How Security Awareness Training Stopped 3 Phishing Attacks in One Quarter at a Pune IT Company

Anish Pandey · 2026-02-20 · 8 min read

In July 2025, CodeCraft Technologies — a 55-person software development company in Pune — nearly lost access to their entire Google Workspace account. A senior developer received an email that appeared to come from Google, warning that his account would be suspended due to unusual activity, with a link to verify his identity. He clicked the link, entered his Google credentials on a convincing replica of the Google login page, and submitted the form before realising something was wrong. He immediately called IT. The password was changed in time. No accounts were compromised. But the incident triggered a question from the CEO: how many of the 55 employees would have done the same thing? The answer, from a simulated phishing test run the following week, was 31 out of 55.

The Phishing Test: Confronting the Real Number

our team ran a simulated phishing campaign for CodeCraft before the security awareness programme began. The simulation sent three different phishing email types to all 55 employees over two weeks: a Google account suspension notice, a HR circular about a policy update requiring login to view, and an invoice from a vendor with a request to update bank details. The results: 31 employees clicked at least one link (56% click rate), 19 employees entered credentials on the fake page (35% credential submission rate), and 8 employees reported the suspicious email to IT (14% reporting rate). These numbers are, unfortunately, typical for an untrained Indian workforce. CERT-In's 2024 incident report attributes 78% of successful cyberattacks on Indian organisations to human-factor failures — phishing, credential sharing, and social engineering.

Why Standard IT Security Policies Do Not Work

Most Indian companies have an IT security policy — a PDF document emailed to employees during onboarding that nobody reads after the first day. The policy says 'do not click suspicious links' and 'do not share your password'. The 31 CodeCraft employees who clicked the phishing link were not unaware that phishing exists — most of them could define phishing if asked. The gap is between knowing that phishing is dangerous in the abstract and recognising a specific phishing email in the moment, when you are busy, when the email appears urgent, and when the design and branding look convincing. Security awareness training addresses this gap not through policy statements but through repeated practical exposure — simulated attacks, immediate feedback, and trained recognition of specific red flags.

The 6-Week Programme: How It Was Structured

our team designed a 6-week security awareness programme for CodeCraft's 55 employees, delivered in three formats. First, four 45-minute online modules covering phishing recognition, password security, safe handling of sensitive data, and social engineering tactics — completed at each employee's own pace over the first three weeks, with a 10-question quiz at the end of each module. Second, two live 60-minute workshop sessions (one for developers, one for non-technical staff) with real examples of phishing emails that had targeted Indian companies in the past year, including replicas of the Google suspension email that had almost caught CodeCraft's developer. Third, a follow-up simulated phishing campaign at the end of week 6 — same three attack types — to measure improvement.

The Week 6 Simulation: Measuring What Changed

At the end of the 6-week programme, our team ran the follow-up phishing simulation. The results: click rate down from 56% to 18% (31 to 10 employees). Credential submission rate down from 35% to 5% (19 to 3 employees). Reporting rate up from 14% to 49% (8 to 27 employees). The improvement in the reporting rate was the most strategically significant change — employees who recognised suspicious emails and reported them were actively contributing to the company's security rather than just avoiding being the vector of attack. The three employees who still submitted credentials in the simulation were not repeat offenders from the baseline — they were employees who had joined after the programme started and received only the online modules, not the live workshops. Subsequent live workshop attendance was made mandatory for all new joiners.

The Three Real Attacks in Q3 2025

In the quarter following the awareness programme, CodeCraft received three genuine phishing attack attempts. The first was an email purporting to be from their AWS account manager, citing unusual billing activity and requesting login to review charges. A developer recognised it as phishing from the domain mismatch (a common tell taught in the workshop) and reported it to IT within 4 minutes. The second was a WhatsApp message to the HR manager claiming to be from the CEO, asking her to urgently process a vendor payment — a classic Business Email Compromise (BEC) tactic. She called the CEO to verify, confirmed it was fake, and reported it. The third was an Office 365 credential harvesting email caught by two employees simultaneously. None of the three resulted in a compromised account. In the previous year, without training, at least one of these would likely have succeeded.

Security Awareness as a Compliance Requirement

Employee security awareness training is not just good practice — it is increasingly a formal compliance requirement. ISO 27001:2022 Annex A control A.6.3 mandates security awareness and training for all personnel. NIST Cybersecurity Framework requires awareness and training as a core Protect function. India's DPDP Act (Digital Personal Data Protection Act) creates data protection obligations on all organisations — and employee training on safe data handling is a due diligence defence in the event of a breach. For companies pursuing ISO 27001, SOC 2, or any regulatory compliance, the employee training programme is a mandatory element that is actively tested during audits. our team delivers security awareness programmes as a standalone service or as part of a broader compliance implementation, including phishing simulations, content, delivery, and post-training reporting.

Conclusion

Security technology — firewalls, endpoint protection, email filters — can block known threats. But every phishing email that reaches an employee's inbox is an unknown threat in the moment of delivery. The human layer is the last line of defence, and in most Indian organisations it is untrained. CodeCraft's experience shows what a 6-week programme changes: employees who were a liability in July became the company's security sensors by October, detecting real attacks before any software flagged them. The cost of the programme — ₹1.85 lakh for 55 employees including content, delivery, simulation, and reporting — is equivalent to one hour of downtime from a successful breach. Security awareness training is the highest-ROI investment in a company's security posture. Start with a phishing simulation — we will show you your actual risk before you commit to anything.

Topics: Security Awareness Training, Phishing Prevention, Compliance, Employee Training, Cybersecurity, Pune, India