Real Phishing Training That Changes Behaviour, Not Just an Annual Checkbox
Quarterly phishing simulations against your real users, short role-based training when they fall for one, and reporting that shows trend lines instead of vanity metrics. Insurers ask for this. Most clients don't have it.
Staff are the most reliable entry point for attackers. A convincing phishing email, impersonating a bank, a supplier, or internal IT, can bypass every technical control you have deployed if the person who clicks it has valid credentials and a real business reason to act. The defence is staff who recognise phishing and report it, reliably, across the whole organisation.
That does not happen from a 45-minute annual video. It comes from repeated exposure to realistic simulations, short training that sticks, and metrics that show trend lines rather than one-time pass/fail rates.
North Star, based in Prince George, BC, delivers quarterly phishing simulations, role-based awareness training, and quarterly reporting mapped to cyber insurance questionnaire fields, for businesses across British Columbia, Alberta, and Yukon.
What Is Included
Phishing Simulations, Realistic, Varied, Quarterly
Quarterly campaigns using templates that match real phishing seen in the wild, not obvious fakes that every trained employee spots. Templates are localised to Canadian context: CRA notifications, major Canadian banks, Canada Post, common SaaS platforms. Campaign schedule and templates are varied so staff cannot learn to recognise the pattern.
Role-Based Training Modules
Short (five to seven minute) training modules triggered immediately when someone clicks a simulated phishing link. Finance and accounts payable staff see scenarios involving invoice fraud and wire transfer requests. Executives see CEO fraud and board-level impersonation. Operations staff see supply chain and vendor compromise scenarios. Everyone gets relevant content, not the same generic module.
Click Rate and Trend Reporting
Click rate, report rate, and time-to-report tracked per campaign and per department. Trend over time, not just whether you passed the last one. Improvement targets set and reviewed quarterly. Quarterly written summary plus an annual board-ready output suitable for governance reporting.
Compliance Mapping
Most cyber insurance policies now require documented security awareness training. North Star's reporting maps directly to common insurer questionnaire fields, so renewal prep takes minutes, not days.
How It Works
Step 1, Baseline
First campaign with no prior warning to establish a real starting click rate. Expect 15-30% on a realistic first campaign. This is the number to improve, not a judgment on your staff.
Step 2, Train
Click-and-train flow: anyone who clicks a simulation link gets a short, role-specific training module immediately. No public shaming, no all-staff email naming names.
Step 3, Iterate
Quarterly campaigns with increasing template difficulty as your organisation's click rate improves. Templates updated to match current phishing trends. Reporting shows whether the training is producing durable improvement.
Step 4, Report
Quarterly written summary with trend data. Annual board-ready output. Insurer questionnaire mapping. Recommendations for departments or roles with persistently elevated click rates.
Who This Is For
- BC, Alberta, or Yukon businesses that know they need security awareness training but have not found a programme that produces measurable, lasting improvement
- Organisations required by their cyber insurer to demonstrate documented phishing simulation and awareness training
- Finance teams, healthcare providers, legal firms, and other organisations where a successful phishing attack could result in financial fraud or a data breach notification obligation
- IT managers who need a turnkey programme they can report on to leadership without managing the platform themselves
What buyers ask before they sign
Will staff resent being tested?
When it is framed correctly and delivered with the right tone, phishing simulation is received well. We recommend a brief communication to staff before the first campaign explaining what the programme is for, that training modules (not criticism) follow a click, and that the goal is to improve the organisation's resilience. Most staff appreciate it once they understand the purpose.
What if our click rate is very high?
High initial click rates are normal and expected. A 15-30% click rate on a realistic first campaign is typical for untrained staff. It is the baseline, not a failure. The programme's job is to reduce it over time, and the trend data shows whether it is working.
How long are the training modules?
Five to seven minutes per module. Short enough to complete without abandoning. Role-specific enough to be relevant. We do not deliver 45-minute generic videos that staff click through without retaining anything.
Do you offer in-person training?
Short, in-person or virtual kickoff sessions for leadership teams are available as an add-on. The core programme is online and self-paced.
What about new staff?
New staff are enrolled automatically as part of onboarding. They receive the baseline module when they join rather than waiting for the next quarterly campaign.
Does this satisfy cyber insurance requirements?
Yes. North Star's reporting format maps to the documented training and simulation requirements in standard Canadian cyber insurance questionnaires. We provide the documentation you need at renewal.
Why North Star
North Star is a Prince George-based cybersecurity provider serving businesses across Northern BC, BC, Alberta, and Yukon. Our phishing training programme is fully managed: you do not need to administer a platform, create campaigns, or generate reports. We run the programme, deliver the results, and map the output to your insurer's requirements. Training is localised to Canadian context, not US-centric templates that do not match what your staff actually see in their inbox.
Get a Quote on Phishing & Awareness Training
We will scope a programme for your user count, industry, and insurance requirements.
Call 672-983-1174 or request a quote online.
Tell us a bit about your environment and we'll come back with a scoped proposal in two business days. No obligation, no pressure.
Real behaviour change, not an annual checkbox.
Security awareness training has a reputation for being ineffective because most programs consist of a 45-minute video once a year that staff click through to get the completion certificate and promptly forget. Phishing simulation and training works differently when it is run properly. You send realistic phishing emails to your actual staff on a quarterly basis, measure who clicks and who submits credentials, train the people who fall for it immediately while the lesson is relevant, and track the click rate over time to see whether behaviour is actually changing.
For a Prince George accounting firm with 18 staff, a realistic business email compromise simulation (a spoofed email from "the managing partner" asking for an urgent wire transfer) tests a very different set of behaviours than a generic "you've won a prize" phishing email. North Star builds simulations calibrated to the attack types relevant to your industry and staff roles. Finance staff get BEC simulations. IT staff get credential phishing for admin portals. Reception and admin staff get invoice fraud scenarios. The training that follows a failed simulation is short, specific to the attack they fell for, and delivered immediately rather than at the next scheduled training session.
Phishing simulation and training deliverables.
- Quarterly phishing simulations: realistic phishing campaigns sent to all staff using a dedicated simulation platform. Campaigns rotate between credential phishing, BEC, invoice fraud, and attachment-based attacks.
- Just-in-time training: staff who click a simulation link receive a short (5-10 minute) training module immediately, specific to the type of attack they fell for.
- Role-based training curriculum: annual training modules assigned by role. Finance staff complete BEC and wire fraud modules. IT staff complete privileged access and social engineering modules. General staff complete foundational security hygiene.
- Click rate tracking: baseline click rate measured in the first campaign, tracked quarterly. You see trend lines, not just a point-in-time number.
- Reporting for insurers: quarterly simulation report showing campaign dates, staff counts, click rates, and training completion rates. Formatted to satisfy cyber insurance questionnaire requirements.
- Manager dashboard: visibility into which departments have higher click rates so targeted coaching or additional training can be prioritized.
- Incident reporting culture: staff are taught to report suspicious emails to IT using a one-click reporting button in Outlook, creating a feedback loop that improves detection.
Any business where a staff member clicking a phishing link causes real damage.
Phishing training is relevant for every organization with email-using staff. The industries in BC and Alberta where it matters most are those where a single successful phishing attack has disproportionate consequences: professional services firms where an email compromise leads to fraudulent wire transfers; oilfield services companies where a compromised account exposes contractor records and project bids; retail businesses where POS credentials are the gateway to payment data; and any business holding client information under BC PIPA or AB PIPA where a phishing-sourced breach triggers notification obligations to the privacy commissioner and affected clients.
According to the Verizon Data Breach Investigations Report, phishing is involved in a significant proportion of data breaches globally. In Canada, CIRA's cybersecurity survey data consistently shows phishing as the most common attack vector reported by Canadian organizations of all sizes. The risk is not theoretical. The question for most SMBs is whether their staff have ever been tested against a realistic simulation, and most have not.
Cyber insurance carriers in Canada increasingly require evidence of ongoing security awareness training, not a once-a-year completion record. They want to see quarterly simulation results and trend data showing that your click rate is declining over time. North Star's program produces exactly that documentation.
Per-user annual fee, billed monthly.
Phishing simulation and training is priced per user per year, billed monthly, and covers four quarterly simulation campaigns and one full annual training curriculum. The rate scales with user count. It can be purchased as a standalone service or bundled into a managed cybersecurity plan. Volume discounts apply for organizations with more than 50 users. Contact North Star for a proposal based on your user count and your current insurer requirements.
What clients ask before starting.
Will staff be upset when they fail a simulation?
Done right, phishing simulations are not punitive. The training that follows a failed click is presented as a learning moment, not a disciplinary action. We recommend communicating to staff upfront that simulations will happen, that the goal is to improve the organization's overall resilience, and that falling for a simulation is normal and expected at the start of a program. Most staff click rates drop significantly after the first two or three campaigns once they understand what to look for.
How realistic are the simulations?
Our simulations use the same techniques real attackers use: spoofed sender domains, lookalike domains, pretexts based on common business scenarios (IT password reset, HR policy update, CEO wire transfer request), and legitimate-looking landing pages that harvest credentials. We do not use obvious "click here to win a prize" templates that no real attacker would use. The goal is to test staff against the attacks they are likely to actually encounter.
How do we measure whether it is working?
We track click rate (percentage of staff who clicked the simulation link) and credential submission rate (percentage who entered a username and password) across every campaign. A successful program shows a declining trend in both metrics over six to twelve months. We also track training completion rates and report on departments or roles with above-average click rates so you can prioritize additional attention where it is most needed.
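As an added example (not North Star's platform or code), the following script computes the metrics this page describes, both in the "Click Rate and Trend Reporting" section and in the answer above: click rate, credential submission rate, report rate and median time-to-report per campaign and per department, the trend across campaigns, and the departments above the organisation-wide click rate. The per-recipient record format and the two quarters of sample results are constructed for illustration.

```python
# Added example (not North Star's code): computing the simulation metrics
# described on this page from per-recipient campaign results.
from collections import defaultdict
from statistics import median
from typing import NamedTuple, Optional


class Result(NamedTuple):
    """One recipient's outcome in one simulation campaign (assumed record format)."""
    campaign: str
    department: str
    user: str
    clicked: bool            # opened the simulated link
    submitted_creds: bool    # entered a username/password on the landing page
    reported_minutes: Optional[int]  # minutes from delivery to report; None if never reported


# Constructed sample data for two quarterly campaigns (not real results).
RESULTS = [
    Result("2024-Q1", "Finance", "fin-1", True, True, None),
    Result("2024-Q1", "Finance", "fin-2", True, False, 45),
    Result("2024-Q1", "Finance", "fin-3", False, False, 10),
    Result("2024-Q1", "Finance", "fin-4", False, False, None),
    Result("2024-Q1", "Operations", "ops-1", False, False, 5),
    Result("2024-Q1", "Operations", "ops-2", False, False, None),
    Result("2024-Q1", "Operations", "ops-3", True, False, None),
    Result("2024-Q2", "Finance", "fin-1", False, False, 20),
    Result("2024-Q2", "Finance", "fin-2", False, False, 8),
    Result("2024-Q2", "Finance", "fin-3", False, False, 12),
    Result("2024-Q2", "Finance", "fin-4", True, True, None),
    Result("2024-Q2", "Operations", "ops-1", False, False, 4),
    Result("2024-Q2", "Operations", "ops-2", False, False, 30),
    Result("2024-Q2", "Operations", "ops-3", False, False, None),
]


def validate(rows):
    """Reject impossible records: credentials cannot be submitted without a click."""
    for r in rows:
        if r.submitted_creds and not r.clicked:
            raise ValueError(f"{r.user} in {r.campaign}: submitted credentials without clicking")
    return rows


def department_metrics(rows):
    """Per (campaign, department): click rate, credential-submission rate,
    report rate and median minutes-to-report among those who reported."""
    groups = defaultdict(list)
    for r in validate(rows):
        groups[(r.campaign, r.department)].append(r)
    metrics = {}
    for key, rs in groups.items():
        n = len(rs)
        report_times = [r.reported_minutes for r in rs if r.reported_minutes is not None]
        metrics[key] = {
            "recipients": n,
            "click_rate": sum(r.clicked for r in rs) / n,
            "submit_rate": sum(r.submitted_creds for r in rs) / n,
            "report_rate": len(report_times) / n,
            "median_minutes_to_report": median(report_times) if report_times else None,
        }
    return metrics


def org_click_rate(rows, campaign):
    """Organisation-wide click rate for one campaign."""
    rs = [r for r in rows if r.campaign == campaign]
    return sum(r.clicked for r in rs) / len(rs)


def trend(metrics, department, metric):
    """One department's metric across campaigns, in campaign order, so the
    report shows a trend line rather than a single pass/fail number."""
    return sorted((c, m[metric]) for (c, d), m in metrics.items() if d == department)


def elevated_departments(rows, campaign):
    """Departments whose click rate exceeds the organisation-wide rate for
    that campaign: the candidates for targeted follow-up training."""
    org = org_click_rate(rows, campaign)
    metrics = department_metrics(rows)
    return sorted(d for (c, d), m in metrics.items() if c == campaign and m["click_rate"] > org)


if __name__ == "__main__":
    metrics = department_metrics(RESULTS)
    for (campaign, dept), m in sorted(metrics.items()):
        print(campaign, dept, m)
    print("Finance click-rate trend:", trend(metrics, "Finance", "click_rate"))
    for campaign in ("2024-Q1", "2024-Q2"):
        print(campaign, "above org average:", elevated_departments(RESULTS, campaign))
```

Two design points carry over to a real report. Report rate and time-to-report are computed over everyone who received the email, not only those who clicked, because the behaviour the programme wants to grow is reporting, and a recipient who reports without clicking is the best outcome. The trend function keeps one row per campaign rather than averaging across quarters, since insurers and boards want to see the direction of change, which an average hides.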
Does this satisfy CASL or privacy requirements?
CASL (Canada's Anti-Spam Legislation) applies to commercial electronic messages sent to external recipients, not to internal security training or simulation campaigns. Phishing simulations are internal communications. Training records and simulation results may be relevant as evidence of reasonable security safeguards under BC PIPA, AB PIPA, or PIPEDA in the event of an incident investigation. We provide documentation formatted to support that use.
Simulations calibrated to BC and AB business realities, not generic templates.
North Star is based in Prince George and serves businesses across BC, Alberta, and the Yukon. Our phishing simulations are designed around the attack scenarios relevant to Western Canadian SMBs: CRA impersonation emails targeting businesses during tax season, Microsoft 365 credential phishing targeting remote workers, oilfield contractor invoice fraud, and executive impersonation targeting finance staff. We do not use generic off-the-shelf templates that staff recognize immediately because they've seen the same ones three years in a row. The program tracks real behaviour change and produces the documentation that Canadian insurance carriers require at renewal time.
Frequently asked questions
What is included in a phishing training program?
A comprehensive program includes simulated email attacks, educational modules, and performance tracking. We send realistic but safe phishing emails to your staff to see how they respond. If someone clicks, they receive immediate training on what they missed. This hands-on approach is far more effective than traditional lectures because it teaches employees to recognise red flags in their actual workflow, significantly lowering your overall risk profile.
How often should employees receive security training?
Security training should be an ongoing process rather than a one-time event. Cyber threats evolve rapidly, and regular simulations keep security top of mind. We recommend monthly or quarterly phishing tests combined with annual formal training sessions. This cadence ensures that new employees are onboarded correctly and that long-term staff remain vigilant against new tactics like spear-phishing and social engineering attacks that target specific business departments or roles.
Can phishing training help with compliance?
Yes, many regulatory frameworks and insurance policies now require proof of regular security awareness training. By implementing our program, your business demonstrates a commitment to data protection. We provide detailed reporting that shows completion rates and improvement over time, which is essential for audits or when renewing cyber insurance. This helps ensure your organisation meets industry standards while protecting sensitive client information from unauthorized access through compromised credentials.
What happens if an employee fails a phishing test?
Failing a test is a learning opportunity, not a cause for punishment. When an employee clicks a simulated link, they are directed to a brief, interactive training page that explains the specific signs they overlooked. The goal is to build confidence and awareness. Our platform tracks these instances so management can see which departments might need extra support, allowing us to tailor future training to address specific vulnerabilities within your team.