Train your teams at the speed real threats move

Attackers no longer need a sloppy phishing template.

They can copy a supplier’s tone, imitate a business tool, mirror a known workflow and adjust the message until it looks ordinary. In SoSafe Live | In Action – Securing The AI Workplace, SoSafe Product Marketer Jasmine Jalava explained how attackers can test thousands of small variations until one gets through filters and persuades the person receiving it.

The speed gap is already visible. SoSafe’s Adaptive Defence Playbook found that the average organisation takes 19 days to update its human defence, while AI-driven attacks can change in seconds. The same report found that 97% of security leaders see AI as the main driver behind the recent shift in threat sophistication.

That changes security training.

For years, phishing awareness relied on visible warning signs: poor grammar, odd formatting, strange sender names and broken branding. Those clues still appear, but they are no longer enough.

Employees are no longer only asking, “does this look suspicious?” More often, they are asking, “is this real?”

Generic phishing templates age quickly

Traditional simulations can still teach useful habits. They fall short when the scenario has little connection to the way a team actually works.

That level of context makes the lure believable. A company-wide template cannot carry all of that nuance.

The gap appears when a team has to analyse a new threat, rebuild it manually, translate it, prepare a campaign and launch it weeks later. By then, employees may already be seeing a newer version in their inboxes.

Use real examples before they go stale

With SoSafe Recreate Attack, teams can take a screenshot of a phishing email and use it as the starting point for a simulation. They do not need an EML file. They upload the image, and the system extracts the text, identifies visual elements, recreates the structure and supports translation where needed. It also assesses difficulty, so the scenario can be used with the right audience.

Malicious links are replaced with a SoSafe learning page, so employees can practise the scenario safely.

It also removes work that slows teams down. Security teams do not need to rebuild HTML blocks or copy every design detail by hand. A real-world phishing attack can be turned into a company-wide simulation in under five minutes.

Build scenarios around company context

Teams do not always need to wait for an attack to arrive.

SoSafe AI Simulation Studio lets security teams prompt a scenario, adjust the difficulty and localise it into supported languages. It is useful when teams want full control and need a simulation shaped around their company’s context.

The most useful simulation is the one that feels plausible to the person receiving it.

A fake policy update fits HR or compliance. A travel-related message may be more relevant for employees who travel often. The lure works because it borrows trust from normal work.

SoSafe Multi-channel Simulations support targeting across channels such as email and SMS, with scenarios based on role, behaviour and risk profile.

Do not turn realism into a trap

Realistic simulations can backfire when people feel caught out.

Employees need safe practice, clear feedback and examples that help them make a better decision next time. A simulation should leave someone thinking, “I can see how that would happen in my work.”

That is why the follow-up matters. When someone interacts with a simulation, the learning page explains what happened and what to watch for next time. The tone needs to be useful, not punitive.

Reported emails can also become part of the learning loop. With SoSafe’s Phishing Report Button, employees can report suspicious emails directly from their inbox. Those reports appear in Threat Inbox, where security teams can review them, send feedback to the reporter and, where relevant, turn the reported email into a phishing simulation for the right audience.

That gives teams a practical way to move from reporting to reinforcement. Employees share what they are seeing. Security teams review the signal. The organisation turns real inbox activity into targeted practice.

Train on the threat while it is still recognisable

Attackers adapt the wording, channel and context. Training needs to stay close to the same conditions.

That means using recent examples, targeting teams by role and behaviour, giving feedback quickly and helping security teams move without rebuilding every campaign from scratch.

Employees do not need to be suspicious of everything. They need to pause at the right moment, check the context, verify through a trusted route and report when something feels off.

For security teams, that means less manual template work. For employees, it means practice that feels closer to their real inbox. For the organisation, suspicious messages have a better chance of being questioned before they become incidents.

Train your teams on the attacks reaching real inboxes, not yesterday’s generic templates.