When and How to Run a Phishing Simulation

An uptick in cybersecurity events might mean your employees need help in recognizing phishing scams.

Written by Alex Vakulov
Published on Nov. 01, 2023
When and How to Run a Phishing Simulation
Image: Shutterstock / Built In
Brand Studio Logo

Phishing remains one of the most popular tools of cybercriminals. In 2022, nine out of 10 enterprises were successfully targeted by phishing attacks. 

4 Signs You Need to Conduct a Phishing Simulation

  1. Your organization has experienced an increase in security incidents or data breaches.
  2. You have established a new cybersecurity program. 
  3. You are planning significant system changes, software upgrades, policy changes, a merger or an acquisition.
  4. You need to demonstrate cybersecurity compliance in your industry.

Among employees, limited cybersecurity knowledge and skills can result in dire outcomes, from halting crucial business operations to data breaches and significant financial and reputational losses. Consequently, information security skills are becoming a necessity for employees, who might need training to notice the small things that indicate phishing.

Recognizing this, an increasing number of companies are running simulated phishing campaigns and offering comprehensive cybersecurity training programs for their staff.

The cost of a phishing simulation can vary widely depending on the size of your organization, the complexity of the simulation, the service provider and other factors. Ultimately, the expense of a phishing simulation should be seen as part of the overall cybersecurity budget and risk mitigation strategy for your organization.

More From Alex VakulovIs the Source of the Next Big Data Breach Sitting in Your Conference Room?


Determine Your Targets

First, determine which employee demographic you are targeting with the phishing simulation. This could range from new hires to a particular department or top-tier executives, who often click on dubious links as often as junior staff. Once you have chosen your target, you can decide on the phishing tactic to use.


Mass mailing

For testing a large and diverse group of users, a mass mailing works best. It is relatively quick to draft a phishing email, especially with many security awareness platforms providing a plethora of ready-to-use templates. This straightforward method can quickly pinpoint those employees most susceptible to social engineering attacks.


Spear Phishing

Spear phishing involves crafting more elaborate emails tailored to a specific individual’s interests or position. A classic example of this is whaling, which, as the name suggests, targets top-tier executives. 

In real-life cases, hackers pay extra attention to the details of the email, thoroughly researching their targets to ensure their message hits the mark. There is a high incentive for these cybercriminals: by breaching an executive’s account, they can access valuable company data or misuse their newfound authority, for instance directing an accountant to transfer substantial sums to a fraudulent account. 

Thus, individuals tasked with conducting targeted phishing simulations must prepare thoroughly and familiarize themselves with their intended victims in every detail.


Craft an Effective Phishing Email

Once you have pinpointed your target audience and the nature of your phishing test, the next step is determining the best bait. Mass mailing campaigns might use standard lures like discount coupons, holiday promotions or free ticket offers. Employees often forward such letters to colleagues, amplifying the reach of the initial phishing attempt. 

Topics that tap into current events or trends can be highly effective, too. Remember, in 2020, plenty of phishing emails centered around COVID-19-related themes, from PCR testing updates to new WHO findings and vaccination news. Common email subjects include:

  • Paycheck updates
  • Bonuses or additional compensation notifications
  • Account blocking warnings
  • Offers to purchase supplementary equipment for employees
  • Updates on company operational changes
  • Cybersecurity awareness training invitations
  • Alerts about a sent scanned document

When aiming to evaluate specific departments or even an individual manager, tailor the email to their particular concerns or interests. For instance, to engage the accounting department, consider phishing emails that zero in on their pressure points: document requests, contract approvals or invoices.


Time the Simulation for Maximum Impact

All employees can benefit from phishing tests, but some groups might need more frequent testing. For instance, employees with a history of risky behavior and those in key roles or upper management should be tested more regularly. 

If you plan a year-long training, aim for 12 to 18 tests during that period. Do not be overzealous here: limiting tests to two to three times a month is best. Pause periodically for a couple of months; otherwise, employees get used to phishing.

The content of the phishing email should be relevant to when it is sent. For example, an email about changes in work schedules might be more effective if sent on a Sunday evening. Similarly, holiday-themed emails should align with the holiday season. In essence, think creatively to make the scenarios realistic.

In terms of a structured testing approach, a good sequence might look like this:

Test > Training > Assessment > Re-Test > Additional Training (those who need it) - Re-Test

Many automated platforms allow users to set a testing schedule and enable the delayed sending of simulated phishing emails. Without such systems, have a dedicated calendar with reminders so you do not get sidetracked from other responsibilities every time you need to initiate a test.


Gauge Employee Reactions

Ideally, an employee who encounters a phishing attempt will alert the company’s information security team. This should be a consistent emphasis in every security awareness training. However, an employee might sometimes feel embarrassed or fearful, leading them to remain silent. Encouraging employees by offering rewards for reporting potential threats can significantly boost this proactive behavior.

4 Steps to Ensure an Ethical Phishing Simulation

  1. Maintain transparency with employees about the likelihood of facing simulated phishing attempts as part of their training without disclosing specific details that might compromise the efficacy of the test.
  2. Simulations should respect user privacy, never resembling communication that requests sensitive personal information or crosses professional boundaries.
  3. Use the results constructively, focusing on education and support, not for punishment or shaming.
  4. Adhere strictly to all relevant local, regional and international laws, particularly those pertaining to digital communication and privacy.

Many companies facilitate reporting by providing a designated email address to which suspicious emails can be forwarded. To make the process even more straightforward, consider integrating a plugin into email platforms like Outlook. This gives users an easy-to-use Report Attack button right within their email interface.

By monitoring the number of reported phishing attempts, you can see the level of employee engagement. This metric helps gauge their collective responsiveness to such threats. This, in turn, offers insights into the organization’s overall vulnerability to phishing.

teaching moment5 Lessons From the MGM and Caesars Casinos Cyberattacks


Analyze the Results

After conducting a test phishing campaign, dive deep into the outcomes. Phishing analysis reports should offer a comprehensive view of the event.

Whether it is an internal team or a security awareness service provider that manages the campaign, they should have insights into each specific email’s journey: who read it, who downloaded any attachments and who clicked on any embedded links. This provides a holistic view of the immediate reactions, for instance opening the email, and also potential risks, such as an employee resisting opening suspicious attachments but still clicking on a link that could compromise company data.

Companies that run their own simulated phishing campaigns can create reports in Excel. They can manually enter data using a scoring system to help visualize employee behavior and knowledge. Consider assigning scores based on the risk level of each action. For example:

  • Successfully resisted the phishing attempt: +3
  • Opened the email: -1
  • Clicked on the link: -2
  • Clicked on the attachment: -2
  • Entered company/personal information on a prompted form: -3

With this point system, you can create intuitive charts and graphs. Employees falling behind can then receive additional training, while those excelling might be challenged with more advanced testing scenarios.

You will know the phishing simulations are working if the number of incidents involving humans (passwords, physical access, etc.) decreases; if more users report potential information security incidents; and if employees behave proactively, seek advice from the information security team and otherwise show they are engaged with the process of protecting the company. 

Companies may invest millions in cybersecurity, yet malware can still get inside because the employee remains the most vulnerable element of the system. At the same time, even the most experienced and careful person can miss a phishing attempt in the hustle and bustle of daily tasks. Regularly conducting test phishing campaigns enhances an organization’s information security. When executed thoughtfully, these campaigns provide clear insights and yield tangible results.

Hiring Now
Avenue One
Fintech • Real Estate • PropTech