
Building a Phishing Awareness Program in 30 Days

A 30-day plan to stand up a real phishing awareness program at a small tax firm: tools, training cadence, simulation thresholds, and what to do when someone clicks.

June 23, 2026

Security awareness training is required by the FTC Safeguards Rule, by IRS Publication 4557, and by every cyber insurance application. Most tax firms either skip it or run a one-time video and forget about it. Neither approach passes scrutiny anymore.

This is the 30-day plan we use to stand up a real phishing awareness program at firms with 3 to 20 employees. It produces the documentation insurers and regulators want, and it actually changes behavior.

Day 1 to 5: pick the tool

A real program needs a tool. Manual training does not produce the artifacts. The standard options for small firms:

  • KnowBe4: feature-rich, more expensive, the standard for compliance-heavy industries
  • Hoxhunt: training is gamified, employees actually engage with it
  • Curricula: low-cost, story-based
  • Microsoft Attack Simulator: included with Microsoft 365 Business Premium and above

Cost ranges from $1 to $5 per user per month. Pick one and commit. Do not split between tools.

Day 6 to 10: roll out the baseline

Every employee completes the baseline training. This is typically 30 to 60 minutes of video content covering phishing, password hygiene, social engineering, and incident reporting.

Schedule the training. Block calendars. Send reminders. Verify completion.

Artifact: A completion report with employee name, date, and score.

Day 11 to 15: send the first simulation

A phishing simulation is a fake phishing email sent to your team to see who clicks. The first one should be moderate difficulty so you get a useful baseline.

Use a template that resembles a real threat to your firm. Common ones: fake Microsoft 365 login, fake DocuSign request, fake client uploading a W-2.

Track three numbers:

  • Click rate: what percentage clicked the link
  • Submit rate: what percentage entered credentials
  • Report rate: what percentage reported the email as phishing

A small tax firm baseline is typically 20 to 30 percent click rate. The goal is under 5 percent within 6 months.

Day 16 to 20: assign remediation training

Anyone who clicked or submitted gets immediate remediation training. The tool handles this automatically. The training is 5 to 15 minutes targeted at the specific failure mode.

Do not skip this. Do not let it slide. The remediation is what makes the program work. The first time someone fails the simulation, they learn. The second time, they remember. By the third time, they almost always report it instead of clicking.
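The three campaign metrics above and the remediation rule (anyone who clicked or submitted gets targeted training) can be computed from a simulation tool's results export. The script below is an added example, not code from the original post or from any of the named tools; the export format, column names and employee records are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample export from one simulation campaign (not a real tool's format).
# One row per recipient: did they click the lure, submit credentials, report it?
SAMPLE_EXPORT = """employee,clicked,submitted,reported
alice,no,no,yes
bob,yes,no,no
carol,yes,yes,no
dave,no,no,no
erin,yes,no,yes
frank,no,no,yes
"""

CLICK_RATE_TARGET = 5.0  # percent; the six-month goal stated in the plan


def parse_export(text: str) -> List[Dict[str, object]]:
    """Turn the CSV-style export into a list of per-employee result records."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        name, clicked, submitted, reported = [f.strip().lower() for f in line.split(",")]
        rows.append({"employee": name, "clicked": clicked == "yes",
                     "submitted": submitted == "yes", "reported": reported == "yes"})
    return rows


def campaign_rates(rows: List[Dict[str, object]]) -> Dict[str, float]:
    """Click, submit and report rates as percentages of all recipients."""
    total = len(rows)
    if total == 0:
        raise ValueError("campaign has no recipients; rates are undefined")
    pct = lambda key: round(100.0 * sum(1 for r in rows if r[key]) / total, 1)
    return {"click_rate": pct("clicked"), "submit_rate": pct("submitted"),
            "report_rate": pct("reported")}


def remediation_list(rows: List[Dict[str, object]]) -> Dict[str, str]:
    """Who needs remediation training, keyed by the failure mode to target.
    An employee who clicked and then reported still clicked, so still gets it."""
    assignments = {}
    for r in rows:
        if r["submitted"]:
            assignments[r["employee"]] = "credential-entry"  # also an incident (Scenario B)
        elif r["clicked"]:
            assignments[r["employee"]] = "link-click"
    return assignments


def meets_target(rates: Dict[str, float]) -> bool:
    """True once the campaign click rate is under the program goal."""
    return rates["click_rate"] < CLICK_RATE_TARGET
```

Run this against each quarterly campaign's export and keep the output with the campaign report; the rate history is the trend the qualified individual reviews.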

Day 21 to 25: write the policy

Write the firm's phishing policy. One page. Cover:

  • What employees should do when they receive a suspicious email
  • What happens if they click on a phishing link or enter credentials
  • The cadence of training and simulation
  • The reporting channel (a button in email, a Slack channel, an inbox)

Important: the policy must be supportive, not punitive. If staff fear punishment for clicking, they will hide the click and the firm will not learn about the breach until it is too late.

Artifact: Signed policy by every employee.

Day 26 to 30: build the recurring schedule

A program that runs once is not a program. The schedule:

  • Quarterly: full simulation campaign with at least 2 different lure templates
  • Monthly: 5 to 10 minute micro-training (quick video on a current threat)
  • Annually: full baseline training refresh, signed policy renewal

Block the cadence on the calendar for the next 12 months. Set the tool to auto-send simulations on randomized dates.

What to do when someone clicks

Two scenarios.

Scenario A: They clicked but did not enter credentials. The damage is usually limited (some browser tracking, possibly a malware download that the EDR blocked). Assign remediation training, document it, and move on.

Scenario B: They entered credentials. Treat it as a real incident. Force a password reset, revoke all active sessions, check the mailbox for newly created inbox rules, scan the workstation, and document each step. If the user has access to anything sensitive, expand the investigation.

In both cases: support the user, do not punish. The fastest way to kill a security culture is to fire someone for clicking. Treat the click as data, not as a moral failing.

What this looks like in your WISP

"All employees complete annual security awareness training and acknowledge our information security policy in writing. Phishing simulations are run quarterly using [Tool Name]. Remediation training is assigned automatically to employees who fail simulations. Click rates and report rates are tracked and reviewed by the qualified individual quarterly. Annual click rate target is below 5 percent."

That paragraph plus the artifacts (training records, simulation reports, signed policies) makes the difference between a defensible program and a checkbox.
