Preparing your people for attack is not just about telling them! An artist wouldn't be able to paint a masterpiece after watching a couple of YouTube videos. These things take time and practice, which is why I believe exposing your people to phishing attacks in a safe environment best prepares them to recognise an attack and teaches them how to report it safely so that the threat can be removed for everybody.
Sometimes simulated phishing is used as a big stick to hit people with, forcing them to do training modules if they click the link. Whilst there might be some merit in that, I prefer a different approach that actually changes behaviours. There are three steps to this...
1. TELL PEOPLE THEY ARE BEING PHISHED!
Inform people that a phishing campaign is about to begin and give them very clear instructions about what you want them to do when they suspect they have received the phishing attempt: report it! Anybody who correctly identifies every email in the campaign is rewarded.
The 'game' is now set!
2. PHISH LIKE YOU ARE JOHN WILSON!
Over the course of 2 or 3 weeks, send a number of phishing emails to your people and track how many of them are reported. Remind people about the campaign and keep phishing.
Report the successes back to people and call out the top 'reporters'. Make them 'special agents' and reward them!
3. WATCH BEHAVIOURS CHANGE!
In the first two steps you have:
Taught people how to spot a phish
Told people how to report a phish
Created a lasting habit of reporting
Created a buzz around the office
Identified your future champions!
And nobody was made to feel naughty or punished in the process! Voila!