Most companies in the Philippines already run some form of security awareness training. There’s usually an annual module, a quiz, maybe a certificate at the end. It checks the compliance box. But the threats these programs were designed for have shifted significantly over the past two years, and a lot of training programs haven’t moved with them.
Phishing now makes up 77% of all cyberattacks globally, up from 60% just a year ago. Attackers are using AI to write convincing messages, clone voices, and run campaigns at a speed and scale that wasn’t realistic before. If your training still tells employees to “look for spelling errors,” it’s solving a problem that barely exists anymore.
What AI Actually Changed About Phishing

The old advice was straightforward: check for bad grammar, hover over links, watch for suspicious domains. For a long time, that worked. Most phishing emails were sloppy, mass-produced, and fairly easy to catch if you paid attention.
AI changed that. Platforms like FraudGPT and similar tools now generate phishing emails that read naturally, match the context of the recipient’s role, and are personalized enough to pass a quick glance. On top of that, deepfake technology lets attackers clone a CEO’s voice and follow up a phishing email with a phone call, adding a layer of believability that training about “suspicious senders” was never built to handle.
The Fortinet 2026 Global Threat Landscape Report found that time-to-exploit for critical vulnerabilities has dropped to just 24 to 48 hours, down from nearly five days in earlier reports. Attackers are faster. The margin for human error is thinner. “Think before you click” is still good advice, but on its own, it’s not enough anymore.
Why Philippine Organizations Are Especially Exposed

The Philippines is in a tough spot. Digital adoption is moving fast, but security maturity hasn’t kept up.
Check Point’s Philippine Threat Landscape Report found that phishing sites targeting the Philippines surged 423% in 2025, jumping from 731 to 3,824. Smishing, or SMS-based phishing, has become one of the most common vectors, taking advantage of the country’s mobile-first habits and telecom infrastructure. Social media impersonation also rose 37%, with attackers creating fake executive profiles and using AI chatbots to push investment scams targeting bank customers.
A separate Fortinet-IDC survey found that 78% of Philippine organizations had already encountered AI-powered cyber threats. The top attack types included deepfake impersonation in BEC, AI-driven social engineering, and automated reconnaissance. Only 9% said they were very confident in their ability to defend against these attacks.
There’s also a local angle that global training platforms tend to overlook. Philippine phishing campaigns frequently use Taglish (mixed Tagalog and English), impersonate agencies like BIR or SSS, and time their attacks around events like tax filing deadlines or e-wallet promos. A training program designed for US or European employees simply doesn’t cover these patterns.
5 Gaps in Your Security Awareness Training That AI Exposes

If your program was built before AI became a mainstream attack tool, chances are it has some combination of the following weaknesses.
No AI-Specific Threat Content
Fortinet’s 2025 Security Awareness and Training Report surveyed 1,850 IT security leaders worldwide and found that while 88% agree AI threats have made training more important, only about 40% believe their employees can actually identify, avoid, and report AI-based attacks. That gap usually starts with the curriculum itself. If the training doesn’t cover deepfake impersonation, AI-generated BEC, or how to verify requests through a second channel, it’s preparing employees for threats that are already outdated.
Static Phishing Simulations
A lot of programs still use the same simulation templates they’ve had for years: fake shipping notifications, password reset emails, HR policy updates. Employees eventually learn to recognize the simulation format rather than build real detection instincts. Effective phishing simulations should pull from real, de-weaponized attack data relevant to your organization, not recycled templates everyone has already seen twice.
One-Size-Fits-All Delivery
Not every employee carries the same risk. Mimecast’s own platform data shows that roughly 8% of users are responsible for 80% of security incidents. But most training programs still deliver the same content to everyone on the same schedule. A finance team member who processes wire transfers every day faces different risks than a warehouse supervisor. Training should reflect that.
No Real-Time Feedback
Annual training creates a short spike in awareness that fades within weeks. What’s missing is feedback at the point of risk. When someone clicks a suspicious link or shares data on an unauthorized platform, the most effective moment to teach is right then, not during a scheduled session three months later. Real-time nudges delivered through email, Slack, or Teams can reinforce good habits and correct risky ones before they become actual incidents.
No Way to Measure Behavioral Change
Completion rates and quiz scores are still the most common security awareness training (SAT) metrics, but they say very little about whether behavior actually changed. The Fortinet report found that 67% of organizations saw reduced incidents after implementing training, but only those tracking behavioral data, like simulation click rates, repeat offender trends, and per-user risk scores, could actually prove it. Without those metrics, you can’t tell who needs more help or show leadership that the investment is working.
What a Modern Program Should Look Like

Fixing these gaps means moving away from static, compliance-driven programs toward something more adaptive and ongoing. NIST SP 800-50 Rev. 1, updated in September 2024, reinforces this direction by recommending role-based curricula, continuous reinforcement, and measurable outcomes as the foundation of effective security awareness.
In practice, that means phishing simulations built from real attack data instead of templates, training paths that adjust based on individual risk profiles, real-time coaching at the moment of risky behavior, personal scorecards so employees can see their own progress, and risk scoring that helps security teams focus on the users who need the most support.
These capabilities already exist in platforms designed around what’s often called security behavior management. The idea is simple: training, simulation, and behavioral analytics should all feed into each other continuously, not live as separate annual events.
How Mimecast Brings This Together

Mimecast’s Human Risk Management platform is built around this approach. Its Engage module, available in Engage Core and Engage Pro tiers, combines over 200 video-based training modules with phishing simulation, behavioral nudges, and risk analytics, all managed through a central Human Risk Command Center.
One of the more practical features is SAFE Phish. It captures real phishing emails that have targeted your organization, strips out the malicious components, and converts them into simulation templates. So instead of generic test scenarios, employees train against the actual attacks that reached their inbox. Every interaction feeds into a per-user Human Risk Score, giving security teams a clear view of where organizational risk is concentrated and who needs additional support.
Engage Pro takes this further with behavioral nudges delivered through email, Slack, or Microsoft Teams, providing corrective feedback in real time when employees take risky actions, and positive reinforcement when they do the right thing. Personalized scorecards let employees track their own progress, which helps shift security from a top-down requirement into something people feel ownership over.
The risk scoring doesn’t stop at training data. Mimecast’s Human Risk Score looks at more than just how someone performs in phishing simulations. It also considers signals from endpoint security detections and real phishing emails encountered across your environment. For example, an employee might never click a simulated phish. However, if that same user regularly triggers endpoint alerts or is frequently targeted by real phishing attempts, those patterns are taken into account. The result is a more complete and realistic view of each user’s risk, based on how they behave in actual day-to-day work. This level of visibility is what separates a human risk management approach from traditional programs that rely only on completion rates or click metrics.
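As an added illustration of the multi-signal scoring and repeat-offender metrics described above (not Mimecast's algorithm and not code from this post), here is a hypothetical per-user risk score that combines simulation click and report rates with endpoint alerts and real phishing exposure, then ranks users so that someone who never clicks a test but is heavily targeted still surfaces. The user names, event types and weights are constructed for the example.

```python
"""Illustrative per-user risk scoring; hypothetical weights, not Mimecast's Human
Risk Score: clicks raise risk, reporting lowers it, alerts and real phish add it."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class UserSignals:
    sim_sent: int = 0             # simulations delivered to the user
    sim_clicked: int = 0          # simulations the user clicked
    sim_reported: int = 0         # simulations the user reported
    endpoint_alerts: int = 0      # endpoint detections attributed to the user
    real_phish_targeted: int = 0  # real phishing emails that reached the inbox

FIELD_FOR_EVENT = {
    "sim_sent": "sim_sent", "sim_clicked": "sim_clicked",
    "sim_reported": "sim_reported", "endpoint_alert": "endpoint_alerts",
    "real_phish": "real_phish_targeted",
}

# Constructed event log for three hypothetical users (not real telemetry).
EVENTS = [
    ("ana", "sim_sent"), ("ana", "sim_sent"), ("ana", "sim_reported"),
    ("ben", "sim_sent"), ("ben", "sim_clicked"), ("ben", "sim_sent"),
    ("ben", "sim_clicked"), ("cy", "sim_sent"), ("cy", "sim_reported"),
    ("cy", "endpoint_alert"), ("cy", "endpoint_alert"), ("cy", "real_phish"),
    ("cy", "real_phish"), ("cy", "real_phish"),
]

def aggregate(events):
    """Fold the event log into one UserSignals record per user."""
    users = defaultdict(UserSignals)
    for user, kind in events:
        attr = FIELD_FOR_EVENT[kind]
        setattr(users[user], attr, getattr(users[user], attr) + 1)
    return dict(users)

def risk_score(s):
    """Score 0-100; weights are illustrative and should be tuned per org."""
    click_rate = s.sim_clicked / s.sim_sent if s.sim_sent else 0.0
    report_rate = s.sim_reported / s.sim_sent if s.sim_sent else 0.0
    raw = (50 * click_rate - 10 * report_rate
           + 8 * s.endpoint_alerts + 4 * s.real_phish_targeted)
    return max(0.0, min(100.0, raw))

def rank_users(events):
    """Highest-risk first; third field flags repeat clickers (2+ clicks)."""
    rows = [(u, round(risk_score(s), 1), s.sim_clicked >= 2)
            for u, s in aggregate(events).items()]
    return sorted(rows, key=lambda r: -r[1])
```

In the constructed data, "cy" never clicks a simulation yet outranks "ana" because of endpoint alerts and real phishing exposure, which is the case the paragraph above describes.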
For Philippine organizations, working with a local solutions provider like CT Link Systems makes deployment and ongoing management practical. CT Link can help scope, deploy, and manage Mimecast in a way that fits your organization’s size, industry, and specific risk profile.
If your current training was designed for a pre-AI threat landscape, it’s worth taking a hard look at whether it’s still doing its job. The attacks have changed. The training should too.
Interested in learning more about security awareness training solutions like Mimecast? Contact us at marketing@ctlink.com.ph to set up a consultation with us today!
