Phishing Simulation · Security Awareness · Step-by-Step Guide · ISO 27001 · SOC 2

Phishing Simulation: A Step-by-Step Guide

36% of all breaches involve phishing, and most of them succeed because someone clicked something they shouldn't have. A well-run phishing simulation programme cuts that risk by 60-80% in 12 months. Here is exactly how to build one.

Soham Sawant
Cybersecurity Expert & Technical Writer · 8 min read
March 2026 · SecComply
Phishing simulation programmes train employees to recognise and report realistic phishing attempts: the most cost-effective security control against the most common attack vector.

Phishing Simulation Programme Dashboard (illustrative figure). 7-step process tracker: Choose Platform, Define Scope & Baseline, Design Templates, Launch Campaign, Teachable Moment, Analyse & Segment, Quarterly Cadence. Click rate trend over 12 months: 38% baseline click rate falling to 4% after 12 months (89% reduction), with a 61% report rate. Click rate by department: Finance 42%, Operations 31%, Engineering 18%, Leadership 28%. Template click rates: IT Password Reset 41%, HR Policy Acknowledgment 38%, Invoice Approval Request 34%, Delivery Tracking Link 29%, Google Drive Share 26%, CEO Wire Transfer 22%.

Phishing simulation dashboard: 7-step process tracker, 12-month click rate trend (38% down to 4%), department breakdown, and template effectiveness by scenario type.

Key figures cited in this article:

  • 36% of all breaches involve phishing as the initial access vector (Verizon DBIR 2024)
  • Quarterly simulation combined with targeted training produces a measurable reduction in click rates (KnowBe4 Phishing by Industry, 2024)
  • The median time for a user to click a phishing link after receiving it is measured in seconds (Proofpoint State of the Phish, 2024)

Why Run Phishing Simulations?

Technical security controls such as firewalls, endpoint protection and MFA can be bypassed. What they cannot do is make your employees immune to convincing social engineering. A phishing simulation is the only way to measure how susceptible your workforce actually is, and the only reliable method to deliver training at the exact moment it is most effective: immediately after someone has almost made a mistake.

"The question is not whether your employees will receive phishing emails. They already are. The question is whether they will recognise them, and whether you have any data to show auditors that you have done anything about it."

Beyond the direct security benefit, phishing simulations have become a compliance expectation. ISO 27001 Annex A.6.3 requires measurable security awareness training. SOC 2 CC2.2 requires demonstrating that security responsibilities are communicated to staff. Auditors increasingly look for click rate trend data, not just training completion records, as evidence that your programme is working.

Choosing Your Phishing Simulation Platform

Your choice of platform determines what you can measure, how realistic your templates can be, and what training you can deliver to employees who click. Here are the main options:

GoPhish (Free / Open Source)

Open-source, self-hosted phishing simulation framework. Full control, no per-user cost, highly customisable. Requires technical setup and your own SMTP infrastructure. Best for teams with engineering resources who want maximum control.

KnowBe4 (Enterprise)

The market leader for combined phishing simulation and security awareness training. Thousands of template options, automated training assignment, deep compliance reporting. Per-user pricing makes it expensive at scale, but the ROI is well-documented.

Proofpoint Security Awareness (Enterprise)

Strong integration with Proofpoint email security. Best-in-class threat intelligence feeds realistic templates based on current active campaigns. Recommended if you already use Proofpoint for email filtering.

Microsoft Attack Simulator (Included with Microsoft 365 E5)

Included with Microsoft 365 E5 / Defender for Office 365 Plan 2. Lower template diversity than dedicated platforms, but zero additional cost if you are already on E5. A good starting point before investing in a dedicated platform.

The 7-Step Phishing Simulation Process

  • Step 1: Choose your platform and configure your sending infrastructure
    Set up your simulation platform and configure a sending domain that does not match your primary company domain; use a lookalike domain (e.g. seccomply-it.com vs seccomply.net). Whitelist the sending IP in your email gateway so simulation emails are not filtered. Brief your IT and security team so they do not raise a false incident.
  • Step 2: Define scope and run a baseline campaign
    Decide which departments to include. Run an initial campaign with a realistic template before any training; this baseline click rate is your starting point and the benchmark against which all future improvement is measured. Do not announce the campaign in advance.
  • Step 3: Design realistic templates relevant to your organisation
    Generic phishing templates produce lower click rates because they do not resonate with your workforce. Build templates that mirror tools your team actually uses: your ticketing system, your HR platform, your cloud storage provider. The more relevant the template, the more valuable the training opportunity when someone clicks.
  • Step 4: Launch the campaign and track all actions
    Send simulated phishing emails and track four actions per recipient: email opened, link clicked, credentials submitted, and email reported. The report rate is as important as the click rate; a workforce that actively reports phishing is significantly more valuable than one that merely avoids clicking.
  • Step 5: Deliver an immediate teachable moment
    When an employee clicks a simulated phishing link, redirect them immediately to a short (2-3 minute) training module that explains what they missed and how to spot it next time. This teachable moment, delivered at the exact moment of a near-miss, is far more effective than annual awareness training. Do not use a shame page. Education, not punishment.
  • Step 6: Analyse results and segment your high-risk employees
    After each campaign, identify three groups: employees who clicked (need targeted training), repeat clickers across multiple campaigns (need personalised intervention), and employees who never report (need reporting culture training). Generic awareness training delivered to everyone equally is far less effective than targeted follow-up for high-risk individuals.
  • Step 7: Run quarterly simulations and track trend data
    A single simulation is a snapshot. A quarterly programme with tracked click rates over 12 months shows measurable improvement, and that trend data is exactly what ISO 27001 and SOC 2 auditors want to see. Vary your templates each quarter so employees are tested against different scenarios, not conditioned to recognise a specific simulation format.

Designing Effective Phishing Templates

Template quality determines what you learn from each campaign. The most effective templates exploit the two most reliable social engineering triggers: urgency and authority. Here are the template types that consistently produce the highest click rates, and therefore the most valuable training opportunities.

  • IT Security Password Reset (high click rate)
    Appears to come from internal IT. Creates urgency: "Your account will be locked in 24 hours." Credential harvesting scenario. Highly effective because it exploits the authority of IT and the fear of losing access.
  • HR Policy Acknowledgment Required (high click rate)
    Appears to come from HR. "You are required to acknowledge the updated policy before your next performance review." Time-sensitive, authority-based. Finance and operations teams show the highest click rates for this template type.
  • Invoice or Payment Approval (high click rate)
    Appears to come from accounts payable or a vendor. "Your approval is required for invoice #INV-4821." Finance teams are the highest-risk group for this template; it mirrors their actual daily workflow.
  • Delivery or Shipping Notification (medium-high click rate)
    Appears to come from a courier service. "Your package could not be delivered. Click here to reschedule." Extremely widespread in real-world campaigns. Effective because most employees are expecting deliveries at any given time.
  • Shared Document Notification (medium click rate)
    Mimics Google Drive, OneDrive, or Dropbox sharing notifications. "Soham Sawant has shared a document with you." Credential harvesting via a fake login page. Particularly effective for users who frequently share documents.

Security awareness training delivery: the teachable moment immediately after a simulated click is the most effective intervention point in any phishing simulation programme.

Measuring What Actually Matters

Most phishing simulation programmes track click rates and stop there. The metrics that actually tell you whether your programme is working go deeper.

  • Click Rate Trend (primary metric)
    Your click rate over time, not just a single number. A downward trend from baseline across quarterly campaigns is the core evidence of programme effectiveness. A click rate above 20% after 6 months of simulations signals a programme that needs redesigning.
  • Report Rate (underrated metric)
    The percentage of employees who report the simulated phishing email to your security team. A high report rate means employees are not just avoiding clicks; they are actively participating in your security culture. This metric matters as much as click rate for ISO 27001 evidence.
  • Repeat Clicker Rate
    The percentage of employees who click in multiple campaigns despite receiving training. Repeat clickers require a different intervention: individualised coaching, not another generic awareness module. A repeat clicker rate above 5% after three campaigns indicates a training design problem.
  • Time-to-Report
    How quickly employees report suspicious emails after receiving them. Fast reporting times indicate a trained workforce that acts on suspicion rather than ignoring it. Your incident response plan should assume that phishing emails will sit in inboxes for some time; time-to-report data tells you how long that window actually is.
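The four tracked actions from step 4, the three follow-up groups from step 6, the quarterly trend from step 7 and the four metrics above all come out of the same per-recipient event log. The script below is an added example, not SecComply's code or any platform's export format: it builds a constructed three-campaign event log (names, campaign ids and timings are invented) and computes click, submit and report rates, median time-to-report, the three segments, and the two thresholds the article gives (click rate above 20% after roughly six months, repeat clicker rate above 5% after three campaigns). The event tuple layout and the "sent" row per recipient are assumptions; a real platform export would need to be mapped into that shape first.

```python
from collections import defaultdict
from statistics import median

# Constructed sample event log (not exported from any real platform). Each row is
# (campaign, recipient, action, minutes_after_send). A "sent" row exists for every
# recipient so the denominator of each rate is the number of people targeted.
SAMPLE_EVENTS = [
    # Baseline campaign: two clicks, one credential submission, one report
    ("2025-Q1", "alice", "sent", 0), ("2025-Q1", "alice", "opened", 5),
    ("2025-Q1", "alice", "clicked", 7), ("2025-Q1", "alice", "submitted", 8),
    ("2025-Q1", "bob", "sent", 0), ("2025-Q1", "bob", "opened", 10),
    ("2025-Q1", "bob", "clicked", 12),
    ("2025-Q1", "carol", "sent", 0), ("2025-Q1", "carol", "opened", 20),
    ("2025-Q1", "carol", "reported", 25),
    ("2025-Q1", "dave", "sent", 0),
    # Second quarter: alice clicks again, bob now reports instead of clicking
    ("2025-Q2", "alice", "sent", 0), ("2025-Q2", "alice", "opened", 3),
    ("2025-Q2", "alice", "clicked", 4),
    ("2025-Q2", "bob", "sent", 0), ("2025-Q2", "bob", "opened", 15),
    ("2025-Q2", "bob", "reported", 30),
    ("2025-Q2", "carol", "sent", 0), ("2025-Q2", "carol", "opened", 8),
    ("2025-Q2", "carol", "reported", 12),
    ("2025-Q2", "dave", "sent", 0), ("2025-Q2", "dave", "opened", 40),
    # Third quarter: nobody clicks, but alice and dave still never report
    ("2025-Q3", "alice", "sent", 0), ("2025-Q3", "alice", "opened", 2),
    ("2025-Q3", "bob", "sent", 0), ("2025-Q3", "bob", "opened", 6),
    ("2025-Q3", "bob", "reported", 9),
    ("2025-Q3", "carol", "sent", 0), ("2025-Q3", "carol", "opened", 4),
    ("2025-Q3", "carol", "reported", 6),
    ("2025-Q3", "dave", "sent", 0), ("2025-Q3", "dave", "opened", 30),
]

# The four actions tracked per recipient in step 4 of the process
ACTIONS = ("opened", "clicked", "submitted", "reported")


def per_recipient(events):
    """Collapse raw events into {campaign: {recipient: {action: minutes}}},
    keeping the earliest time if an action was logged more than once."""
    table = defaultdict(lambda: defaultdict(dict))
    for campaign, recipient, action, minutes in events:
        seen = table[campaign][recipient]
        if action not in seen or minutes < seen[action]:
            seen[action] = minutes
    return table


def campaign_metrics(events):
    """Per-campaign open/click/submit/report rates and median time-to-report
    in minutes, keyed by campaign id in chronological (sorted) order."""
    table = per_recipient(events)
    out = {}
    for campaign in sorted(table):
        people = table[campaign].values()
        targeted = len(table[campaign])
        m = {"targeted": targeted}
        for action in ACTIONS:
            m[f"{action}_rate"] = sum(1 for a in people if action in a) / targeted
        report_times = [a["reported"] for a in people if "reported" in a]
        m["median_minutes_to_report"] = median(report_times) if report_times else None
        out[campaign] = m
    return out


def segment_recipients(events):
    """The three follow-up groups from step 6: clicked in the latest campaign,
    clicked in two or more campaigns, and never reported in any campaign."""
    table = per_recipient(events)
    campaigns = sorted(table)
    click_counts, reported, everyone = defaultdict(int), set(), set()
    for campaign in campaigns:
        for recipient, actions in table[campaign].items():
            everyone.add(recipient)
            if "clicked" in actions:
                click_counts[recipient] += 1
            if "reported" in actions:
                reported.add(recipient)
    latest = table[campaigns[-1]]
    return {
        "clicked_latest": sorted(r for r, a in latest.items() if "clicked" in a),
        "repeat_clickers": sorted(r for r, n in click_counts.items() if n >= 2),
        "never_reported": sorted(everyone - reported),
    }


def programme_flags(events, click_ceiling=0.20, repeat_ceiling=0.05, min_campaigns=3):
    """Apply the article's two thresholds once three quarterly campaigns (about six
    months) have run: latest click rate above 20%, repeat clicker rate above 5%."""
    metrics = campaign_metrics(events)
    segments = segment_recipients(events)
    campaigns = list(metrics)
    population = len({recipient for _, recipient, _, _ in events})
    trend = [metrics[c]["clicked_rate"] for c in campaigns]
    flags = []
    if len(campaigns) >= min_campaigns:
        if trend[-1] > click_ceiling:
            flags.append(f"{campaigns[-1]} click rate {trend[-1]:.0%} exceeds "
                         f"{click_ceiling:.0%}: programme needs redesigning")
        repeat_rate = len(segments["repeat_clickers"]) / population
        if repeat_rate > repeat_ceiling:
            flags.append(f"repeat clicker rate {repeat_rate:.0%} exceeds "
                         f"{repeat_ceiling:.0%}: individual coaching, not another module")
    return {"click_rate_trend": trend, "segments": segments, "flags": flags}


if __name__ == "__main__":
    for campaign, m in campaign_metrics(SAMPLE_EVENTS).items():
        print(campaign, m)
    print(programme_flags(SAMPLE_EVENTS))
```

On the constructed data the click rate trend is 50%, 25%, 0%, which is the downward trend auditors want to see, yet the programme still raises a flag: one of four people clicked in two campaigns, so the repeat clicker rate is 25% and that person needs individual coaching rather than the generic module. The same person and one other never reported in any campaign, which is the reporting-culture gap the report rate alone would hide.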

Phishing Simulation and Compliance Requirements

Framework | Relevant Control | What Phishing Simulation Provides
ISO 27001 | Annex A.6.3, Information security awareness, education and training | Click rate trend data, training completion records, measurable behaviour change evidence
SOC 2 | CC2.2, Communication of security responsibilities | Evidence that security awareness training is ongoing and measurably effective
HIPAA | 164.308(a)(5), Security awareness and training | Documented phishing simulation programme with employee training records
PCI DSS | Req 12.6, Security awareness programme | Formal security awareness training with documented phishing testing cadence
GDPR | Article 32, Appropriate technical and organisational measures | Demonstrates that human risk (the leading cause of breaches) is being actively managed

What Auditors Actually Want to See

Auditors are not satisfied with "we ran annual security awareness training." They want evidence that training has a measurable impact on behaviour. Click rate trend data from quarterly simulations, showing improvement over a 12-month period, is exactly the kind of evidence that satisfies ISO 27001 and SOC 2 reviewers and demonstrates a mature security culture.

Common Phishing Simulation Mistakes

  • Running annual simulations and calling it a programme
    One simulation per year produces a data point, not a trend. Quarterly simulations with varied templates are the minimum for a programme that produces meaningful improvement and satisfies compliance auditors looking for evidence of continuous training effectiveness.
  • Using the same template repeatedly
    Employees learn to recognise your specific simulation format, not phishing in general. Vary your templates each quarter: different senders, different scenarios, different urgency triggers. The goal is to build general phishing recognition skills, not template-specific pattern matching.
  • Shaming employees who click
    Public naming, aggressive shame pages, or punitive consequences for clicking damage psychological safety and reduce the likelihood that employees will report suspicious emails in future. The objective is a security-aware culture, not a blame culture. Treat clicking as a training opportunity, not a disciplinary matter.
  • Delivering the same training to everyone
    The employee who has never clicked needs a different experience than the employee who has clicked in three consecutive campaigns. Segment your workforce based on simulation results and deliver targeted training, not the same 20-minute module to 200 people who have different risk profiles.

Ready to Build Your Phishing Simulation Programme?

SecComply helps organisations design and run phishing simulation programmes that satisfy ISO 27001 and SOC 2 requirements, with the click rate trend data auditors actually want to see.

Frequently Asked Questions

What is a phishing simulation?

A phishing simulation is a controlled security exercise where an organisation sends realistic but fake phishing emails to its own employees to test their ability to identify and report phishing attempts. The goal is not to catch people out; it is to identify training gaps, measure baseline susceptibility, and deliver targeted education that reduces the likelihood of a real phishing attack succeeding.

What is a good phishing click rate benchmark?

Industry average click rates for untrained employees typically range from 25-40% on realistic phishing templates. After 12 months of quarterly simulations with targeted training, well-run programmes achieve click rates below 5%. A click rate above 20% indicates a high-risk training gap. A click rate consistently below 5% with a high report rate indicates a mature security awareness culture.

How does phishing simulation satisfy ISO 27001 and SOC 2 requirements?

ISO 27001 Annex A.6.3 requires security awareness, education, and training. SOC 2 CC2.2 requires communication of security responsibilities to staff. Phishing simulation provides measurable evidence of both: click rate trend data over time demonstrates programme effectiveness, and completion records demonstrate that training was delivered. Auditors look specifically for evidence that security awareness training has a measurable impact, not just that it was conducted.

What phishing templates are most effective?

The most effective phishing templates exploit urgency and authority. IT security password reset requests, HR policy acknowledgment reminders, payroll system notifications, delivery tracking links, and shared document notifications from familiar cloud services consistently produce the highest click rates and therefore the most valuable training opportunities.

Should you warn employees before running a phishing simulation?

No. Announcing a phishing simulation before it runs defeats its purpose: employees will be on high alert for that specific period and results will not reflect their normal behaviour. Instead, communicate the existence of an ongoing phishing simulation programme generally (without campaign-specific timing) so employees know to be vigilant at all times.