How to Run a Phishing Simulation Campaign


Phishing remains the most common initial attack vector for data breaches. Industry reports consistently show that over 80% of security incidents involve a phishing component, whether it is a credential harvesting email, a malicious attachment, or a link to an exploit kit. The uncomfortable reality is that technical controls alone cannot stop phishing -- you also need people who recognize and report suspicious emails. A well-run phishing simulation campaign is the most effective way to build that awareness.

This guide covers everything you need to run a phishing simulation from planning through post-campaign remediation. The goal is not to embarrass employees who click, but to create a measurable, repeatable process that reduces your organization's susceptibility to real phishing attacks.

TL;DR

  • Get executive, HR, and legal buy-in before launching -- frame simulations as training, never punishment.
  • Monthly simulations typically reduce click rates from 20-30% to under 5% within 6-12 months.
  • Track report rate alongside click rate -- employees who report suspicious emails are your active defense layer.
  • Provide immediate feedback when employees click, and enroll repeat clickers in targeted remediation training.
  • Vary template types and difficulty across campaigns to build real recognition skills, not pattern matching.

Why Run Phishing Simulations?

Security awareness training by itself has limited impact. Employees sit through an annual presentation, pass a quiz, and forget most of it within weeks. Phishing simulations close that gap by creating realistic, low-stakes practice scenarios where employees encounter simulated phishing in their actual inbox, during their normal workday.

The benefits are concrete:

Measurable risk reduction. Organizations that run regular simulations typically see click rates drop from 20-30% to under 5% within 6-12 months. That is a quantifiable improvement in your security posture.

Behavioral change, not just knowledge. Reading about phishing is different from recognizing a phishing email mixed in with 50 legitimate messages. Simulations build the muscle memory to pause, inspect, and report before clicking.

Identifying high-risk groups. Some departments or roles are consistently more susceptible (executives, new hires, customer-facing teams). Simulations reveal where targeted training is needed.

Compliance requirements. Many frameworks (SOC 2, ISO 27001, PCI DSS, HIPAA) require or strongly recommend phishing awareness testing. Simulations satisfy these requirements with documented evidence.

Reporting culture. The most valuable metric is not who clicks, but who reports. A mature phishing awareness program shifts the culture from "don't click bad things" to "report anything suspicious" -- which gives your security team actionable intelligence.

PHISHING SIMULATION LIFECYCLE (figure)

  1. Plan: scope, targets, timing, goals
  2. Design: templates, scenarios, pretexts
  3. Execute: send, track, record interactions
  4. Measure: open, click, report rates, risk scoring
  5. Train: remediation, coaching, repeat

Continuous improvement cycle.

Phase 1: Planning Your Phishing Campaign

Rushing into sending simulated phishing emails without planning is a recipe for organizational backlash. The planning phase is where you prevent problems.

Get Stakeholder Buy-In

Before anything else, secure written approval from senior leadership, HR, and legal. Phishing simulations can create anxiety and frustration among employees if they are not handled carefully. Key points to address:

  • Legal counsel review. Ensure the simulation complies with local employment laws. In some jurisdictions, simulated phishing emails may have legal implications if they are excessively deceptive or target individuals in ways that feel harassing.
  • HR alignment. Agree upfront that simulation results will not be used for punitive action. The moment employees fear disciplinary consequences for clicking, they stop reporting real phishing attempts too. Frame it as training, never as a test they can fail.
  • Executive sponsorship. A message from leadership explaining the purpose of the program (before the first campaign) dramatically reduces negative reactions.

Define Your Scope and Objectives

Decide who receives the simulation and what you are measuring. Options include:

  • Full organization. Baseline campaigns should include everyone to establish an organization-wide click rate.
  • Targeted departments. Follow-up campaigns can focus on high-risk groups identified in baseline results.
  • New hires. Running a simulation during onboarding establishes security awareness from day one.

Set specific, measurable goals: reduce click rate to under 10%, achieve a 50% reporting rate, or ensure 100% of executives can identify credential harvesting attempts.

Best Practice

Start with a broad baseline campaign before targeting specific groups. You need organization-wide data to identify which departments and roles need the most attention.

Choose Your Timing

Timing affects results and employee reception:

  • Avoid major deadlines, all-hands meetings, or company events. Employees under pressure are more likely to click, and the results will not reflect normal behavior.
  • Stagger sends over several hours or days. Sending to the entire organization simultaneously increases the chance of cross-office chatter that invalidates results.
  • Do not run simulations on Fridays or before holidays -- people who click and then worry over the weekend will not appreciate it.

Phase 2: Designing Realistic Templates

The effectiveness of a phishing simulation depends entirely on how realistic the scenarios are. Templates that are obviously fake teach employees nothing. Templates that are too sophisticated can cause panic.

The sweet spot is a scenario that a reasonably attentive person would question, but a distracted person might not.

High-Performing Template Categories

Based on real campaign data, these template types consistently generate the highest engagement:

Password expiration notices. "Your password expires in 24 hours. Click here to update it." This works because it combines urgency with a routine action that employees perform regularly. The link goes to a simulated credential harvesting page.

IT department requests. "Our IT team needs you to verify your account due to a recent security update." Internal authority combined with vague security language bypasses many employees' suspicion filters.

Shipping notifications. "Your package could not be delivered. Click to reschedule." Effective because many employees order items online for both personal and work purposes.

HR and benefits announcements. "Open enrollment changes for 2026 -- review your updated benefits." These exploit the trust employees place in HR communications.

Shared document notifications. "John shared a document with you -- click to view." Mimics legitimate notifications from Google Workspace, Microsoft 365, or Dropbox that employees receive daily.

TYPICAL CLICK RATES BY TEMPLATE TYPE (figure)

  • Password expiry: 28%
  • IT department: 24%
  • Shipping notice: 21%
  • HR / benefits: 19%
  • Shared document: 17%

Based on aggregate data from initial baseline campaigns across multiple organizations.

Template Design Best Practices

Make your templates realistic but fair:

  • Use internal branding where possible. A simulated email from "IT Support" using your company logo is more realistic than a generic template.
  • Include subtle red flags that a trained employee should catch: a sender domain that is close but not quite right, a generic greeting instead of the employee's name, or a URL that does not match the claimed destination.
  • Never use actual malware or exploit kits. The landing page should display a training message, not execute anything.
  • Vary difficulty across campaigns. Start with medium-difficulty templates for the baseline. Use harder templates for subsequent campaigns as awareness improves.
  • Test the template yourself first. Send it to a small group of volunteers from the security team to check that it renders correctly, the tracking works, and the landing page displays properly.
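The red flags listed above are also what the "test it yourself" step should confirm are present before a template goes out. The following Python checker is an added example (not the article's own or Metric Tower's code): given a draft's sender address and HTML body, it reports a lookalike or external sender domain, any link whose visible text shows a different domain than its href, and a generic greeting, and it returns nothing for a clean internal message. The org domain example-corp.com, the lookalike examp1e-corp.com and both sample messages are constructed; the registrable-domain helper is a simplification that ignores public suffixes such as co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _MailParser(HTMLParser):
    """Collects (href, visible text) for every <a> plus the full visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._link_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a hostname. Simplification: not public-suffix aware."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
GENERIC_GREETING_RE = re.compile(
    r"\b(dear|hello|hi)\s+(valued\s+)?(user|customer|employee|team|colleague|member)\b", re.I)


def find_red_flags(sender, html_body, org_domain):
    """Return the red flags a trained employee should be able to catch."""
    flags = []
    org_domain = org_domain.lower()
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if registrable(sender_domain) != org_domain:
        distance = edit_distance(registrable(sender_domain), org_domain)
        kind = "lookalike" if distance <= 2 else "external"
        flags.append(f"{kind} sender domain: {sender_domain} (expected {org_domain})")

    parser = _MailParser()
    parser.feed(html_body)
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text.lower())  # only link text that displays a URL is compared
        if shown and registrable(shown.group(0)) != registrable(href_host):
            flags.append(f"link text shows {shown.group(0)} but points to {href_host}")

    if GENERIC_GREETING_RE.search(" ".join(parser.text)):
        flags.append("generic greeting instead of the recipient's name")
    return flags


# Constructed draft template (password-expiry pretext) and a clean internal message.
ORG_DOMAIN = "example-corp.com"
DRAFT_SENDER = "it-support@examp1e-corp.com"
DRAFT_HTML = """<p>Dear Employee,</p>
<p>Your password expires in 24 hours. Click
<a href="https://login.examp1e-corp.com/reset">https://sso.example-corp.com/reset</a>
to update it.</p>
<p><a href="https://example-corp.com/help">Help center</a></p>"""

CLEAN_SENDER = "it-support@example-corp.com"
CLEAN_HTML = """<p>Hi Alice,</p><p>The VPN client update is available in the
<a href="https://portal.example-corp.com/software">software portal</a>.</p>"""

if __name__ == "__main__":
    for flag in find_red_flags(DRAFT_SENDER, DRAFT_HTML, ORG_DOMAIN):
        print("red flag:", flag)
    print("clean message flags:", find_red_flags(CLEAN_SENDER, CLEAN_HTML, ORG_DOMAIN))
```

Run the draft through `find_red_flags` as part of the volunteer test round: if it comes back empty, the template has no fair cue for employees to catch; if it flags more than the cues you intended, the template may be easier than planned. The same three checks are what a triage analyst applies to a reported message, so the training message on the landing page can point at exactly these cues.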

Phase 3: Executing the Campaign

Execution is the phase most people think about first, but if you have done the planning and design work, this part is relatively straightforward.

Sending the Emails

Most phishing simulation platforms handle the sending infrastructure for you. Key considerations:

  • Sender domain. Use a domain that is close to yours but not identical. Employees should be able to catch the discrepancy if they inspect the sender. If your organization uses domain verification for phishing senders, make sure the domain is verified first.
  • Email deliverability. Work with your email team to ensure simulation emails are not blocked by your own spam filters. Most platforms provide instructions for allowlisting their sending IPs or domains.
  • Staggered delivery. Send emails in batches over hours or days rather than all at once. This reduces the chance of employees warning each other before they receive their email.

Tracking Interactions

Comprehensive tracking captures every step of the interaction funnel:

  • Email delivered. Confirms the email reached the inbox (not spam/junk).
  • Email opened. Tracked via a 1x1 pixel embedded in the email body. Note that some email clients block images by default, so open tracking underreports.
  • Link clicked. The most important metric. Records when a recipient clicked the phishing link.
  • Credentials entered. If the landing page is a credential harvester, records when someone submitted data. Never store actual passwords -- hash or discard immediately.
  • Email reported. Records when a recipient used the phishing report button (if your organization has one) or forwarded the email to the security team.

Phase 4: Measuring Results

Raw click rates are the starting point, but mature programs track deeper metrics.

Key Metrics

Click rate is the percentage of recipients who clicked the phishing link. A first-time baseline for an untrained organization typically falls between 20% and 35%. After 4-6 monthly simulations with training, most organizations reach 5-10%.

Report rate is the percentage of recipients who reported the email as suspicious. This is arguably more important than click rate because it measures active defense. A good target is a report rate higher than the click rate. Some organizations aim for 70%+ reporting.

Time to first click shows how quickly the fastest clickers engage. If 60% of clicks happen within the first 5 minutes of delivery, that tells you people are clicking without reading carefully.

Time to first report measures how quickly your detection pipeline works. Faster reports mean shorter exposure windows for real phishing attacks.

The repeat clickers metric identifies individuals who click across multiple campaigns. These users need targeted, one-on-one coaching rather than generic training.

CAMPAIGN METRICS FUNNEL (figure)

  • 1,000 emails sent
  • 950 delivered (95% of sent)
  • 620 opened (65%)
  • 180 clicked (19%)
  • 40 submitted credentials (4%)
  • 310 reported (33% report rate)

Percentages below the first row are relative to delivered emails (for example, 620 of 950 is 65%). Goal: report rate exceeds click rate.

Analyzing by Segment

Break down results by department, role level, office location, and tenure. Common patterns you may find:

  • Executive assistants and C-suite have higher click rates (they deal with more email and more urgency)
  • Engineering teams have lower click rates (technical literacy helps)
  • New hires (under 90 days) click more frequently than tenured employees
  • Remote workers may have different risk profiles than in-office staff

These segments should drive targeted training programs in the next phase.
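To show how the tracking events from Phase 3 turn into the Phase 4 metrics and the segment breakdown above, here is an added Python example (not the article's own or Metric Tower's code). It takes a flat event log of delivered, opened, clicked, submitted and reported events for two campaigns and computes the funnel (with rates relative to delivered recipients, as the funnel figure does), time to first click and first report, click rates per department or tenure bucket, and the set of repeat clickers across campaigns. The campaign ids, user names, departments, tenures and timings are all constructed; a "submitted" event records only that a form was submitted, never what was typed.

```python
from collections import defaultdict

# Constructed tracking events for two campaigns (not real data). Each row is
# (campaign, user, department, tenure in days, event, seconds after send).
# "frank" bounced in the first campaign, so he has no events there.
EVENTS = [
    ("2025-01", "alice", "eng", 800, "delivered", 0),
    ("2025-01", "alice", "eng", 800, "opened", 120),
    ("2025-01", "alice", "eng", 800, "reported", 300),
    ("2025-01", "bob", "sales", 400, "delivered", 0),
    ("2025-01", "bob", "sales", 400, "opened", 60),
    ("2025-01", "bob", "sales", 400, "clicked", 90),
    ("2025-01", "bob", "sales", 400, "submitted", 150),
    ("2025-01", "carol", "sales", 30, "delivered", 0),
    ("2025-01", "carol", "sales", 30, "opened", 200),
    ("2025-01", "carol", "sales", 30, "clicked", 240),
    ("2025-01", "dave", "exec", 1500, "delivered", 0),
    ("2025-01", "dave", "exec", 1500, "opened", 30),
    ("2025-01", "dave", "exec", 1500, "clicked", 45),
    ("2025-01", "dave", "exec", 1500, "reported", 600),
    ("2025-01", "erin", "eng", 60, "delivered", 0),
    ("2025-01", "erin", "eng", 60, "reported", 900),
    ("2025-01", "grace", "exec", 200, "delivered", 0),
    ("2025-01", "grace", "exec", 200, "reported", 50),
    ("2025-02", "alice", "eng", 830, "delivered", 0),
    ("2025-02", "alice", "eng", 830, "reported", 200),
    ("2025-02", "bob", "sales", 430, "delivered", 0),
    ("2025-02", "bob", "sales", 430, "clicked", 400),
    ("2025-02", "carol", "sales", 60, "delivered", 0),
    ("2025-02", "carol", "sales", 60, "reported", 100),
    ("2025-02", "dave", "exec", 1530, "delivered", 0),
    ("2025-02", "dave", "exec", 1530, "clicked", 50),
    ("2025-02", "frank", "sales", 730, "delivered", 0),
    ("2025-02", "frank", "sales", 730, "opened", 60),
]

RATE_NAMES = {"opened": "open_rate", "clicked": "click_rate",
              "submitted": "submit_rate", "reported": "report_rate"}


def _users_by_event(events, campaign):
    """Set of distinct users per event kind for one campaign."""
    users = defaultdict(set)
    for camp, user, _dept, _tenure, kind, _ts in events:
        if camp == campaign:
            users[kind].add(user)
    return users


def funnel(events, campaign, sent):
    """Counts and rates for the interaction funnel. Rates after delivery are
    relative to delivered recipients, and a user counts once per step."""
    users = _users_by_event(events, campaign)
    delivered = users["delivered"]
    out = {"sent": sent, "delivered": len(delivered),
           "delivery_rate": len(delivered) / sent if sent else 0.0}
    for kind, rate_name in RATE_NAMES.items():
        n = len(users[kind] & delivered)
        out[kind] = n
        out[rate_name] = n / len(delivered) if delivered else 0.0
    return out


def time_to_first(events, campaign, kind):
    """Seconds from send to the first event of this kind, or None if none occurred."""
    times = [ts for camp, _u, _d, _t, k, ts in events if camp == campaign and k == kind]
    return min(times) if times else None


def segment_click_rates(events, campaign, segment_of):
    """Clicks per segment; segment_of(dept, tenure_days) names the bucket.
    Returns {segment: (clicked, delivered, click_rate)}."""
    delivered, clicked = {}, set()
    for camp, user, dept, tenure, kind, _ts in events:
        if camp != campaign:
            continue
        if kind == "delivered":
            delivered[user] = segment_of(dept, tenure)
        elif kind == "clicked":
            clicked.add(user)
    counts = defaultdict(lambda: [0, 0])  # [clicked, delivered] per segment
    for user, seg in delivered.items():
        counts[seg][1] += 1
        if user in clicked:
            counts[seg][0] += 1
    return {seg: (c, d, c / d) for seg, (c, d) in counts.items()}


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns."""
    campaigns = defaultdict(set)
    for camp, user, _d, _t, kind, _ts in events:
        if kind == "clicked":
            campaigns[user].add(camp)
    return {u for u, c in campaigns.items() if len(c) >= min_campaigns}


if __name__ == "__main__":
    f = funnel(EVENTS, "2025-01", sent=7)
    print(f"click rate {f['click_rate']:.0%}, report rate {f['report_rate']:.0%}")
    print("first click at", time_to_first(EVENTS, "2025-01", "clicked"), "s")
    print(segment_click_rates(EVENTS, "2025-01", lambda dept, tenure: dept))
    print("repeat clickers:", repeat_clickers(EVENTS))
```

Counting distinct users per step rather than raw events matters: one employee who clicks a link three times is still one click in the funnel, and an employee who clicks and then reports (dave in the sample) appears in both the click and the report numbers, which is the behavior the training message is meant to encourage. Swap the `segment_of` callable to cut the same data by office or role level.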

Phase 5: Post-Campaign Training and Remediation

The simulation is not the end goal -- it is a diagnostic tool. The training that follows is where actual risk reduction happens.

Immediate Feedback

When an employee clicks the phishing link, the landing page should immediately display a training message: what the red flags were, why the email was suspicious, and what they should do next time. This is far more effective than generic training because the employee just experienced the failure firsthand and is primed to learn.

Targeted Remediation for Repeat Clickers

Employees who click across multiple campaigns need more than a landing page message. Options include:

  • Automated training enrollment. Metric Tower automatically enrolls clickers in security awareness training courses, with tracking of completion and due dates.
  • One-on-one coaching. A 15-minute conversation with a security team member is more effective than any e-learning module for persistent clickers.
  • Increased simulation frequency. Repeat clickers can be added to a higher-cadence simulation group to build awareness faster.

Positive Reinforcement

Recognize and reward employees who report simulated phishing. This is critical for building a reporting culture. Options include team leaderboards, recognition in company meetings, or small rewards. The key message is: reporting is the behavior we value, not just avoiding clicks.

Common Mistake

Using simulation results for disciplinary action. The moment employees fear punishment for clicking, they stop reporting real phishing attempts too -- destroying your most valuable detection channel.

Legal and HR Considerations

Phishing simulations sit in a unique space -- they deliberately deceive employees to improve security. Handle this carefully:

  • Written policy. Have a documented phishing simulation policy reviewed by legal and HR. It should state the purpose, scope, frequency, and explicitly confirm that results will not be used for disciplinary action.
  • Privacy compliance. In jurisdictions with strong data protection laws (GDPR, CCPA), ensure your simulation tracking and data retention comply. Store only the metrics you need and define a retention period.
  • Union considerations. If your workforce is unionized, the simulation program may need to be disclosed to or negotiated with union representatives.
  • Psychological safety. Never publicly shame employees who click. Never use phishing simulation results in performance reviews. The moment people feel punished, they stop reporting real phishing too.
  • Sensitive templates. Avoid templates that exploit personal fears (fake layoff notices, fake health emergency alerts). These can cause genuine distress and undermine trust in company communications.

How Often Should You Run Simulations?

The cadence depends on your organization's maturity and goals:

Monthly is the recommended frequency for most organizations. It is frequent enough to build habits without causing "simulation fatigue." Vary the template types across months to keep employees engaged.

Quarterly is the minimum for compliance-driven programs. This is enough to maintain awareness but too infrequent for rapid improvement.

Weekly or biweekly is appropriate for high-risk environments (financial services, healthcare, defense contractors) or during intensive improvement campaigns. This cadence requires a large template library to avoid repetition.

The key is consistency. An organization that runs 12 campaigns per year will see dramatically better results than one that runs a single annual campaign, even if the total number of emails sent is the same.

Best Practice

Vary your template types across campaigns. If every simulation uses a password reset template, employees learn to spot that one pattern but remain vulnerable to everything else. Rotate through IT requests, shipping notices, HR announcements, and shared document notifications.

CLICK RATE IMPROVEMENT WITH MONTHLY SIMULATIONS (figure)

Click rate plotted by month over a 12-month program (M1 through M12), y-axis 0% to 30%. Data points labelled on the chart: 28%, 12%, 8%, 5%. Target line: under 5%.

Setting Up Your First Campaign

Here is a practical checklist for launching your first phishing simulation:

  1. Secure executive and HR approval. Document the purpose, scope, and non-punitive policy.
  2. Choose a platform. See our comparison of phishing simulation tools for options ranging from free open-source to enterprise platforms.
  3. Start with a broad baseline. Send a medium-difficulty template to the entire organization to establish your current click rate.
  4. Analyze results by segment. Identify departments and roles with the highest click rates.
  5. Deploy targeted training. Enroll high-risk groups in awareness training before the next campaign.
  6. Run monthly campaigns. Vary templates and difficulty. Track trends over time, not just individual campaign results.
  7. Measure reporting as well as clicking. The goal is a culture where employees report suspicious emails, not just avoid clicking them.

Key Takeaways

  1. Secure executive, HR, and legal approval before launching -- and make it clear that results will never be used for punishment.
  2. Run monthly campaigns with varied templates -- consistency and variety drive real behavioral change, not a single annual blast.
  3. Measure reporting rate alongside click rate -- your most valuable metric is how many employees actively report suspicious emails.
  4. Provide immediate feedback on clicks and targeted remediation for repeat clickers -- this is where actual risk reduction happens.

Metric Tower's phishing simulator handles steps 2-7 in a single platform: 30+ prebuilt templates, campaign scheduling, delivery tracking, credential harvesting pages with immediate training messages, and automatic enrollment of clickers into remediation training courses. The funnel analytics dashboard shows opens, clicks, submissions, and reports across all campaigns with per-department breakdowns.
