’s pension was going to pay for some h@x0r’s Elden Ring DLC. I already bought her that last Christmas.

Mum was anxious about the event and wanted to know if she’d done the right thing. I was proud to tell her that she’d done exactly the right thing. We went through the screenshotted email and checked off the parts that were suspicious:

The listed antivirus vendor and product were 100% correct on what application she used on her desktop. That product does have an annual subscription.
That said, the payment processor listed in the email was wrong. Mum should have been billed directly by the antivirus publisher, not by a third party.
The fact that mum had never dealt with anyone from the sender’s address or domain before set off warning bells.
The fact that mum hadn’t been warned or alerted before the subscription renewal went through was also a warning sign.
The fact that the “subscription renewal” email directed the recipient to contact the payment processor rather than the antivirus company itself also raised alarms.

All told, mum’s trained instincts were dead on. This subscription notice was flying too many red flags to trust at face value. She’d handled the situation exactly right: double check everything, don’t interact with the sender, report her concerns to her bank through known channels, and be prepared to endure a few weeks of annoying account updates for automated payments. She didn’t panic, didn’t respond to the scammer’s lure, and kept her cool. Good work, mum!

It would’ve been epic if she’d delivered a 1980s action movie hero quip after reporting the scam. Like “Go phish, %^&er!” Ah, well. Maybe next time…

What makes this delightful for me is that my mother isn’t an IT worker; she’s a retired history teacher. She had above-average computer skills compared to her pensioner friends since she’d used PCs at work and at home going back to the 1990s … but she’s not and has never been a “power user.” Fortunately, mum remembered what she’d been taught by her school district’s IT department and what we’d discussed about online safety during family dinners.^[1]

From a corporate trainer’s perspective, mum demonstrated her proficiency at this foundational security task. She recognized, disengaged from, and reported a suspicious email like it was her full-time job. In most any business, that would be evidence of the security department’s desired end state for phishing defence. Once the user demonstrated their capability to defend themselves, the awareness department could either continue to remind them of the fundamentals (my mate’s opinion), start teaching them advanced recognition content (my opinion), or both. What we’d never do is consider mum — or anyone else performing at her level — to be trained “enough.” There’s no such thing.

Cyber defence is a perishable skillset. More than that, though, it’s a skillset that requires constant refinement, not just reinforcement. Sure, there are new scam techniques to teach, but I feel strongly that’s only one part of the mission. Ultimately, I strongly believe that we should be regularly validating our users’ good performance and encouraging them to remain vigilant. Build our users’ confidence while we’re building their skill. We want our users to trust their instincts and to react defensively. We want them to stay engaged with security; to trust that we’ll always be there to support them. We want our users to view scam detection as a challenge instead of a futile struggle.

I’m happy for my mother’s handling of what might have been a well-crafted spearphish. Sure, it could have been legit (despite its unapologetic squiffyness) but the risk of assuming it was legit wasn’t worth further charges on a compromised credit card. I told her I was proud of her and did my best to encourage her to share her experience with her friends. To help bring their skill up to her level. Hopefully she will.

In the meantime, I’m going to send mum a few fun articles about phish designs. There’s always more to learn.

^[1] Yes, I bring up phishing and scams at the dinner table. Be warned if you were thinking of inviting me over.