Security training firm PhishMe is to start marketing its innovative software-based anti-phishing training system in the UK for the first time on the back of a July funding round that raised $2.5 million (£1.6 million).

PhishMe’s began life three years ago as a training module inside consultancy Intrepidus Group before turning itself into a standalone company in order to market software used to test and train enterprise employees on how to spot malicious emails using simulated attacks.

The underlying concept behind the software - now offered as a SaaS service for convenience - is that an organisation’s security can be improved simply by changing the way employees react to malicious messages that have bypassed conventional security systems.

It’s an unusual approach that has become more event relevant as highly-targeted attacks have gone from being the exception to the rule in some industries.

Offered on an annual subscription basis, PhishMe’s system builds a customised training template for each customer designed to exploit the “emotional trends” that influence whether an employee can differentiate phishing attacks from legitimate communciation.

Doing this can be surprisingly tricky no matter how immune even experienced users believe themselves to be from the scourge. A very basic online test offered by the firm is worth taking for anyone who doubts this.

A survey of security pros carried out by the company at the recent Black Hat conference in Las Vegas found that many organisations offer staff very little training, replying on spam filters to keep rogue messages out. Only a small minority go as far as simulating real attacks in the style of PhishMe.

PhishMe co-founder and CEO believes that firms are nevertheless becoming more receptive to the idea of training staff to spot attacks.

“It [anti-phishing training] was an embarrassing thing to talk about three years ago,” he says. “But now we’ve had some high-profile attacks and that has made people willing to talk about it [phishing].”

He admits that there can still be political resistance to ‘showing up’ the failings of staff. Almost anyone can be caught out by sophisticated attacks, especially ones targeting specific individuals, and yet people remain wary about being assessed. UK enterprises now at least have the option to test their awareness using an independent assessment.