Phishing Training Toronto | Northstar IT

Stop Cyber Attacks with Employee Phishing Training

Quarterly phishing simulations against your real users, short role-based training when they fall for one, and reporting that shows trend lines instead of vanity metrics. Insurers ask for this. Most clients don't have it.

What's included

Everything you need, none of the upsell.

Real deliverables, with the boundaries written down. So you know what you're paying for and what counts as extra.

Simulation

Realistic, varied, scheduled.

Quarterly campaigns with templates that match real phishing seen in the wild. Localized to Canadian context.

Training

Short, role-based.

Five to seven minute modules triggered when someone clicks. Finance, ops, and exec teams get different content.

Reporting

Trend lines, not gotchas.

Click rate, report rate, time-to-report. Tracked quarter over quarter. Improvement targets set and reviewed.

Compliance

Insurer-friendly.

Most cyber insurance policies now require documented training. Our reporting maps directly to questionnaire fields.

How it works

The order we work in.

A clear sequence so you can budget time, money, and risk against the work.

Step 01

Baseline.

First campaign with no warning, to establish a real starting click rate. We expect 15 to 30%. So do insurers.

Step 02

Train.

Click + train flow: anyone who falls gets a short module immediately. No public shaming.

Step 03

Iterate.

Quarterly campaigns with rising difficulty. Trend reporting shows whether training is sticking.

Step 04

Report.

Quarterly written summary plus annual board-ready output. Maps to insurance and audit questionnaires.

Get a quote on phishing & awareness training.

Tell us a bit about your environment and we'll come back with a scoped proposal in two business days. No obligation, no pressure.

What it actually means

Real behaviour change, not an annual checkbox.

Security awareness training has a reputation for being ineffective because most programs are: a 45-minute video once a year that staff click through to get the completion certificate and promptly forget. Phishing simulation and training works differently when it is run properly. You send realistic phishing emails to your actual staff on a quarterly basis, measure who clicks and who submits credentials, train the people who fall for it immediately while the lesson is relevant, and track the click rate over time to see whether behaviour is actually changing.

For a Prince George accounting firm with 18 staff, a realistic business email compromise simulation (a spoofed email from "the managing partner" asking for an urgent wire transfer) tests a very different set of behaviours than a generic "you've won a prize" phishing email. North Star builds simulations calibrated to the attack types relevant to your industry and staff roles. Finance staff get BEC simulations. IT staff get credential phishing for admin portals. Reception and admin staff get invoice fraud scenarios. The training that follows a failed simulation is short, specific to the attack they fell for, and delivered immediately rather than at the next scheduled training session.

What's included

Phishing simulation and training deliverables.

  • Quarterly phishing simulations: realistic phishing campaigns sent to all staff using a dedicated simulation platform. Campaigns rotate between credential phishing, BEC, invoice fraud, and attachment-based attacks.
  • Just-in-time training: staff who click a simulation link receive a short (5-10 minute) training module immediately, specific to the type of attack they fell for.
  • Role-based training curriculum: annual training modules assigned by role. Finance staff complete BEC and wire fraud modules. IT staff complete privileged access and social engineering modules. General staff complete foundational security hygiene.
  • Click rate tracking: baseline click rate measured in the first campaign, tracked quarterly. You see trend lines, not just a point-in-time number.
  • Reporting for insurers: quarterly simulation report showing campaign dates, staff counts, click rates, and training completion rates. Formatted to satisfy cyber insurance questionnaire requirements.
  • Manager dashboard: visibility into which departments have higher click rates so targeted coaching or additional training can be prioritized.
  • Incident reporting culture: staff are taught to report suspicious emails to IT using a one-click reporting button in Outlook, creating a feedback loop that improves detection.

Who this is for

Any business where a staff member clicking a phishing link causes real damage.

Phishing training is relevant for every organization with email-using staff. The industries in BC and Alberta where it matters most are those where a single successful phishing attack has disproportionate consequences: professional services firms where an email compromise leads to fraudulent wire transfers; oilfield services companies where a compromised account exposes contractor records and project bids; retail businesses where POS credentials are the gateway to payment data; and any business holding client information under BC PIPA or AB PIPA where a phishing-sourced breach triggers notification obligations to the privacy commissioner and affected clients.

According to the Verizon Data Breach Investigations Report, phishing is involved in a significant proportion of data breaches globally. In Canada, CIRA's cybersecurity survey data consistently shows phishing as the most common attack vector reported by Canadian organizations of all sizes. The risk is not theoretical. The question for most SMBs is whether their staff have ever been tested against a realistic simulation, and most have not.

Cyber insurance carriers in Canada increasingly require evidence of ongoing security awareness training, not a once-a-year completion record. They want to see quarterly simulation results and trend data showing that your click rate is declining over time. North Star's program produces exactly that documentation.

What it costs

Per-user annual fee, billed monthly.

Phishing simulation and training is priced per user per year, billed monthly, and covers four quarterly simulation campaigns and one full annual training curriculum. The rate scales with user count. It can be purchased as a standalone service or bundled into a managed cybersecurity plan. Volume discounts apply for organizations with more than 50 users. Contact North Star for a proposal based on your user count and your current insurer requirements.

Common questions

What clients ask before starting.

Will staff be upset when they fail a simulation?

Done right, phishing simulations are not punitive. The training that follows a failed click is presented as a learning moment, not a disciplinary action. We recommend communicating to staff upfront that simulations will happen, that the goal is to improve the organization's overall resilience, and that falling for a simulation is normal and expected at the start of a program. Most staff click rates drop significantly after the first two or three campaigns once they understand what to look for.

How realistic are the simulations?

Our simulations use the same techniques real attackers use: spoofed sender domains, lookalike domains, pretexts based on common business scenarios (IT password reset, HR policy update, CEO wire transfer request), and legitimate-looking landing pages that harvest credentials. We do not use obvious "click here to win a prize" templates that no real attacker would use. The goal is to test staff against the attacks they are likely to actually encounter.

How do we measure whether it is working?

We track click rate (percentage of staff who clicked the simulation link) and credential submission rate (percentage who entered a username and password) across every campaign. A successful program shows a declining trend in both metrics over six to twelve months. We also track training completion rates and report on departments or roles with above-average click rates so you can prioritize additional attention where it is most needed.
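As an added illustration, not code from North Star's platform or reporting, the metrics named above (and the report rate and time-to-report mentioned under Reporting) computed over a constructed two-quarter sample: per-campaign rates, the per-department breakdown used to target coaching, and a trend check that only counts as improvement when the report rate holds while click and credential rates fall. Department names, quarters and timings are invented sample data.

```python
from collections import namedtuple
from statistics import median

# One record per simulated email delivered. Constructed sample data, not real
# client results; ttr_min is minutes until the recipient reported it, None if never.
Delivery = namedtuple("Delivery", "quarter department clicked submitted ttr_min")
DELIVERIES = [
    Delivery("2024-Q1", "finance", True, True, None),
    Delivery("2024-Q1", "finance", True, False, 240),
    Delivery("2024-Q1", "finance", False, False, 15),
    Delivery("2024-Q1", "ops", True, False, None),
    Delivery("2024-Q1", "ops", False, False, 90),
    Delivery("2024-Q2", "finance", True, False, 30),
    Delivery("2024-Q2", "finance", False, False, 12),
    Delivery("2024-Q2", "ops", False, False, 20),
    Delivery("2024-Q2", "ops", False, False, 5),
    Delivery("2024-Q2", "finance", False, False, 8),
]

def campaign_metrics(rows):
    """Click, credential-submission and report rates for one campaign, plus the
    median time-to-report in minutes (None when nothing was reported)."""
    n = len(rows)
    reports = [r.ttr_min for r in rows if r.ttr_min is not None]
    return {
        "click_rate": round(sum(r.clicked for r in rows) / n, 3),
        "cred_rate": round(sum(r.submitted for r in rows) / n, 3),
        "report_rate": round(len(reports) / n, 3),
        "median_ttr_min": median(reports) if reports else None,
    }

def by_quarter(rows):
    # Metrics per campaign in chronological order: this is the trend line.
    quarters = sorted({r.quarter for r in rows})
    return {q: campaign_metrics([r for r in rows if r.quarter == q]) for q in quarters}

def department_click_rates(rows, quarter):
    """Per-department click rate for one quarter, worst first, to target coaching."""
    clicks = {}
    for r in rows:
        if r.quarter == quarter:
            clicks.setdefault(r.department, []).append(r.clicked)
    rates = {d: round(sum(c) / len(c), 3) for d, c in clicks.items()}
    return dict(sorted(rates.items(), key=lambda kv: kv[1], reverse=True))

def is_improving(trend):
    """True only if click and credential rates never rise quarter over quarter
    and the report rate never falls; a falling click rate alone is not enough."""
    qs = list(trend.values())
    return all(b["click_rate"] <= a["click_rate"] and b["cred_rate"] <= a["cred_rate"]
               and b["report_rate"] >= a["report_rate"] for a, b in zip(qs, qs[1:]))
```

The report-rate condition matters because a click rate can fall simply because staff delete everything unread, which is not the behaviour change an insurer or an incident responder wants to see.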

Does this satisfy CASL or privacy requirements?

CASL (Canada's Anti-Spam Legislation) applies to commercial electronic messages sent to external recipients, not to internal security training or simulation campaigns. Phishing simulations are internal communications. Training records and simulation results may be relevant as evidence of reasonable security safeguards under BC PIPA, AB PIPA, or PIPEDA in the event of an incident investigation. We provide documentation formatted to support that use.

Why North Star

Simulations calibrated to BC and AB business realities, not generic templates.

North Star is based in Prince George and serves businesses across BC, Alberta, and the Yukon. Our phishing simulations are designed around the attack scenarios relevant to Western Canadian SMBs: CRA impersonation emails targeting businesses during tax season, Microsoft 365 credential phishing targeting remote workers, oilfield contractor invoice fraud, and executive impersonation targeting finance staff. We do not use generic off-the-shelf templates that staff recognize immediately because they've seen the same ones three years in a row. The program tracks real behaviour change and produces the documentation that Canadian insurance carriers require at renewal time.

Frequently asked questions

What is included in a phishing training program?

A comprehensive program includes simulated email attacks, educational modules, and performance tracking. We send realistic but safe phishing emails to your staff to see how they respond. If someone clicks, they receive immediate training on what they missed. This hands-on approach is far more effective than traditional lectures because it teaches employees to recognise red flags in their actual workflow, significantly lowering your overall risk profile.

How often should employees receive security training?

Security training should be an ongoing process rather than a one-time event. Cyber threats evolve rapidly, and regular simulations keep security top of mind. We recommend monthly or quarterly phishing tests combined with annual formal training sessions. This cadence ensures that new employees are onboarded correctly and that long-term staff remain vigilant against new tactics like spear-phishing and social engineering attacks that target specific business departments or roles.

Can phishing training help with compliance?

Yes, many regulatory frameworks and insurance policies now require proof of regular security awareness training. By implementing our program, your business demonstrates a commitment to data protection. We provide detailed reporting that shows completion rates and improvement over time, which is essential for audits or when renewing cyber insurance. This helps ensure your organisation meets industry standards while protecting sensitive client information from unauthorized access through compromised credentials.

What happens if an employee fails a phishing test?

Failing a test is a learning opportunity, not a cause for punishment. When an employee clicks a simulated link, they are directed to a brief, interactive training page that explains the specific signs they overlooked. The goal is to build confidence and awareness. Our platform tracks these instances so management can see which departments might need extra support, allowing us to tailor future training to address specific vulnerabilities within your team.