Try this first
1. Define repeat offender clearly: three or more clicks in six months, or two clicks without a single report. One-off does not count.
2. Talk to the person once, not by mail. Ask what happened. Sometimes it is time pressure tied to the role (finance, HR recruiting, customer contact), sometimes something in the workday does not match the simulation.
3. Build a targeted track: shorter, more often, with more realistic samples. Piling on longer training videos does not work.
4. Tighten technical brakes on those accounts: extra Conditional Access checks, quicker account lockout on suspicious behaviour, and an extra layer in Defender (Strict policy) for highest-risk roles.
5. Discuss with managers that it is not a punishment. The moment it feels like one, staff hide that they clicked, which is the opposite of what you want.
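The rule in step 1 is easy to state and easy to get wrong by hand once a simulation tool has been running for a while, because the six-month window slides and old clicks must drop out. The script below is an added example (not code from this page or its provider) that applies the page's definition to a constructed CSV export of simulation outcomes. It assumes the export format `date,user,outcome` with outcome one of `click`, `report` or `ignore`, approximates six months as 182 days, and reads "without a single report" as the user having reported none of the simulation mails in the window.

```python
from collections import defaultdict
from datetime import date, timedelta

# Six-month look-back window, approximated as 182 days (assumption).
WINDOW = timedelta(days=182)

# Constructed sample export from a phishing-simulation tool, one event per
# line: date,user,outcome with outcome in {click, report, ignore}.
# erin's first click is older than six months and must not count.
SAMPLE_CSV = """\
2023-11-15,erin,click
2024-01-10,alice,click
2024-01-10,bob,click
2024-01-10,carol,click
2024-01-10,dave,click
2024-01-10,erin,report
2024-03-05,alice,click
2024-03-05,bob,ignore
2024-03-05,carol,report
2024-03-05,dave,ignore
2024-03-05,erin,click
2024-05-20,alice,click
2024-05-20,bob,click
2024-05-20,carol,click
2024-05-20,dave,report
2024-05-20,erin,click
"""
AS_OF = date(2024, 6, 30)  # date the review is run (constructed)


def parse_events(text):
    """Turn the CSV export into (date, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, outcome = line.split(",")
        events.append((date.fromisoformat(day), user.strip(), outcome.strip()))
    return events


def classify(user_events, as_of):
    """Apply the repeat-offender rule to one user's (date, outcome) history.

    Returns a reason string when the rule fires, None otherwise. One-off
    clicks, and two clicks alongside at least one report, do not count.
    """
    start = as_of - WINDOW
    recent = [outcome for day, outcome in user_events if start <= day <= as_of]
    clicks = recent.count("click")
    reports = recent.count("report")
    if clicks >= 3:
        return "three_or_more_clicks"
    if clicks == 2 and reports == 0:
        return "two_clicks_no_reports"
    return None


def repeat_offenders(events, as_of):
    """Map each repeat offender to the reason the rule fired, sorted by user."""
    per_user = defaultdict(list)
    for day, user, outcome in events:
        per_user[user].append((day, outcome))
    result = {}
    for user in sorted(per_user):
        reason = classify(per_user[user], as_of)
        if reason:
            result[user] = reason
    return result


if __name__ == "__main__":
    for user, reason in repeat_offenders(parse_events(SAMPLE_CSV), AS_OF).items():
        print(f"{user}: {reason}")
```

Run against the sample, only alice (three clicks) and bob (two clicks, never reported) come out as repeat offenders; carol clicked twice but reported once, dave clicked once, and erin's third click falls outside the window. The reason string is worth keeping in the output, since step 2 is a conversation and "two clicks, never used the report button" is a different talk from "three clicks".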
When to bring us in
If someone passes six clicks in half a year and refuses the conversation, that is an HR matter, not an IT matter. IT signals, the manager acts.
See also
- I think I clicked a phishing link: No shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangely: Sending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codes: Classic problem after a phone upgrade. You are not the first to be locked out.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.