Security Awareness Training for Financial Institutions

Justin Kirsch | 15 min read
A credit union professional reviewing email on a laptop with a Microsoft 365 security shield deflecting a phishing attack

Your branch staff, your loan officers, and your back-office processors open hundreds of emails a day. Every one of those messages is a decision: real or fake, safe or hostile, click or report. Your firewalls, your Microsoft Defender filters, and your multifactor authentication all work to keep the hostile ones away from that decision. None of them removes the decision entirely. Sooner or later, a convincing message reaches a real person, and what that person does next is the control that holds or fails.

That person is the part of your institution attackers aim at first, and it is the one control with no configuration screen and no green checkmark. This is where security awareness training for financial institutions stops being a compliance chore and becomes a genuine line of defense. Done as a once-a-year slideshow, it changes almost nothing. Done as a sustained, measured program, it is one of the few controls that has been shown to move the number that matters: how often your people fall for a real attack.

This guide is written for the people who own that risk at credit unions, banks, and mortgage companies: the IT directors, security leads, and compliance officers who answer to both the examiner and the breach. It covers what the rule actually requires, why the annual training most institutions run fails on both fronts, the Microsoft 365 tool you may already be paying for and have never switched on, and what a program looks like that an examiner will accept and an attacker will notice.

~60%
Share of data breaches that involved the human element, such as a person being tricked, making an error, or misusing access.
Source: Verizon, 2025 Data Breach Investigations Report

The control with no dashboard: your people

A financial institution spends real money on the controls it can see on a screen. Conditional access policies, endpoint protection, email filtering, a security score that goes up and to the right. All of that is worth doing, and our guide on conditional access policies for financial institutions walks through the identity side of it. But there is one control that never shows up as a tidy percentage on a dashboard, and it is the one attackers have decided is the softest way in: the judgment of the person reading the email.

According to Verizon's 2025 Data Breach Investigations Report, the human element was involved in roughly 60 percent of breaches. That figure has held steady, year over year, while the technical controls around it have improved. The reason it holds steady is simple. As filters get better at blocking known-bad messages, attackers invest more in the messages that get through, the ones crafted to look like a wire request from your CEO, a document-share notice from your title company, or a password-reset prompt from Microsoft itself.

Why this matters for financial institutions

A bank, credit union, or mortgage company is a higher-value target than a typical business of the same size. The accounts move money, the records hold member and customer financial data, and a single compromised mailbox can expose closing disclosures, loan files, and account numbers. Attackers know this, which is why financial services sees some of the most targeted and best-crafted social engineering of any industry. The human layer is not a soft spot you can ignore because it is small. It is the front door, and it is the one your competitors keep leaving unlocked.

Why your staff is the most-attacked control at a financial institution

To understand why training is worth the effort, you have to see how the attack actually starts. It rarely begins with a clever exploit against a server. It begins with a message to a person.

According to IBM's Cost of a Data Breach Report 2025, phishing was the single most common way attackers first got into the systems they breached, accounting for about 16 percent of breaches studied, and breaches that started with phishing were among the costliest, averaging about 4.8 million dollars each. That 4.8 million dollar figure is the average cost of a phishing-initiated breach specifically, not the overall average, which the same report puts at about 4.44 million dollars globally. The lesson in those two numbers together is that the cheapest attack to launch, an email, opens the door to one of the most expensive incidents to clean up.

Sheer volume backs that up. According to the FBI Internet Crime Complaint Center's 2024 Internet Crime Report, phishing and spoofing was the single most-reported type of cybercrime, with 193,407 complaints. For a financial institution, that volume is not abstract. It is the steady stream of messages your staff sorts through every day, any one of which can be the one that works.

Here is what that looks like on a normal Tuesday at a credit union or a mortgage office.

The message that arrives

A loan processor receives an email that looks like a secure document-share notice from a title company they work with weekly. Its branding is right, the language is routine, and it asks them to sign in to view a closing package. The sign-in page is a pixel-perfect copy of the Microsoft 365 login.

What happens next

If the processor enters their credentials, the attacker now has a working login to your tenant. Conventional multifactor authentication, such as push approvals, SMS codes, or authenticator one-time codes, may still stop them, but adversary-in-the-middle phishing kits increasingly proxy the real sign-in page and capture the second factor and the resulting session token as well. Phishing-resistant methods such as FIDO2 security keys and passkeys close that gap, because the credential is bound to the genuine site and cannot be replayed through a proxy, but until they are deployed to everyone, the control that holds is the processor recognizing the message as wrong and reporting it instead of signing in.

This is a credential-harvest attack, and it is the most common social engineering technique your people will face. The technical layers matter and you should run them: Microsoft Defender for Office 365 will filter a large share of these messages, and our guide on Microsoft Defender for Office 365 anti-phishing for financial institutions covers how. But filters are a probability game. They block most, not all. The messages that slip through are, by definition, the convincing ones, and they land in front of a human being whose training is the last control in the chain. Increasingly those messages are written and personalized by AI, which is why the human layer is getting harder, not easier, as our guide on AI brand-impersonation phishing for financial institutions describes.

Your email filter is a probability game. It blocks most attacks, not all. The messages that get through are the convincing ones, and the only control left standing between them and your tenant is a person who was either trained to notice or was not.

The training your regulator actually requires

Security awareness training is not optional for a financial institution, and it is not merely a best practice borrowed from a framework. It is a written requirement, and which rule names it depends on what kind of institution you are. This is one of those places where getting the regulatory detail right earns you credibility with an examiner, so it is worth being precise.

For non-bank financial institutions, which includes most independent mortgage lenders and brokers, the requirement lives in the FTC Safeguards Rule. The rule lists the elements every covered institution's information security program must contain, and training is one of them, stated in plain language.

FTC Safeguards Rule

Provide your personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment.

16 CFR 314.4(e)(1)

Read the second half of that sentence closely, because it is where most programs fall short. The training must be updated to reflect the risks identified by your risk assessment. A static deck that says the same thing every year, regardless of what is actually targeting your institution, does not meet that standard. If your risk assessment flags business email compromise and wire fraud, your training has to address business email compromise and wire fraud, and it has to keep pace as those threats evolve.

Banks and credit unions are not covered by the FTC Safeguards Rule, but they are not exempt from the training requirement. They reach it through a parallel set of rules that implement the Gramm-Leach-Bliley Act, and the expectation is the same.

Non-bank mortgage companies

Governed by the FTC Safeguards Rule, 16 CFR Part 314. Section 314.4(e)(1) requires the institution to provide personnel with security awareness training, updated to reflect the risks its own risk assessment identifies.

Banks and credit unions

Governed by the GLBA information security standards. The Interagency Guidelines for banks (OCC at 12 CFR Part 30 Appendix B, FDIC at 12 CFR Part 364 Appendix B, Federal Reserve at 12 CFR Part 208 Appendix D-2) and the NCUA's Guidelines for Safeguarding Member Information (12 CFR Part 748, Appendix A) both call for training appropriate personnel as part of the information security program.

Sitting above all of these is the examiner's playbook. The FFIEC IT Examination Handbook, in its Information Security booklet, sets the expectation that a supervised institution maintains a security awareness and training program for its staff. It is guidance rather than codified law, but it is the lens through which examiners from every agency assess whether your program is real or merely on paper. When an examiner asks to see your security awareness program, they are reading you against that booklet, and a folder containing one annual training certificate is not what it describes.

The question behind the requirement

Across all of these rules, the examiner is really asking one question: can you show that your people are measurably better at recognizing attacks than they were a year ago, and that your program is responding to the threats actually aimed at you? A completion certificate answers a different, smaller question, namely whether everyone sat through a video. The gap between those two questions is exactly where findings come from, and it is exactly the gap a real program closes.

Why annual click-through training fails the exam and the attacker

Most financial institutions already do security awareness training. They assign an annual module, employees click through it, everyone certifies completion, and the certificate goes in the compliance folder. It satisfies the literal checkbox, and it does very little else. The evidence on this is uncomfortable and worth facing honestly.

Research on security awareness training consistently finds that a one-time session does little to change how often employees click on the attacks that reach them. People sit through the annual module, certify, and then click the next convincing phish at roughly the rate they would have anyway. The annual deck changes what is in the compliance folder. It does not reliably change behavior.

What does change behavior is a different model entirely: frequent, realistic practice with immediate feedback, sustained over time and measured. One of the most widely cited datasets on this comes from KnowBe4's Phishing by Industry Benchmarking Report 2025, which tracks how often employees fall for simulated phishing across tens of thousands of organizations.

The number that proves the model

According to KnowBe4's Phishing by Industry Benchmarking Report 2025, organizations start at a global average phish-prone rate of about 33 percent, meaning roughly one in three employees will fall for a simulated phishing test before any program is in place. After 12 months of continuous training with simulated phishing, that rate falls by 86 percent, to roughly 4 percent. The difference between a 33 percent failure rate and a 4 percent failure rate is not the content of the training. It is the frequency, the realism, and the measurement, sustained for a year instead of completed in an afternoon.

That contrast is the whole argument. A one-time module is a snapshot that satisfies a requirement on the day it is taken. A sustained program is a trend line that bends the institution's actual risk down month over month, and it produces, as a byproduct, exactly the evidence an examiner wants to see. The same program that protects you is the program that proves you are protected. The reason most institutions do not run it is not that they do not believe in it. It is that running it well takes a tool, a cadence, and someone to own it. The tool, for most Microsoft 365 customers, is closer than they think.

Running an annual module and calling it a program?

ABT builds and runs the sustained, simulated-phishing security awareness program examiners actually expect, inside your managed Microsoft 365 tenant.

The Microsoft 365 tool you may already own but never turned on

Here is the part most institutions miss. You may already be paying for an enterprise-grade phishing simulation and training platform, built into Microsoft 365, and never have switched it on. It is called Microsoft Attack Simulation Training, and it lives inside Microsoft Defender for Office 365.

Per Microsoft's documentation, Attack Simulation Training lets you run benign, harmless simulated phishing campaigns against your own staff, then automatically assign training to the people who need it most. The simulated attacks use the same social engineering techniques real attackers use, curated from the MITRE ATT&CK framework: credential harvesting, malicious attachments, links to malware, drive-by URLs, and consent-phishing prompts, including QR-code variants. In other words, you can send your loan processor a safe version of exactly the title-company credential-harvest email from the scenario above, see who clicks, and turn that moment into training instead of a breach.

Attack Simulation Training pairs the simulations with a built-in library of training modules, delivered in partnership with Terranova Security, that you can assign automatically based on how each person performed. It tracks who opened, who clicked, and who reported, and it surfaces a Predicted Compromise Rate so you can gauge how realistic a given simulated message is before you send it. The entire program runs inside the Microsoft 365 tenant your institution already operates, with no separate platform to buy or integrate.

Microsoft Attack Simulation Training

Included in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2. Runs simulated phishing campaigns using social engineering techniques curated from MITRE ATT&CK, assigns training from a built-in module library, and tracks simulation interactions and reporting.

Source: Microsoft Learn

That license line is where the catch hides, and it is the single most useful thing to check before you assume you are covered. Attack Simulation Training is included with Microsoft 365 E5 and with Microsoft Defender for Office 365 Plan 2. It is not included with Microsoft Defender for Office 365 Plan 1, which is the tier bundled into Microsoft 365 Business Premium, the plan a great many community banks, credit unions, and mortgage companies run. So an institution can be paying for a respectable security suite, believe it has phishing simulation, and not actually have the capability turned on or even available until it adds the right plan.

Check this before your next exam

If your institution runs Microsoft 365 Business Premium, you have Microsoft Defender for Office 365 Plan 1, which does not include Attack Simulation Training. You would need Defender for Office 365 Plan 2 (available as an add-on) or Microsoft 365 E5 to run native simulated phishing. The good news is that the fix is usually a licensing adjustment, not a new platform purchase. The first step is simply knowing which side of that line you are on, because "we have Microsoft security" and "we can run phishing simulations" are not the same statement.
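The licensing check above can be done by hand in the Microsoft 365 admin center, but it is easy to script against the same data. The Python below is an added illustration, not code from Microsoft or from this article: it takes the parsed JSON body of a Microsoft Graph GET /v1.0/subscribedSkus call (readable with the Organization.Read.All permission, for example from Graph Explorer) and reports whether any enabled SKU carries the Defender for Office 365 Plan 2 service plan. The sample tenant payload is constructed. The service plan names ATP_ENTERPRISE (Plan 1) and THREAT_INTELLIGENCE (Plan 2) are the ones Microsoft's service-plan reference lists for these tiers; treat them as an assumption to confirm against the current reference if your tenant shows different names. The function also surfaces a caveat worth knowing: a Plan 2 SKU can sit in the tenant with zero consumed units, meaning it was purchased but never assigned to anyone.

```python
"""Assess Defender for Office 365 licensing from a Graph subscribedSkus response.

Added example: not Microsoft's code and not from the original article. Feed it
the real JSON body of GET https://graph.microsoft.com/v1.0/subscribedSkus.
"""
import json

# Service plan names as Microsoft's service-plan reference lists them.
# Assumption: verify against the current reference if your tenant differs.
MDO_PLAN1 = "ATP_ENTERPRISE"        # Defender for Office 365 Plan 1, bundled in Business Premium
MDO_PLAN2 = "THREAT_INTELLIGENCE"   # Defender for Office 365 Plan 2, where Attack Simulation Training lives


def assess_mdo_licensing(subscribed_skus: dict) -> dict:
    """Return which Defender for Office 365 tier the tenant's enabled SKUs carry.

    Only SKUs whose capabilityStatus is Enabled and whose service plan has
    provisioned successfully count, so an expired trial or a suspended add-on
    does not produce a false "we have Plan 2".
    """
    plan2_skus, plan1_only_skus, plan2_assigned = [], [], 0
    for sku in subscribed_skus.get("value", []):
        if sku.get("capabilityStatus") != "Enabled":
            continue
        provisioned = {
            p["servicePlanName"]
            for p in sku.get("servicePlans", [])
            if p.get("provisioningStatus") == "Success"
        }
        if MDO_PLAN2 in provisioned:
            plan2_skus.append(sku["skuPartNumber"])
            plan2_assigned += int(sku.get("consumedUnits", 0))
        elif MDO_PLAN1 in provisioned:
            plan1_only_skus.append(sku["skuPartNumber"])
    return {
        "attack_simulation_available": bool(plan2_skus),
        "plan2_skus": plan2_skus,
        "plan2_licenses_assigned": plan2_assigned,   # 0 means bought but not assigned
        "plan1_only_skus": plan1_only_skus,
    }


# Constructed sample: a Business Premium tenant (SKU part number SPB), no add-on.
SAMPLE_BUSINESS_PREMIUM = json.loads("""
{
  "value": [
    {
      "skuPartNumber": "SPB",
      "capabilityStatus": "Enabled",
      "consumedUnits": 120,
      "servicePlans": [
        {"servicePlanName": "ATP_ENTERPRISE", "provisioningStatus": "Success"},
        {"servicePlanName": "EXCHANGE_S_FOUNDATION", "provisioningStatus": "Success"}
      ]
    }
  ]
}
""")


def with_plan2_addon(tenant: dict, assigned: int = 0) -> dict:
    """Same tenant after purchasing the Plan 2 add-on; `assigned` users hold it so far."""
    addon = {
        "skuPartNumber": "THREAT_INTELLIGENCE",
        "capabilityStatus": "Enabled",
        "consumedUnits": assigned,
        "servicePlans": [{"servicePlanName": MDO_PLAN2, "provisioningStatus": "Success"}],
    }
    return {"value": tenant["value"] + [addon]}


if __name__ == "__main__":
    for label, tenant in [
        ("Business Premium only", SAMPLE_BUSINESS_PREMIUM),
        ("with Plan 2 add-on, unassigned", with_plan2_addon(SAMPLE_BUSINESS_PREMIUM)),
        ("with Plan 2 add-on, assigned", with_plan2_addon(SAMPLE_BUSINESS_PREMIUM, 120)),
    ]:
        print(label, assess_mdo_licensing(tenant))
```

Run it against your own tenant's response and you get a yes-or-no answer to "can we run native phishing simulations today", plus the assigned-unit count that tells you whether the answer will survive the first campaign.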

A note on terminology that auditors notice

ABT manages your Microsoft 365 tenant. Microsoft owns and runs the underlying infrastructure; as a Tier-1 Microsoft Cloud Solution Provider, ABT configures and operates the security controls inside that tenant through delegated administration, including Attack Simulation Training. The distinction matters in an exam. A provider that says it will host your Microsoft 365, rather than manage it, signals it may not understand its own delegated-admin role, and that is the kind of imprecision that makes an examiner look harder at everything else.

The human layer of Microsoft 365 security for financial institutions: phishing reaches a person after filters, the regulatory requirement for training under the FTC Safeguards Rule and GLBA, and Microsoft Attack Simulation Training in Defender for Office 365 Plan 2
The technical layers stop most attacks. Training is the control for the convincing ones that get through, and Microsoft Attack Simulation Training is the Microsoft 365 tool that builds it.

What an examiner-ready security awareness program looks like

Owning the tool is not the same as running the program, any more than owning a treadmill makes you fit. The difference between a checkbox and a defense is a repeatable cadence that someone owns and measures. An examiner-ready program, the kind that bends the phish-prone rate down and produces the evidence the rule wants, has five recurring parts.

Baseline. Before you train anyone, run a simulated phishing campaign to measure where your institution actually stands. That first number, your starting phish-prone rate, is the most honest data point you will get, and it is the floor you measure progress against. It also tends to get leadership's attention faster than any policy memo.

Simulate continuously. Send realistic simulated phishing on a regular cadence, monthly is a common rhythm, using the techniques actually targeting financial institutions: fake document-share notices, spoofed wire requests, Microsoft 365 credential prompts. Vary the difficulty. The aim is not to trick people into feeling foolish; it is to give them frequent, low-stakes practice at recognizing the real thing.

Train in the moment. When someone clicks, that is the teachable instant, and the training should arrive then, tied to what they just did, not six months later in an unrelated module. Attack Simulation Training automates exactly this, assigning a short, relevant lesson to the person who needs it, which is what makes the cadence sustainable without a full-time trainer.

Measure and report. Track the phish-prone rate, the reporting rate, and repeat-clicker patterns over time. The reporting rate only means something if reporting is possible: deploy the built-in Report button or the Report Message add-in in Outlook and route reported messages to your security team, because a user who recognizes the phish but has no button to press shows up as "no action", not as a catch. The trend line is the deliverable. A program that can show a phish-prone rate falling quarter over quarter is telling the institution's board and its examiner the same true story: the human layer is getting stronger, on purpose, with numbers to prove it.

Tie it to the risk assessment. Close the loop the rule asks for. Feed what the simulations reveal back into the risk assessment, and update the training to match the threats your institution is actually seeing. That is the difference between training that is updated to reflect identified risks, the standard the FTC Safeguards Rule sets, and a deck that says the same thing every January.

The same program that bends your phish-prone rate from one in three down toward one in twenty-five is the program that hands your examiner a year of trend data. The defense and the evidence are the same artifact.
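What "measure and report" produces, in concrete terms, is a small set of numbers computed from each campaign's per-user outcomes, which Attack Simulation Training shows in its simulation report and which any other tool exports in some form. The Python below is an added worked example, not code from this article or from Microsoft: it computes the per-campaign phish-prone rate and report rate, flags repeat clickers, and answers the examiner's trend question by comparing the first and last three campaigns. The eight users and six monthly campaigns are constructed data, and the SimResult record and its action names are assumptions standing in for whatever your export uses. It follows the KnowBe4 convention that a user is phish-prone if they took any risky action (click, attachment open, credential entry), and records a user who clicks and then reports under the risky action, since the click is what the attacker needed.

```python
"""Turn per-user simulated-phishing outcomes into examiner-facing trend metrics.

Added example, not from the original article or from Microsoft. The record shape
and action names are assumptions; map your tool's export onto them.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Any of these counts as a failed simulation: the user did what the attacker wanted.
RISKY_ACTIONS = {"clicked", "attachment_opened", "credentials_supplied"}


@dataclass(frozen=True)
class SimResult:
    campaign: str   # sortable campaign label, e.g. "2025-03" (assumed format)
    user: str       # UPN or any stable identifier
    action: str     # worst action observed: "none", "reported", or one of RISKY_ACTIONS


def campaign_metrics(results: list[SimResult]) -> list[dict]:
    """Phish-prone rate and report rate per campaign, oldest first."""
    by_campaign: dict[str, list[SimResult]] = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    metrics = []
    for campaign in sorted(by_campaign):
        rows = by_campaign[campaign]
        targeted = len(rows)
        failed = sum(r.action in RISKY_ACTIONS for r in rows)
        reported = sum(r.action == "reported" for r in rows)
        metrics.append({
            "campaign": campaign,
            "targeted": targeted,
            "phish_prone_pct": round(100 * failed / targeted, 1),
            "report_pct": round(100 * reported / targeted, 1),
        })
    return metrics


def repeat_clickers(results: list[SimResult], min_failures: int = 2) -> list[str]:
    """Users who failed at least `min_failures` campaigns: the ones to coach individually."""
    failures: dict[str, int] = defaultdict(int)
    for r in results:
        if r.action in RISKY_ACTIONS:
            failures[r.user] += 1
    return sorted(u for u, n in failures.items() if n >= min_failures)


def trend_is_improving(metrics: list[dict], window: int = 3) -> bool | None:
    """Compare the mean phish-prone rate of the first and last `window` campaigns.

    Returns None when there is not yet enough history to claim a trend honestly.
    """
    if len(metrics) < 2 * window:
        return None
    first = sum(m["phish_prone_pct"] for m in metrics[:window]) / window
    last = sum(m["phish_prone_pct"] for m in metrics[-window:]) / window
    return last < first


# Constructed sample: eight staff, six monthly campaigns. Users not listed for a
# campaign took no action. "bob" keeps failing; reporting climbs month over month.
USERS = ["alice", "bob", "carol", "dan", "erin", "frank", "grace", "heidi"]
OUTCOMES = {
    "2025-01": {"alice": "clicked", "bob": "clicked", "carol": "clicked", "dan": "reported"},
    "2025-02": {"bob": "clicked", "carol": "clicked", "dan": "reported", "erin": "reported"},
    "2025-03": {"bob": "credentials_supplied", "dan": "reported", "erin": "reported",
                "alice": "reported"},
    "2025-04": {"bob": "clicked", "frank": "clicked", "dan": "reported", "erin": "reported",
                "alice": "reported", "carol": "reported"},
    "2025-05": {"dan": "reported", "erin": "reported", "alice": "reported",
                "carol": "reported", "grace": "reported"},
    "2025-06": {"bob": "clicked", "dan": "reported", "erin": "reported", "alice": "reported",
                "carol": "reported", "grace": "reported", "heidi": "reported"},
}
SAMPLE_RESULTS = [
    SimResult(campaign, user, actions.get(user, "none"))
    for campaign, actions in OUTCOMES.items()
    for user in USERS
]

if __name__ == "__main__":
    table = campaign_metrics(SAMPLE_RESULTS)
    for m in table:
        print(f"{m['campaign']}: phish-prone {m['phish_prone_pct']}%  reported {m['report_pct']}%")
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    print("improving:", trend_is_improving(table))
```

On the constructed data the phish-prone rate starts at 37.5 percent and the last three campaigns average half of the first three, while the report rate climbs to 75 percent; the repeat-clicker list is the short roster you hand to a manager for a conversation, not a new module. Note that `trend_is_improving` refuses to answer with fewer than six campaigns, which is the honest position to take with an examiner after one or two months.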

That five-part cadence is straightforward to describe and genuinely hard to sustain, which is the honest reason most institutions never get past the annual module. It needs a tool that is configured correctly, a monthly rhythm that does not slip when the quarter gets busy, content that tracks current threats, and someone to read the numbers and act on them. For an institution whose security team is already stretched across the rest of the Microsoft 365 stack, that program is exactly the kind of recurring work that falls off the calendar.

The five-part examiner-ready security awareness program cycle for financial institutions: baseline, simulate continuously, train in the moment, measure and report, tie to the risk assessment, powered by Microsoft Attack Simulation Training
Baseline, simulate, train in the moment, measure, and feed the risk assessment. The cadence is what turns a Microsoft 365 capability into an examiner-ready program.
Why the program, not the platform, is the hard part

Most institutions we work with already own the platform, or are one licensing step away from it. What they do not have is the recurring program around it: the monthly simulations, the in-the-moment training, the trend reporting, and the link back to the risk assessment. As a Tier-1 Microsoft Cloud Solution Provider that runs Microsoft 365 for more than 750 banks, credit unions, and mortgage companies, ABT sees the business email compromise and wire-fraud patterns aimed at financial institutions before most single institutions do, and seeds the simulations with them. ABT manages the Microsoft 365 tenant, confirms the institution has the right Defender for Office 365 licensing for Attack Simulation Training, and runs the sustained program as part of M365 Guardian, our managed security operating model: the baseline, the monthly cadence, the in-the-moment training, the measurement, and the examiner-ready reporting. The platform is the easy part. The year of consistent execution that bends the phish-prone rate down is the work.

Access Business Technologies, Tier-1 Microsoft Cloud Solution Provider for financial institutions

Your human layer is the control that does not fix itself and does not stay fixed. It needs practice, measurement, and attention on a schedule. Get it right and you turn the part of your institution attackers count on into the part that catches them, while producing the evidence your next exam will ask for. For the identity controls that back up a well-trained workforce, our guide on phishing-resistant multifactor authentication for financial institutions is a natural next read, and for the broader Safeguards Rule program that training sits inside, see our guide on the FTC Safeguards Rule and Microsoft 365 for mortgage companies.

Start with a licensing check and a baseline

ABT confirms whether your Microsoft Defender for Office 365 plan includes Attack Simulation Training, runs a first simulated campaign to measure where your people actually stand today, and turns that baseline into the sustained, examiner-ready program your exam expects, all inside the Microsoft 365 tenant we manage for you.

Frequently Asked Questions

Is security awareness training required for financial institutions?

Yes. For non-bank financial institutions, including most independent mortgage lenders, the FTC Safeguards Rule at 16 CFR 314.4(e)(1) requires providing personnel with security awareness training that is updated to reflect risks identified by the risk assessment. Banks and credit unions reach the same requirement through the GLBA information security standards: the Interagency Guidelines for banks (such as 12 CFR Part 30 Appendix B for the OCC and 12 CFR Part 364 Appendix B for the FDIC) and the NCUA's Guidelines for Safeguarding Member Information at 12 CFR Part 748 Appendix A both call for training appropriate personnel. The FFIEC IT Examination Handbook's Information Security booklet sets the examiner expectation that institutions maintain a security awareness and training program.

Can Microsoft 365 run phishing simulations?

It can, depending on your license. Microsoft Attack Simulation Training, part of Microsoft Defender for Office 365, runs simulated phishing campaigns and assigns training based on how employees respond. Per Microsoft's documentation, it is included with Microsoft 365 E5 and with Microsoft Defender for Office 365 Plan 2. It is not included with Defender for Office 365 Plan 1, which is the tier bundled into Microsoft 365 Business Premium. Many community banks, credit unions, and mortgage companies run Business Premium, so they would need to add Defender for Office 365 Plan 2 or move to E5 to use native phishing simulation.

Why isn't an annual training module enough?

Because behavior change comes from frequent practice, not a once-a-year session. Research on training outcomes consistently finds that a one-time session does little to change how often employees click on the attacks that reach them. By contrast, KnowBe4's Phishing by Industry Benchmarking Report 2025 found that organizations running ongoing training with simulated phishing reduced their average phish-prone rate from about 33 percent to roughly 4 percent over 12 months, an 86 percent reduction. The FTC Safeguards Rule also requires training to be updated to reflect current risks, which a static annual deck does not satisfy.

What does an examiner look for in a security awareness program?

An examiner is looking for evidence that the program is real and effective, not just that it exists. That means a documented cadence of training and simulated phishing, records of who participated and how they performed, trend data showing the phish-prone rate over time, and a link back to the institution's risk assessment so the training reflects current threats. A single annual completion certificate answers a much smaller question, whether people sat through a video, and the gap between that certificate and a measured program is where exam findings come from.

How often should a financial institution run simulated phishing?

A monthly cadence is a common and effective rhythm. The goal is frequent, low-stakes practice that keeps recognition sharp, rather than an annual event. KnowBe4's 2025 benchmarking data shows the phish-prone rate falling by 86 percent over 12 months of ongoing training, which depends on a sustained schedule rather than a single campaign. Vary the difficulty and the techniques over time, mirroring the document-share notices, spoofed wire requests, and credential prompts that actually target financial institutions, and feed what you learn back into the next round.

Can a managed service provider run the program for us?

Yes, and for most institutions that is the practical way to sustain a real program. A Tier-1 Microsoft Cloud Solution Provider like ABT manages your Microsoft 365 tenant, confirms you have the right Microsoft Defender for Office 365 licensing for Attack Simulation Training, and runs the recurring program: establishing a baseline, sending monthly simulations, assigning training in the moment, tracking the phish-prone trend, and producing the reporting your examiner expects. That removes the most common reason programs fail, which is not a lack of tooling but the absence of someone to own the monthly cadence and the measurement.


Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has worked with financial institutions on Microsoft technology since founding Access Business Technologies in 1999. As CEO of ABT, the largest Tier-1 Microsoft Cloud Solution Provider primarily dedicated to financial services, he works with more than 750 banks, credit unions, and mortgage companies to turn Microsoft 365 security capabilities, including Attack Simulation Training, into sustained, examiner-ready programs that measurably reduce the human-layer risk attackers count on.