Phishing 101

Phishing 101. What is it? Why should you care? How can training help?

Moni, part time Russian cybercriminal, up to mischief

For phishing awareness training or just for a chat, get in touch with us at main@cybermonkey.net.au

Code Monkey Cybersecurity’s Phishing Awareness Training
The Basics: $12.99 per person, per month, or $10.99 per person, per month (paid annually - save 15%)
✓ One simulated phishing email to each staff member approximately every 10 days
✓ Monthly reporting & analysis
✓ Free 1hr initial onsite education and introduction
✓ Simulated phishing attempts tailored to you based on publicly

Phishing is a social engineering attack. It is a method of hacking which exploits human psychology rather than technical vulnerabilities.

The name itself is revealing - it's derived from "fishing" with a deliberate misspelling that was common in early hacker culture. Just like fishing involves casting a wide net or many lines hoping for a bite, phishing usually involves sending deceptive emails to many potential victims, hoping some will take the bait.

What makes phishing effective comes down to human nature: we are naturally helpful, we respond to authority, we fear missing out, and we react emotionally to urgency. Phishing attacks exploit these psychological tendencies by crafting messages that trigger these responses before our critical thinking kicks in.

The typical phishing attack follows this pattern: An attacker sends an email, text message, or other communication that appears to come from a legitimate source - maybe it looks like it's from your bank, your employer, Amazon, or Microsoft. Typically, the message creates urgency or fear ("Your account will be closed!" or "Suspicious activity detected!") and includes a call to action that seems reasonable ("Click here to verify your account"). But that link doesn't go where it appears to go. Instead, it leads to a fake website controlled by the attacker, designed to steal your credentials or install malware.

What makes phishing particularly insidious from a cybersecurity perspective is that it bypasses most technical defences. You can have the best firewall, the most sophisticated intrusion detection system, and robust encryption, but if a user voluntarily hands over their credentials to an attacker, those defences become irrelevant. It's like having an impenetrable fortress but then opening the gate because someone dressed as a delivery driver asked nicely.
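The three traits just described (a sender that only looks legitimate, urgency language, and a link whose visible text points somewhere other than its real destination) are all things a mail filter or an analyst can check for. The script below is an added illustration, not Code Monkey Cybersecurity's own tooling, and it flags each of those traits in a raw email. Both sample messages are constructed, and every name, address and domain in them is hypothetical.

```python
"""Phishing indicator checker for a raw email message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_PHRASES = ("account will be closed", "suspicious activity",
                   "verify your account", "within 24 hours")
DOMAINISH = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; '' if the string has no scheme/host."""
    return (urlparse(url.strip()).hostname or "").lower()


def base_domain(host: str) -> str:
    """Last two labels of a hostname; crude (treats com.au as a brand) but enough here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def body_text(msg):
    """Return (html, plain) bodies; multipart messages are walked part by part."""
    html, plain = "", ""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        ctype = part.get_content_type()
        if ctype not in ("text/html", "text/plain"):
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            html += text
        else:
            plain += text
    return html, plain


def analyze(raw_message: str) -> dict:
    """Return {'findings': [(code, detail), ...], 'score': n} for one message."""
    msg = message_from_string(raw_message)
    findings = []
    # 1. Sender: the display name advertises one domain, the address uses another.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    claimed = DOMAINISH.search(display_name)
    if claimed and base_domain(claimed.group()) != base_domain(sender_domain):
        findings.append(("display_name_mismatch", f"name says {claimed.group()}, address is {addr}"))
    # 2. Replies are routed to a third domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" in reply_to and base_domain(reply_to.rsplit("@", 1)[-1]) != base_domain(sender_domain):
        findings.append(("reply_to_mismatch", reply_to))
    # 3. Links: the visible text names a host the href does not actually go to.
    html, plain = body_text(msg)
    collector = LinkCollector()
    collector.feed(html)
    for text, href in collector.links:
        shown = host_of(text) or (text if DOMAINISH.fullmatch(text) else "")
        if shown and base_domain(shown) != base_domain(host_of(href)):
            findings.append(("link_mismatch", f"{text} -> {href}"))
    # 4. Urgency language anywhere in the body (tags stripped, whitespace collapsed).
    words = " ".join(re.sub(r"<[^>]+>", " ", html + " " + plain).lower().split())
    hits = [p for p in URGENCY_PHRASES if p in words]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return {"findings": findings, "score": len(findings)}


# Constructed sample: hypothetical brand "example-bank.com" impersonated from another domain.
SAMPLE_MESSAGE = """\
From: "security@example-bank.com" <alerts@mail-notice.example>
Reply-To: replies@collect-inbox.example
To: staff@example.com.au
Subject: Suspicious activity detected on your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Suspicious activity detected. Your account will be closed within 24 hours
unless you verify your account.</p>
<p><a href="http://login.mail-notice.example/verify">https://www.example-bank.com/secure</a></p>
</body></html>
"""

# Constructed benign sample for comparison.
BENIGN_MESSAGE = """\
From: "Pat Lee" <pat.lee@example.com.au>
To: staff@example.com.au
Subject: Lunch on Friday
Content-Type: text/plain; charset="utf-8"

Hi all, lunch is at noon on Friday. See you there.
"""

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, analyze(raw))
```

Running it scores the constructed lure at 4 (every check fires) and the benign note at 0. The checks are heuristics: the domain comparison only looks at the last two labels, so a real deployment would use a public-suffix list, and the urgency phrases are a starting vocabulary rather than a complete one.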

Next, you'll want to know about Spear Phishing.

Spear Phishing 101
This builds on foundations which we covered in Phishing 101 (Phishing 101. What is it? Why should you care? How can training help? Code Monkey Cybersecurity, Henry Oliver). Now, let me build on that foundation to explain spear phishing. If regular phishing is like commercial fishing with a large net,

And Whaling.

Whaling 101
If you haven’t read Phishing 101 or Spear Phishing 101, you’ll want to do that. Now for the apex predator of phishing attacks - whaling. Following our fishing metaphor, if phishing catches whatever swims by and spear phishing targets specific fish, whaling goes after the biggest catches of all: senior

Why should small business care?

On average, Australian small businesses lose $50 000 per cybercrime incident.

The most common vector for this is some form of phishing. Typical phishing statistics are:

  1. First email click rates are 30-50%
  2. Follow-up or more targeted email click rates are 70-80%

Businesses consistently believe they understand cybersecurity better than they actually do.

Does phishing awareness training help?

Yes, continuous phishing awareness training works.

Training is not perfect, but it can be a safe, effective and high-quality layer in your cybersecurity controls. Unfortunately, the evidence shows that once training stops, the benefits largely disappear within 6 months.

Code Monkey Cybersecurity follows the evidence on what makes phishing training most effective, and we can make it effective for you too.

The evidence

There is some nuance, so if you want to know more please visit our Outline of the Current Best Evidence here:

Phishing Training Effectiveness: Evidence-Based Analysis
Summary Phishing awareness training vendors claim 40-86% reduction in susceptibility. Data shows skills begin to fade after 4 months without reinforcement. Despite measurable improvements in phishing recognition, 50% of successful attacks occur within 21 seconds of email arrival, with credential entry happening at 28 seconds. This is faster than conscious

You can also have a look at our analysis of What Works and Why:

Phishing Training: What Works and Why?
Phishing Training Effectiveness: Unpicking the apparent distance between academic evidence and vendor Marketing Claims Summary Academic research reveals a stark reality about phishing training effectiveness that contradicts vendor marketing claims. A groundbreaking 2025 study from UC San Diego analyzing 12,511 employees found that eight months of multi-modal phishing training

For a deeper dive into timing and frequency, see How Often We Send Training Emails:

How often do we send training emails?
When designing our evidence-based phishing awareness training program, we faced a critical question: how often should we test our clients? Too frequent, and we risk alert fatigue and resentment. Too sparse, and the training loses its effectiveness. After extensive research and careful consideration of the available evidence, we landed on

