When it comes to preventing phishing attacks, companies are often torn over how to spend their security dollars. The choice they make is usually between two options: employee awareness training and email security hardware/software. The first choice assumes your employees can protect you from phishing attacks if only they can be taught to spot them. The second choice assumes there’s not enough training in the world for your employees to stop every phishing attack—it’s better to leave that to technology.

In a perfect world, companies would just do both as part of a “defense-in-depth” strategy. Unfortunately, many companies don’t have the resources for both and are forced to choose one or the other. Which one is more effective? It depends on which data you look at. What we do know for sure, though, is that one of these options is also an attack vector now, thanks to some clever hackers.

According to a recent article on SC Magazine, “That anti-phishing training email your employees just received may, ironically, actually be a phishing email, according to cyber threat analysts who recently uncovered a security awareness-themed online social engineering campaign.” I’m not sure I’d use the word ironic here. Maybe terrifying would be more appropriate.

Continuing from the article, experts recently “reported on a phishing campaign that sends emails purporting to be a notification urging employees to complete their training with cybersecurity awareness company KnowBe4. Clicking on the embedded links, however, takes email recipients to a phishing page designed to steal their Microsoft Outlook credentials and other personal information. The email warns employees that they have only one day left to complete their training before the program expires. Urgency is often a tool used by social engineers to trick victims into making hasty decisions without thinking about the consequences of their actions.”

This is actually quite clever on the hacker’s part. Who would expect a notification for phishing awareness training to be a phishing email? Actually, everybody should. It’s the phishing attack that was bound to happen.

The attack is not meant to suggest companies should forgo awareness training altogether. But it does highlight the fact that companies on a strict budget, who must choose between two alternative solutions to the phishing problem, are probably better served by choosing email security technology like that available from Phish Protection.

Phish Protection is cloud-based email security specifically designed to combat phishing. And because it’s cloud-based, it requires no hardware to buy, no software to buy and no maintenance, ever. It also means it works with all major email providers, sets up in about 10 minutes and costs just pennies per employee per month. Phish Protection is so inexpensive, you’d be hard-pressed to find awareness training at this price.

For cost-conscious companies intent on keeping safe from phishing attacks, the choice is easy: Phish Protection. Try it risk-free for 60 days right now.