Staff notification template

Last updated June 11, 2026

Before enrolling staff, we strongly recommend telling them that simulated phishing training is starting — it sets the right tone (this is practice, not a trap), improves engagement, and helps meet transparency obligations. Adapt the note below to your organization and local law. Some jurisdictions or works councils require prior consultation or consent; check with your HR/legal advisors.

Why notify staff

• Transparency: people are told their data is processed for training.
• Trust: framing it as skill-building, not a gotcha, lifts participation.
• Better learning: the goal is recognizing real attacks, not punishment.

Email template

Copy and edit the following. Replace the bracketed parts with your own details.

Subject: We're starting phishing-awareness training

Hi team,

Phishing and scam emails are one of the most common ways attackers try to reach organizations like ours. To help us all get better at spotting them, we're starting a short, ongoing security-awareness exercise with a tool called Spotting The Bait.

From time to time you'll receive a simulatedphishing email. It's completely safe — it's a practice example, the links don't do anything harmful, and there's no penalty for getting one wrong. Each one takes under a minute: you decide whether it's a real-looking scam or legitimate, and you'll immediately see the answer and the tell-tale signs to watch for.

This is about building a skill together, not catching anyone out. We track participation and overall progress to see where a bit more support would help — not to single people out.

If you have any questions, reach out to [name / IT / security contact].

Thanks,
[Your name]

A few tips

• Send it from a real leader or your IT/security contact, not a no-reply address.
• Tell people how to report suspicious email for real (e.g. your IT inbox).
• Avoid naming or shaming individuals; celebrate team-wide improvement.
• If your IT team filters mail, ask them to allowlist the sending domain so challenges reach inboxes (we can provide the details).

See also our Privacy Policy and Data Processing Agreement.

Spotting The Bait is operated by Impaque. Questions about this document? Email legal@spottingthebait.com.