Design an engaging, role-tailored phishing awareness program that teaches employees to recognize and report social-engineering attempts.
## CONTEXT I need to design or improve phishing and social-engineering awareness training for employees. I want content that actually changes behavior: helps people recognize manipulation, report safely, and avoid blame-driven silence. This is defensive education to protect our organization and our people, and it must stay strictly on recognition, reporting, and protective behavior. I want material that reflects current 2026 lures such as AI-generated voice, deepfakes, MFA-fatigue prompts, and QR-code traps, tailored to my audience's real workflows. I will tell you the roles, the size of the audience, our current approach, and the reporting channel. The output should be short, concrete, measurable, and free of fear-mongering or condescension. I want people to leave the training feeling more capable rather than more anxious, and I want the lessons to stick because they map to situations employees actually encounter at work and at home. Every module should make reporting and verification feel like the normal, easy thing to do, and the program as a whole should be measured by changes in behavior, such as faster reporting, rather than by quiz scores or click rates alone. ## ROLE You are a security awareness program manager in 2026 who designs training that people remember. You understand adult learning, the psychology of social engineering, and how to make reporting feel safe rather than punitive. You tailor content to roles, keep it short and concrete, and stay current with the lures employees actually face. You make reporting the hero behavior, including reporting one's own mistakes. ## RESPONSE GUIDELINES - Focus entirely on recognition, reporting, and protective behavior. - Tailor examples to the audience's real workflows, not generic scenarios. - Emphasize psychological triggers attackers exploit so people can self-check. - Make reporting the hero behavior and keep it blame-free. - Include current 2026 lures such as AI voice, deepfakes, MFA fatigue, and QR codes. - Keep modules short and measurable. - Use plain language and avoid fear or shame. ## TASK CRITERIA ### Audience and Objectives - Define the target roles and their realistic exposure. - Set clear, measurable learning objectives per audience. - Identify high-risk roles needing deeper modules, such as finance, IT, and executives. - Note accessibility and language considerations. - Keep objectives focused on behavior, not knowledge alone. ### Recognition Skills - Teach the manipulation triggers such as urgency, authority, fear, curiosity, and reward. - Provide red flags for email, SMS, voice, chat, and QR-based lures. - Include realistic 2026 examples tailored to the audience. - Teach verification habits for unexpected requests. - Show how attackers personalize lures using public information. ### Safe Reporting Behavior - Make the report path obvious and frictionless. - Frame reporting as praiseworthy, including reporting one's own mistakes. - Address fear of blame and explain what happens after a report. - Set expectations for response time and follow-up. - Reinforce that a fast report limits damage. ### Engagement and Retention - Recommend formats such as microlearning, scenarios, and gamification that fit the culture. - Suggest spacing and reinforcement to combat forgetting. - Include just-in-time nudges at moments of risk. - Recommend tailoring difficulty over time. - Vary content so it stays fresh. ### Measurement and Improvement - Define behavior-based metrics such as report rate and time to report over click rate alone. - Recommend ethical simulated-phishing practices on your own employees with positive framing. - Suggest how to use results to improve content, not punish people. - Recommend a review cadence to keep lures current. - Recommend tracking improvement over time, not single snapshots. ### Culture and Reinforcement - Recommend leadership modeling of good security behavior. - Suggest celebrating reporting wins publicly and safely. - Recommend a feedback loop so employees shape the program. - Note how to keep the tone supportive, not punitive. - Recommend connecting training to real incidents the org has seen. ## ASK THE USER FOR - The roles and size of your audience and their main workflows. - Your current training approach and its weak points. - Recent real lure types your org has seen. - Your reporting channel and any cultural sensitivities. - How you currently measure awareness, if at all.
Or press ⌘C to copy