Security Awareness Training in the Age of AI-Powered Phishing

For twenty years, the advice was the same: look for the spelling mistakes, the bad grammar, the generic "Dear Customer" greeting. That advice is now actively dangerous. Generative AI writes phishing emails with flawless grammar, perfect branding, and details scraped from the target's own LinkedIn profile — and it does it at a scale, speed, and cost that no human attacker could ever match. The tell-tale signs are gone. The human being at the keyboard is now the single most attacked surface in your organisation, and the playbook for defending that surface has to change.

AI rewrote the phishing playbook

Phishing used to be a numbers game played by people. An attacker wrote one clumsy email, blasted it to a list, and hoped a fraction of recipients were careless enough to click. The clumsiness was the defence — odd phrasing and obvious errors did the filtering for you.

Generative AI removed the clumsiness. A modern social-engineering campaign can now:

• Write perfectly. No spelling errors, no awkward grammar, native-quality fluency in English, Hindi or any language the target uses.
• Personalise at scale. The model reads a target's LinkedIn role, recent posts, and the company's press releases, then writes a message that references a real project, a real colleague, and a real deadline.
• Impersonate convincingly. Voice cloning turns a 30-second sample into a phone call from "the CFO". Deepfake video has already been used to authorise fraudulent transfers on conference calls.
• Mutate endlessly. Every email in a campaign is slightly different, defeating signature-based filters that rely on seeing the same message twice.
• Move off email. QR-code phishing ("quishing") puts the malicious link in an image the email gateway never scans; smishing and chat-app lures sidestep mail security entirely.

The economics matter as much as the quality. What once took a skilled operator hours now takes a prompt and a few seconds. Attackers can run thousands of bespoke, well-researched lures for the price of an API call. The volume and the credibility went up at the same time — and both of them land on the same place: an employee deciding, in a few seconds, whether to trust a message.

The training you bought in 2019 stopped working

Most organisations do have "security awareness training". For the majority it means a once-a-year, 45-minute slideshow that staff click through during onboarding or compliance season. That model fails for three structural reasons.

The deepest problem is the second one. Training that tells staff to "look for poor grammar and spelling" is now teaching them the wrong thing — it builds false confidence in a signal that no longer exists. Effective training in 2026 teaches process: verify unexpected payment or credential requests through a second channel, treat urgency itself as a red flag, never authenticate from a link, and report anything that feels off. Those habits hold up whether the lure was written by a bored teenager or a frontier model.

From "awareness" to human risk management

The shift in language is not marketing — it is the whole point. "Awareness" is a feeling. "Human risk" is a number you can measure, target, and reduce. You cannot manage what you cannot see, and a slideshow shows you nothing. A real programme runs a continuous loop: simulate realistic attacks, see who is susceptible, train precisely those people on precisely that weakness, and re-measure.

This is exactly what Fortinet built FortiSAT to do.

The FortiSAT loop: five steps, repeated

What sets FortiSAT apart: the Security Fabric feedback loop

Most security-awareness products are islands. They run simulations, push training, and produce a dashboard — and that is where they stop. The risk they measure never reaches the controls that could act on it.

Inside the platform

Compliance: NIST, PCI-DSS, GDPR — and India's DPDP Act

Security awareness training is not only good practice — it is increasingly a written requirement. FortiSAT's curriculum aligns to the NIST framework (NIST 800-50 and NIST 800-16), and the platform supports compliance and security frameworks including NIST, PCI-DSS and GDPR.

For Indian enterprises, the regulatory pressure is closer to home. The Digital Personal Data Protection (DPDP) Act raises the cost of a data breach sharply, and a breach that began with a phished credential is still a breach the organisation must answer for. Sector regulators reinforce it: the RBI expects board-level ownership of cyber risk from regulated entities, SEBI's framework covers the securities-market ecosystem, and CERT-In's directions set incident-reporting obligations that a single successful phishing email can trigger. A measured, documented human-risk programme is how a Chief Information Security Officer demonstrates due diligence — not with a completion certificate, but with a susceptibility trend line that points down.

Rolling out FortiSAT with Ogma

Ogma Consulting is an authorised Fortinet partner, and we deliver FortiSAT as a programme, not a licence drop. Buying the platform is easy; changing behaviour is the work. A typical engagement runs in four stages.

FortiSAT is a per-user cloud subscription (minimum 25 users) and includes FortiCare premium support; a free tier is available for organisations with up to 25 users. Ogma returns a sized INR quote, with applicable GST, against your user count and directory setup.

Related: FortiDLP — feature walkthrough & use cases · Fortinet Partner India · Talk to Ogma