Protect Government Services with Phishing Training

Equip staff to recognize and report malicious messages that could threaten your organization’s data and services.

Train Employees to Recognize & Report Phishing 


Phishing happens when attackers trick people into clicking harmful links, opening fake emails or downloading malicious attachments. These actions can expose sensitive information or install malware. 

Most online attacks begin with a single click. Criminals often use phishing to steal credentials, access accounts or install ransomware that locks systems and demands payment. According to the FBI’s 2024 Internet Crime Report, phishing topped the list of the five most reported cybercrimes, with 193,407 complaints. And Verizon’s 2025 Data Breach Investigations Report found that 43% of the public sector breaches they investigated involved phishing. 

Phishing remains a common—and costly—threat to state, local, tribal and territorial (SLTT) government organizations. When it happens in government at any level, it can expose sensitive citizen data, disrupt essential services, or even lead to ransomware attacks. The impact is especially serious for SLTT agencies that oversee critical infrastructure such as public utilities or emergency services. Communities depend on these systems every day. Resource-constrained SLTTs are especially at risk, since they often have fewer cybersecurity resources than better-resourced organizations.

The good news? Phishing attacks are often preventable when employees are trained to recognize and avoid suspicious messages.  

Are you training your employees to spot phishing and protect their devices? A well-trained workforce can stop attacks before they cause harm. 


Follow These Steps to Avoid Phishing Scams 

Phishing is a serious risk. Fortunately, there are steps you can take to reduce it.
 

  1. Use available training resources. 

    Phishing scams are getting harder to spot. Attackers may include personal or organization-specific details to make fake messages appear real. Train employees to watch for red flags such as strange or unexpected requests, urgent language or suspicious links. Messages may appear to come from known contacts whose accounts were compromised. Encourage staff to be extra cautious with messages that appear to come from state or federal agencies, elected officials or law enforcement—these are commonly spoofed to gain trust. 

    Early recognition can help stop attacks. Threat literacy helps staff understand how attackers operate through emails, websites or social engineering and how to respond.  

    Use phishing simulations that mimic real threats your agency might face. Frequent, realistic testing helps employees build lasting awareness. You don’t need to create training materials from scratch. Coordinate with state-level cybersecurity programs or fusion centers for phishing simulation resources. Many offer support or no-cost tools. 
     

  2. Keep employees informed. 

    Designate someone, such as an IT provider or staff lead, to track emerging threats. Ask them to share updates with your team between trainings. 

    Remind employees, constituents, contractors and vendors to stay alert. If a message feels off or unexpected, staff should verify it—but not by replying or using any phone number or link in the message. Instead, use a search engine to look up the business’s phone number, or if it appears to come from someone you know, use a known contact method you already have such as a phone number or email address stored on your computer. 
     

  3. Build a culture of cybersecurity. 

    Threats evolve constantly, so once-a-year training isn’t enough. As a leader, set the tone by reinforcing secure online practices regularly—just like any other workplace policy. Ongoing education helps staff stay alert and respond quickly.  

    Make it easy and safe for employees to report suspicious emails and phishing attempts, even if they have inadvertently downloaded malware or shared data. A no-blame culture promotes quick action and reduces the chance of widespread damage.

    Ensure your communication security policies include: 

    • Clear guidance on how to report phishing attempts
    • Expectations around how to use official communication channels
    • Requirements for regular security training 

    Align your policies with state mandates or federal guidelines such as National Institute of Standards and Technology (NIST) standards. 

    CISA has no-cost tabletop exercises you can adapt to your organization to ensure that all participants understand their roles during an incident.  

Printable Tips

Get the Four Cybersecurity Essentials for SLTTs in one handy, printable summary. 


No-Cost Cyber Threat Services—Share with Your IT Team

Malware Analysis

Submit malware samples to CISA’s experts for no-cost analysis. Get recommendations for removal and recovery. 

Stop Ransomware

Find resources to tackle ransomware more effectively at the Government’s official one-stop location. 

State, Local, Tribal & Territorial Resources

No-cost information, resources, and tools from CISA to help you defend against cyber threats.
