Phishing awareness training for UK SMEs

Most cyber attacks against UK SMEs start with a person, not a system. Phishing emails, impersonation calls and payment diversion fraud succeed because staff are targeted directly, bypassing technical controls entirely. However, this is not inevitable. With realistic simulation, role-specific training and a clear reporting process, your people become your strongest line of defence rather than your biggest vulnerability.

Why human layer security matters

Additionally, the results are measurable. Organisations running structured phishing awareness training programmes typically see click rates fall by up to three times over twelve months compared to training-only approaches. Furthermore, reporting rates increase significantly, giving security teams early warning of real attacks. As a result, Human Layer Security delivers behaviour change that your insurer, auditors and clients can see evidenced.

What the service covers

The service combines phishing simulation, social engineering assessment, targeted role-specific training and process controls. Moreover, it includes a clear reporting culture programme so staff know exactly what to do when something feels wrong. In contrast to generic annual compliance training, this programme is designed around the specific threats your sector and role types face. Consequently, behaviour changes in weeks rather than years.

Who this is for

Human Layer Security is designed for UK SMEs with 10 to 500 staff where a successful phishing attack or business email compromise would cause real operational or financial damage. Nevertheless, no prior security programme is required to get started. Instead, we begin with a baseline assessment that establishes your current susceptibility before any training is delivered.

Human Layer Security · Service

Your people are the target.
Make them your strongest defence.

Phishing awareness · Social engineering · Simulation · Behaviour change · Insider risk

Technology controls can filter, block and detect. But when an attacker calls your finance team pretending to be the CEO, or crafts a phishing email that bypasses every filter, your people are the last line of defence. Human Layer Security builds the habits, awareness and decision-making that technical controls cannot replace.

See where people fail What we cover How it works

NCSC-aligned awareness approach Realistic simulation, not checkbox training Behaviour change, not blame

Phishing simulation Awareness training Social engineering Vishing Business email compromise Insider risk Incident reporting culture

What we see in SME environments

Human-targeted attacks succeed not because staff are careless, but because attackers are skilled and training has been generic, infrequent or ineffective.

Annual compliance-style training that staff click through in 10 minutes and forget within a week
No recent phishing simulation, so nobody knows how staff actually respond to realistic attacks
Finance and HR teams with no specific training on payment diversion, invoice fraud or impersonation calls
No clear process for reporting suspicious emails, calls or messages, so staff stay silent when something feels wrong
Leadership exempt from training or simulations, creating an inconsistent culture around security expectations
New starters onboarded without meaningful security context before they have access to systems and data

Any sector 10 to 500 staff Remote and hybrid teams

74% Of data breaches involve the human element, including social engineering, errors and misuse. Technical controls alone cannot close this gap. Source: Verizon DBIR 2024.

60 seconds The median time for a phishing recipient to click a malicious link after delivery. Most incidents begin long before IT has had a chance to detect anything. Speed of human response matters.

3x Organisations with regular simulated phishing programmes see click rates drop by up to three times over 12 months compared to training-only approaches. Repetition builds instinct.

Reality check

How attackers exploit people, not just systems.

Modern social engineering is sophisticated, targeted and increasingly difficult to distinguish from legitimate communication. These are the patterns we see used most consistently against UK SMEs.

Key reality:
A single credential phished from one staff member can give an attacker access to email, cloud storage, finance systems and HR data simultaneously.

Spear phishing and credential theft

Targeted emails crafted using publicly available information about your business, staff and suppliers. Not mass spam, but personalised messages that reference real context. Designed to harvest credentials or deliver malware through a single click.

Generic awareness training does not prepare staff for this level of targeting.

Business email compromise

Attackers impersonate the CEO, a supplier or a trusted partner to redirect payments, change bank details or request urgent wire transfers. Often initiated by email, sometimes followed up by phone to add pressure. Finance teams are the primary target.

UK SMEs lose millions annually to BEC. Most incidents are preventable with the right processes and awareness.

Vishing and impersonation calls

Phone-based social engineering where attackers pose as IT support, HMRC, banks or senior colleagues. Used to extract credentials, approve transactions or bypass security controls. More effective than most people expect, particularly under time pressure.

Staff rarely receive any training on how to handle or verify unexpected calls requesting action.

Pretexting and manipulation

Long-form social engineering where attackers build a fabricated scenario over time: a fake supplier relationship, a new colleague onboarding, a regulatory enquiry. Used to build trust before making a request that would otherwise raise suspicion.

This approach is increasingly used against professional services, legal and finance firms.

Insider risk and over-sharing

Not always malicious: staff sharing files to personal cloud storage for convenience, forwarding sensitive documents to personal email, or misconfiguring permissions without realising. Accidental data exposure is far more common than deliberate insider threat.

Without clear policy and awareness, well-intentioned shortcuts create real data protection exposure.

Reporting gap and silence culture

Staff who click something suspicious often say nothing for hours or days out of embarrassment or fear of blame. Early reporting is critical: the difference between a contained phishing incident and a full breach is often measured in how quickly someone spoke up.

Building a reporting culture is as important as teaching staff to spot attacks in the first place.

Aware vs unaware

The same attack, two very different outcomes.

Awareness and process changes are the difference between a phishing email becoming a contained report or a full-scale incident. The attacker's effort is the same. The outcome is not.

Aware organisation

Finance manager receives an email from "CEO" requesting an urgent payment to a new supplier. The email address has one transposed letter. Staff member pauses, notices the domain mismatch, and calls the CEO directly using a known number to verify. Payment not made. Email reported to IT.

Staff member receives a call from "IT support" asking them to install remote access software. They recognise this as a known social engineering pattern from a recent awareness session, refuse the request, and report it within five minutes. IT confirms no such call was made.

New starter clicks a link in what looks like a DocuSign email. Lands on a credential harvesting page, notices the URL does not match, closes it and reports immediately. IT responds within 20 minutes. No credentials entered. Incident closed.

Unaware organisation

Finance manager receives the same email. Under pressure from end-of-month workload, processes the payment without calling to verify. Funds transferred to attacker account. Discovered three days later when the real supplier chases the outstanding invoice. Recovery unlikely.

Staff member receives the same "IT support" call. Installs the software as instructed. Attacker has remote access to the machine, harvests credentials, and uses them to access email and cloud storage over the following weekend. Breach discovered 12 days later.

New starter enters credentials on the fake DocuSign page. Stays silent for two days, hoping it was fine. By the time IT is informed, the attacker has used the credentials to access the company Microsoft 365 tenant, read email and exfiltrate a client data file.

The attacker did nothing different. The awareness and process did.

Human Layer Security is not about making staff infallible. It is about building the habits and processes that turn a potential incident into a report, and a full breach into a near miss.

Service scope

What Human Layer Security covers.

The service combines realistic simulation, targeted training and process improvement across the human attack surface. Not a compliance tick-box. A programme that changes behaviour.

Design principle:
Relevant, realistic and repeated. Generic annual training does not build instinct. Contextual, scenario-based programmes do.

Workstream 01

Phishing simulation programme

Realistic simulated phishing campaigns tailored to your organisation, sector and current threat landscape. Not off-the-shelf templates, but scenarios that reflect how attackers actually target businesses like yours. Campaigns run quarterly with increasing sophistication. Results benchmarked and tracked over time to show genuine behaviour change.

Discuss scope →

Workstream 02

Targeted awareness training

Short, scenario-based training sessions focused on the specific threats relevant to your sector and role types. Finance and HR teams receive targeted business email compromise and payment diversion content. Technical staff receive credential security and social engineering content. Leadership receive executive impersonation and pretexting scenarios. Not the same session for everyone.

Discuss scope →

Workstream 03

Social engineering assessment

Controlled vishing and pretexting exercises to test how staff respond to phone-based and multi-channel social engineering attempts. Conducted with full management authorisation and a clear debrief process. Findings used to identify specific role groups or processes that need targeted follow-up, not to name or blame individuals.

Discuss scope →

Workstream 04

Reporting culture and process

Design and implementation of a clear, low-friction process for staff to report suspicious emails, calls and messages. Includes a defined response workflow so staff receive acknowledgement and feedback when they report. Removes the silence culture that delays incident detection by hours or days. Metrics tracked to show reporting rate improvements over time.

Discuss scope →

Workstream 05

New starter and onboarding security

Security context built into the onboarding process before new staff have access to sensitive systems. Includes understanding of social engineering, acceptable use, and how to verify unexpected requests. Designed to be completed in the first two days, not as a standalone compliance module weeks after joining. Includes a specific module for staff with privileged access or financial authority.

Discuss scope →

Workstream 06

Payment and process controls review

Review of the specific processes most targeted by business email compromise: payment authorisation, supplier bank detail changes, payroll amendments and urgent transfer requests. Identification of missing verification steps, dual-authorisation gaps and escalation paths. Recommendations documented with clear ownership and implementation guidance.

Discuss scope →

How it works

From baseline assessment to measurable behaviour change.

A structured programme, not a one-off event. Human Layer Security is designed to build instinct over time through repetition and relevance, with clear metrics at each stage.

Baseline phishing assessment

We run an initial simulated phishing campaign before any training is delivered, to establish a genuine baseline click rate and reporting rate. This gives you a real picture of current susceptibility, not one skewed by prior awareness. Results are anonymised at individual level and reported by role group and department.

Risk profiling and programme design

Using the baseline results alongside your sector, role structure and any known prior incidents, we design a targeted programme. Finance, HR, leadership and technical staff receive different content. Simulation scenarios are drawn from real attacks against organisations in your sector, not generic templates.

Delivery: training, simulation and process

Role-specific training delivered in short sessions that can be completed in 20 to 30 minutes. Followed by quarterly phishing simulations with increasing sophistication. Social engineering assessment conducted if in scope. Reporting process designed and communicated to all staff. Payment process controls reviewed and documented.

Measurement and ongoing programme

After 6 and 12 months, click rates, reporting rates and assessment results are compared against baseline. You receive a clear picture of what changed and what still needs work. For organisations that want ongoing support, we offer a retained human layer programme covering quarterly simulations, refresher training and new threat briefings as the landscape evolves.

A typical engagement

From 34% click rate to 6% in twelve months.

A composite of UK SME engagements across professional services and transport sectors. Numbers are representative of real programme outcomes.

Profile:
80-person professional services firm, finance team of 6, no prior phishing simulation, annual compliance training only.

Month 1: baseline assessment

34% of staff clicked the simulated phishing link
4% reported the email as suspicious before clicking
Finance team had the highest click rate at 58%
No staff had received BEC-specific training
No formal process existed for reporting suspicious emails
Leadership were not included in prior training or simulations

Month 12: after the programme

6% click rate on quarterly simulations, down from 34%
41% reporting rate: staff proactively flagging suspicious emails
Finance team received targeted BEC training and process changes, including dual-authorisation for bank detail changes
Leadership completed the same simulations as all staff
One real phishing email caught and reported within 8 minutes of delivery
Reporting culture embedded: staff ask questions rather than staying silent

The numbers matter. But the culture change is what actually reduces risk.

A 41% reporting rate means the security team sees real attacks in near real time. That early warning is worth more than any reduction in click rate on its own.

What you get

Measurable outputs, not awareness theatre.

Every engagement produces concrete artefacts and metrics. Not a certificate of completion. Evidence of actual change in how your people think and respond.

Baseline and progress metrics

Click rates, reporting rates and assessment results tracked over time. You can demonstrate measurable improvement to insurers, auditors and clients.

Role-specific training content

Targeted sessions for finance, HR, leadership and technical staff. Short, scenario-based and immediately applicable. Not a generic module everyone clicks through.

Social engineering assessment report

Findings from vishing and pretexting exercises, anonymised at individual level, reported by role group. Identifies specific gaps to address with targeted follow-up.

Reporting process and playbook

A clear, documented process for staff to report suspicious activity, with defined response steps. Removes the ambiguity that leads to silence when something feels wrong.

Payment process controls

Documented improvements to payment authorisation, supplier bank detail change processes and urgent transfer workflows. Specific, implementable recommendations with clear ownership.

Board and insurer summary

Plain-language summary of programme activities, baseline versus current metrics, and forward programme. Suitable for cyber insurance renewal, board reporting and client due diligence requests.

Who this is built for

Right for your business if any of these are true.

Human Layer Security is most valuable where staff are regularly targeted, where a successful social engineering attack would cause real damage, and where existing awareness has been generic or infrequent.

Fit 01

Annual compliance training is your only awareness activity

If your current programme is a once-a-year module that staff complete in 10 minutes, it is not building the instinct needed to resist targeted phishing or social engineering. This service replaces it with something that actually changes behaviour.

Relevant if: No phishing simulation has been run in the last 12 months

Fit 02

Finance, HR or leadership handle high-value transactions or sensitive data

These roles are the most targeted by business email compromise and payment diversion fraud. Generic awareness training does not address the specific scenarios these teams face. Targeted content and process controls do.

Relevant if: Payment authorisation or payroll is handled by a small team

Fit 03

You have had a phishing incident or near miss in the last two years

A prior incident is a strong signal that current controls are insufficient. Whether credentials were compromised or an attack was narrowly avoided, a structured human layer programme addresses the root cause rather than hoping it does not happen again.

Relevant if: A phishing email was clicked or a suspicious call was acted on

Fit 04

Cyber insurance or client contracts require demonstrable awareness activity

Insurers increasingly ask for evidence of phishing simulation and awareness training, not just confirmation that something exists. A documented programme with tracked metrics provides the evidence needed for renewal, client security questionnaires and regulatory requirements.

Relevant if: Insurance renewal or client security audit is approaching

Related services and resources

Proactive Cyber Defence → Incident Response → IR readiness checklist →

Human Layer Security · DefendVista

Ready to make your people your strongest defence?

If your current awareness programme is a compliance exercise rather than a genuine behaviour change programme, Human Layer Security is where to start. Realistic simulations, role-specific training and measurable outcomes. No blame culture. No generic modules. Security awareness that actually sticks.

Book a scoping call Download IR readiness checklist

Designed for UK SMEs with 10 to 500 staff where social engineering, phishing or business email compromise is a realistic and costly threat. Or call: +44 (0)33 0122 4448

Your people are the target. Make them your strongest defence.

How attackers exploit people, not just systems.

Spear phishing and credential theft

Business email compromise

Vishing and impersonation calls

Pretexting and manipulation

Insider risk and over-sharing

Reporting gap and silence culture

The same attack, two very different outcomes.

What Human Layer Security covers.

Phishing simulation programme

Targeted awareness training

Social engineering assessment

Reporting culture and process

New starter and onboarding security

Payment and process controls review

From baseline assessment to measurable behaviour change.

Baseline phishing assessment

Risk profiling and programme design

Delivery: training, simulation and process

Measurement and ongoing programme

From 34% click rate to 6% in twelve months.

Measurable outputs, not awareness theatre.

Baseline and progress metrics

Role-specific training content

Social engineering assessment report

Reporting process and playbook

Payment process controls

Board and insurer summary

Right for your business if any of these are true.

Ready to make your people your strongest defence?

Your people are the target.
Make them your strongest defence.