In New Zealand, phishing is not a fringe threat; it is the dominant one. Kordia’s Cyber Security Report 2026 showed that 44% of businesses across NZ suffered a cyber-attack in the past year, and of those attacks, 45% began with a phishing email. Worryingly, a quarter of the organisations surveyed had no cyber security awareness training programme.
The new threat landscape
AI has industrialised phishing. Attacks that once required expertise and time can now be launched in minutes. As AI grows more capable, these attacks become more accessible to any attacker. Globally, AI-generated phishing emails have grown 1,265 percent since 2023, and roughly 82.6 percent of all phishing emails now contain AI-generated content, according to data from Hoxhunt. While only a tiny fraction – between 0.7% and 4.7% – were completely generated by AI, AI lowers the threshold for starting a phishing campaign.
Indeed, research from IBM X-Force shows that AI can generate highly convincing phishing emails in five minutes, rather than the 16 hours typically required by experienced human operators. And according to Okta, hackers are using a popular AI tool to rapidly generate convincing phishing websites in as little as 30 seconds.
Why traditional phishing awareness training fails
To properly respond to the moment, technical solutions are not enough. We need a layered response, with human judgment at the core, acting as the last line of defence.
Traditional security awareness training, of which phishing awareness training is one component, is not up to the task. Phishing awareness training teaches employees how to recognise, question, and safely respond to suspicious messages — email, chat, or video — before they become costly incidents.
It’s often mandatory in the new-employee onboarding process, a time when an employee is absorbing a great quantity of new information. There’s a fundamental assumption (hope?) that employees will take an interest in this subject, though. If they do pay attention, they will encounter a collection of bloated training videos and lengthy theoretical text, with no set curriculum.
Luckily for them (but unluckily for the business), certification is participation-based, so if they sit through the training and maybe complete some multiple-choice questions, they can get their certificate, and everyone can feel satisfied with a job well done.
Awareness barely improves, the cyber risks remain, but at least the box can be ticked.
Most employees aren’t ignoring training out of apathy. They’re overwhelmed. Traditional programmes ask them to absorb lessons about abstract threats while juggling real-world deadlines.
How behaviour-based training works
Security training must rewire default habits. The core focus must be changing the default behaviour pattern, where an employee receives an e-mail, spots a link or an attachment, and clicks on it without thinking.
We need to change that default approach to one where an employee is more critical, asking questions like:
- “Am I expecting this email at this time, and from this person?”
- “Why have I received it?”
- “What domain does it come from?”
- “Does the message line up with my experience, and is what they’re asking for reasonable?”
- “Who should I contact to check?”
In sum, does the complete picture make sense and can it be trusted? And how can we make sure? To help organisations develop these habits, we offer a fully-featured solution. Let’s take a look.
Gamified training sessions
Rather than a lengthy, mandatory, one-time training session, our solution features bite-sized learning modules that employees can complete without disrupting their workday, with gamification that rewards their knowledge, not their participation. Training is built around a curriculum designed to change behaviour, not tick a box.
Phishing simulations
Beyond initial training video courses, many platforms offer phishing simulations, where employees receive simulated phishing emails to challenge their skills. Often, these suffer from a lack of targeting and specificity. Tech-savvy users receive easy phishing tests and learn nothing, while less technical users receive difficult tests, fail, and lose confidence.
We offer a tailored approach, where phishing simulations are targeted to the technical ability of the recipient, helping all employees continue to build their knowledge and habits, no matter their starting point.
In one simulation we ran internally, a well-crafted Microsoft 365 login prompt caught several technically strong users off guard. The page looked legitimate down to the tenant branding. It was a good reminder that phishing succeeds not because people are careless, but because the attacks are getting very good.
Fall for a phishing simulation? You’ll learn what clues you could have used to avoid this fate, so you can be better prepared should a real-life attacker use the same approach. The system will even learn what time of day you are most susceptible to attacks, to fine-tune further phishing simulations.
In another phishing simulation we ran, the email itself was not particularly sophisticated. However, it was sent at the end of the month, and several users clicked through quickly. What stood out was not a lack of awareness but the context. People were under time pressure, juggling competing tasks, and the email created a sense of urgency. In that moment behaviour took over from training. That is often where these attacks succeed.
Behavioural risk score
Our platform keeps track of all these interactions to develop a picture of individual, department, and company resilience, which it calls a Behavioural Risk Score. Effectively: if all other security measures failed, how safe would your company be? With the advances in AI, this question is no longer theoretical.
We have seen measurable improvement through ongoing simulation and training. One customer reduced an initial click rate of around 12% to 4.5%. Beyond the click rates, we could see a change in behaviour, which is the outcome we need from awareness programmes.
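As an added illustration (not the platform's own code), the snippet below shows how the inputs to a score like the one described above can be derived from simulation results: click rates per person, department and company, the hour of day with the highest click rate, and a difficulty choice for the next tailored lure. The events, department names and difficulty thresholds are constructed for the example.

```python
# Added example, not the vendor's code: aggregate constructed phishing-simulation
# results into per-person, per-department and company click rates, find the hour
# of day with the highest click rate, and pick a next lure difficulty per user.
from collections import defaultdict
from datetime import datetime

# Constructed sample data: (user, department, time the lure was sent, clicked?)
EVENTS = [
    ("ana", "finance",     "2025-05-30T16:05", True),
    ("ana", "finance",     "2025-06-12T09:10", False),
    ("ben", "finance",     "2025-05-30T16:20", True),
    ("ben", "finance",     "2025-06-12T09:15", False),
    ("cy",  "engineering", "2025-05-30T16:30", False),
    ("cy",  "engineering", "2025-06-12T09:20", False),
    ("dee", "engineering", "2025-05-30T16:40", True),
    ("dee", "engineering", "2025-06-12T09:25", False),
]

def click_rates(events):
    """Return {("user", u) | ("dept", d) | ("company",): clicked / sent}."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for user, dept, _, hit in events:
        for key in (("user", user), ("dept", dept), ("company",)):
            sent[key] += 1
            clicked[key] += int(hit)
    return {k: clicked[k] / sent[k] for k in sent}

def riskiest_hour(events):
    """Hour of day (0-23) with the highest click rate; earliest hour on ties."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for _, _, sent_at, hit in events:
        hour = datetime.fromisoformat(sent_at).hour
        sent[hour] += 1
        clicked[hour] += int(hit)
    return min(sent, key=lambda h: (-clicked[h] / sent[h], h))

def next_difficulty(rate):
    """Choose the next lure difficulty from a user's click rate (assumed thresholds)."""
    if rate <= 0.10:
        return "hard"
    if rate <= 0.30:
        return "medium"
    return "easy"

if __name__ == "__main__":
    for key, rate in sorted(click_rates(EVENTS).items(), key=str):
        print(key, f"{rate:.0%}", next_difficulty(rate))
    print("riskiest hour:", riskiest_hour(EVENTS))
```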
This is consistent with broader industry trends where organisations typically start with much higher baseline susceptibility and can significantly reduce it through sustained awareness programmes that focus on behavioural change. It also shows that you need more than an annual training exercise to reduce the risk. It reinforces that behavioural change, not just technical control, is what drives long-term risk reduction.
Why security awareness training is for everyone
It’s not every role that involves wiring US $25 million. But almost every role involves handling sensitive information or accessing some system with a level of risk. We could once depend on technology alone to guard us against attacks. Those days are over. If you want to ensure your team is practising safe online habits, phishing and security awareness training is vital. But participation is no longer enough, and a 100% completion rate means nothing if employees fall at the first hurdle.