
Phishing Forwards: Why Protocol Beats Training
It happened two weeks after phishing awareness training wrapped up. A well-meaning employee received a suspicious email, wanted to do the right thing, and forwarded it company-wide with a simple question: "Is this legit?" Four accounts were compromised before anyone could answer.

This scenario — pulled from a real discussion circulating in IT and MSP communities on Reddit — isn't a story about a bad employee or even a failed training program. It's a story about a missing protocol. And if your organization treats "send suspicious emails to IT" as an informal suggestion rather than a documented, enforced procedure, you're one curious employee away from the same outcome.

Training Creates Awareness. Protocol Creates Containment.

Phishing awareness training has real value. Employees who recognize red flags — urgent language, mismatched sender domains, unexpected attachments — are less likely to click. But awareness doesn't tell an employee what to do next. And that gap is where incidents h
Continue reading on Dev.to




