Phishing simulations

Realistic but safe phishing campaigns that teach recognition and reporting. Done well, they build skills. Done poorly, they breed resentment.

Doing phishing simulations right

Educational, not punitive: The goal is learning, not catching people out. No shame, punishment, or league tables of clickers.

Progressive difficulty: Start obviously fake, gradually increase sophistication as recognition improves.

Immediate feedback: When someone clicks, instant educational message. Don’t wait weeks for training assignment.

Positive reinforcement: Celebrate reporting, not just avoiding clicks. Reporting suspicious emails is the desired behaviour.

Role-appropriate: Target staff with scenarios relevant to their job. Finance gets invoice fraud, HR gets resume malware, IT gets urgent password requests.

Simulation levels

Level 1: Training wheels (First campaign)

Characteristics:

  • Obviously suspicious

  • Generic greeting

  • Poor grammar

  • Clearly external sender address

  • Urgent but implausible request

Example:

From: security@company-email-verify.net
Subject: IMMEDIATE ACTION REQUIRED!!!
Dear User,
Your email account will be deleted in 24 hours unless you verify
immediately by clicking here.
Thank You,
Security Team

Learning objective: Basic red flag recognition. Build confidence.

Level 2: Intermediate (Month 2-3)

Characteristics:

  • More convincing sender

  • Plausible scenario

  • Better grammar

  • Legitimate-looking branding

  • Relevant to organisation

Example:

From: IT Support <itsupport@company.com> [actually from company-services.net]
Subject: Password Expiration Notice
Hi [Name],
Your password will expire in 3 days. Please update it here to avoid
account lockout.
IT Support Team

Learning objective: Closer inspection of sender, hover over links, verify urgency claims.

Level 3: Advanced (Month 6+)

Characteristics:

  • Spoofed from internal sender

  • Timely/contextual (relates to actual company events)

  • Sophisticated social engineering

  • No obvious red flags

Example:

From: CEO Name <ceo@company.com>
Subject: Re: Board Meeting Prep
[Name],
Can you send me our latest financials? Board meeting moved up and I'm
travelling without my laptop.
Thanks,
[CEO Name]

Learning objective: Verify requests through alternative channels, question unusual requests even from authority.

Response framework

When someone clicks

Immediate feedback:

  • “This was a training email”

  • Explain red flags they missed

  • Provide 2-minute video/article

  • Encourage reporting actual suspicious emails

  • No shame or punishment

When someone reports

Immediate reinforcement:

  • “Great job! This was a test.”

  • Praise for catching it

  • Small reward (coffee voucher, public recognition)

  • Feedback on what red flags they spotted

Overall campaign results

Share organisation-wide:

  • Click rate (without names)

  • Reporting rate (celebrate increase)

  • Most commonly missed red flags

  • Resources for improvement

  • Announcement of next simulation

Never:

  • Name individuals who clicked

  • Shame anyone publicly

  • Tie results to performance reviews

  • Assign mandatory remedial training as punishment

Measuring success

Click rate trending down: From 30% to 15% to 5% over a year

Reporting rate trending up: From 5% to 20% to 40% reporting suspicious emails

Time to report decreasing: From days to hours to minutes

Real phishing caught: Staff reporting actual attacks before IT notices
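The three trend metrics above (click rate, reporting rate, time to report) are easy to state and easy to miscount. The following is an added example, not code from the original page or from any particular simulation product: it takes one record per recipient per campaign, keeps only an opaque recipient id rather than a name (so the per-campaign summary can be shared without identifying anyone), and computes the rates and the median time to report, plus a check that the trend across successive campaigns is moving the right way. The record schema, the campaign labels L1/L2/L3 and the sample timings are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Outcome:
    """One recipient's outcome in one campaign (assumed schema, constructed here)."""
    campaign: str                      # campaign label, e.g. "L1"
    recipient_id: str                  # opaque id; never a name or email address
    sent_at: datetime
    clicked_at: Optional[datetime] = None
    reported_at: Optional[datetime] = None


# Constructed sample: per campaign, (minutes-to-click, minutes-to-report) per
# recipient; None means the recipient did not click / did not report.
# A recipient may both click and report (L2, second entry): both count.
SAMPLE_RAW = {
    "L1": [(5, None), (12, None), (30, None), (None, 2880)] + [(None, None)] * 6,
    "L2": [(8, None), (4, 90), (None, 600), (None, 120)] + [(None, None)] * 6,
    "L3": [(20, None), (None, 3), (None, 7), (None, 15), (None, 40), (None, 12)]
          + [(None, None)] * 4,
}
T0 = datetime(2024, 1, 8, 9, 0)  # constructed anchor time for the first send


def build_sample() -> list[Outcome]:
    """Expand the compact sample into Outcome records with real timestamps."""
    rows = []
    for n, (campaign, entries) in enumerate(SAMPLE_RAW.items()):
        sent_at = T0 + timedelta(days=30 * n)  # one campaign per month
        for i, (click_min, report_min) in enumerate(entries):
            rows.append(Outcome(
                campaign=campaign,
                recipient_id=f"r{i:02d}",
                sent_at=sent_at,
                clicked_at=sent_at + timedelta(minutes=click_min) if click_min is not None else None,
                reported_at=sent_at + timedelta(minutes=report_min) if report_min is not None else None,
            ))
    return rows


def campaign_metrics(outcomes: list[Outcome]) -> dict[str, dict]:
    """Per-campaign click rate, report rate and median minutes to report.

    Rates are fractions of recipients sent to; no recipient ids are carried
    into the result, so it is safe to share organisation-wide.
    """
    by_campaign: dict[str, list[Outcome]] = {}
    for o in outcomes:
        by_campaign.setdefault(o.campaign, []).append(o)

    result = {}
    for name, rows in by_campaign.items():
        sent = len(rows)
        clicks = sum(1 for r in rows if r.clicked_at is not None)
        minutes_to_report = [
            (r.reported_at - r.sent_at).total_seconds() / 60
            for r in rows if r.reported_at is not None
        ]
        result[name] = {
            "sent": sent,
            "click_rate": round(clicks / sent, 3),
            "report_rate": round(len(minutes_to_report) / sent, 3),
            # median rather than mean: one very late report should not hide
            # that most people now report within minutes
            "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
        }
    return result


def trend_improving(metrics: dict[str, dict], order: list[str]) -> bool:
    """True when click rate never rises and report rate never falls across
    successive campaigns listed in `order`."""
    for earlier, later in zip(order, order[1:]):
        if metrics[later]["click_rate"] > metrics[earlier]["click_rate"]:
            return False
        if metrics[later]["report_rate"] < metrics[earlier]["report_rate"]:
            return False
    return True


if __name__ == "__main__":
    m = campaign_metrics(build_sample())
    for name in ("L1", "L2", "L3"):
        print(name, m[name])
    print("trend improving:", trend_improving(m, ["L1", "L2", "L3"]))
```

The input for a real programme would come from the simulation platform's export; the point of the example is what to compute and what not to carry forward: the summary never contains recipient ids, and the time-to-report uses the median so a single slow reporter does not mask the improvement the rest of the organisation has made.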