Skip to content

How to start a successful phishing simulation program

Simulated phishing attacks provide an effective way to help identify, track and measure weaknesses and improvements in your security program as they relate to phishing and social engineering. Phishing simulation can also help you identify which types of phishing attacks are most successful against your organization and which groups of employees to focus more on as part of your security awareness training efforts.

There are several ways to run phishing simulation exercises across your organization. One of the quickest and safest ways to do this is to use phishing simulation software like PhishDeck to send employees a simulated phishing email. However, there’s more to a fruitful phishing simulation exercise than just the tools that help you carry it out.

Carrying out a successful phishing simulation test requires some planning. Before running your first phishing simulation it is important to work out the following.

Plan your initiative

Before launching your first phishing simulation campaign, you should have a plan of how the phishing simulation program will work. This will help you better communicate initiatives with other executive team members and department heads.

Ensure that your phishing simulation plan covers the following.

  • Frequency of your planned phishing simulation campaigns (e.g. quarterly, bi-monthly, monthly…);
  • A description of supporting security awareness content to be made available to employees;
  • Easy to follow instructions about how employees should report suspected phishing or social engineering attacks.

When communicating your initiative make every effort to be clear, concise, and transparent – be sure to provide readers with a way to reach out and ask questions

Identify phishing simulation metrics

Defining metrics will help you determine how successful your security awareness and incident response programs are.

Funnel chart showing Campaign metrics in PhishDeck

While it may be tempting to focus on reducing the open rate and click rate, they probably aren’t metrics you would want to focus on. Emails are there to be opened, and links are there to be clicked–on their own, these actions are not inherently dangerous.

Instead, it is advisable to focus on metrics that are tied to actions that have real-world consequences. The following are some examples of useful metrics to track.

  • Count of credentials entered
  • Count of phishing emails reported
  • Time to first report
  • Average time to report
  • Time to first response

Get leadership buy-in

Your organization’s leadership needs to be on-board, to authorize and endorse all phishing simulation assessments. Having your organization’s leadership buy-in ensures they fully understand the motivations behind phishing simulation as well as the value it brings to your organization’s overall security posture.

If your organization’s leadership is still on the fence about conducting a simulated phishing program, you can use this opportunity to explain the risks phishing poses to your organization, the motivation behind your proposed phishing simulation program, as well as the value it brings to your organization’s overall security posture using examples that are contextual to your organization. For instance, showing an example of a real phishing email, or citing phishing statistics for a specific industry vertical, will make your case with leadership even more relevant and interesting.

This is also a great time to establish a few “golden rules” such as ensuring that it would not be acceptable to shame phished employees and that the results of a phishing simulation would not have any negative effect on anyone’s employment. Establishing trust with employees and recognizing that they are an integral part of the solution in the defense against phishing attacks is the cornerstone of any successful security awareness program–undermining that trust is a surefire way to shoot your security awareness program in the foot.

Run a baseline phishing simulation campaign

To kickstart your security awareness program, you’ll need to determine what your phishing baseline is. A phishing baseline is an indication of how many targeted users open, click-through, and complete the action requested in the phishing email (e.g. entering their credentials into a phishing website).

Knowing what your baseline is, allows you to track progress and gauge the effectiveness of your security awareness efforts. Additionally, a baseline also helps you track improvements or regressions in your response to phishing attacks.

When running your baseline phishing simulation campaign, keep it under wraps. While you will likely want to involve a limited number of stakeholders on a need-to-know basis, keep the number of people who know about your phishing simulation campaign to a minimum. You will certainly want to be in close collaboration with your IT helpdesk, and depending on the type of organization you are performing the phishing test on, you may need to give a heads-up to a representative from legal and HR (ideally without providing specifics as to time frames of your campaign).

Segment and stagger

While you can certainly send an entire organization a single phishing simulation email at one go, someone is likely to notice, sound the alarm early, and ruin your exercise. While having someone sound the alarm is a good thing since you’re trying to determine a baseline, you want to try and delay this as much as possible. Additionally, you don’t want to inundate your IT helpdesk, even if they are notified about the test in advance. Instead, it’s wise to take the following approach when obtaining a baseline.

Segment your targets

Before you start your first phishing simulation campaign, you need to identify who the simulation will target. If it’s your first time running a phishing simulation in your organization, you may be tempted to run a single large-scale simulation across the entire company.

The first step in this regard is to identify what departments or teams will be the most affected by a phishing incident. This is important because if you do not know who the target is, you will not know what to look for in the data.

Segmented phishing simulation Targets using Lists in PhishDeck

Select several pretexts (templates)

If you confine your campaign to only one pretext (template), you will end up making things predictable if/when the word spreads. We recommend a minimum of 2 templates and a maximum of 5 for your first phishing test.

Several pretexts (Templates) selected in a PhishDeck Campaign

Stagger sending times

Stretch the phishing simulation campaign over a period of time. The duration of your campaign is up to you, but depending on the size of your test, we recommend it be somewhere between 5 and 30 days when running a test with 300 phishing simulation targets or less and up to 60 days for tests with over 500 phishing simulation targets.

Staggered sending times in a PhishDeck Campaign

Exclude weekends and hours outside 9 to 5

While PhishDeck handles this automatically for you, you should keep in mind that emails that land on a weekend or outside working hours are probably not going to get much attention. Additionally, even if you’re on the best of terms with your IT helpdesk team, no one likes being called in on a weekend or after hours.

The first phishing simulation should remain in stealth mode for as long as you can keep it. This means that your phishing pages should not redirect to any sort of educational content once a target completes the action being asked of them in the phishing email (e.g. entering their credentials). Instead, the phishing simulation page should redirect to some generic error page. Again, the point of a baseline is to better understand your organization’s exposure to phishing and collective security awareness.

Announce your phishing simulation program

While your baseline phishing simulation should remain secret, so as to conduct an accurate assessment of your organization’s exposure to phishing, you want to make sure that any ongoing phishing simulation program is clearly communicated to employees. Think of this as a fire drill–telling everyone the exact date defeats the purpose, but letting everyone know there may be a fire drill helps set expectations.

It is also very important to clearly communicate the intentions of the program. It should be clear to everyone that the objective of simulated phishing exercises is not to trick anyone or make anyone feel stupid but rather to help build defenses in anticipation of the real thing.

When announcing your phishing simulation program, make sure to include the following key elements.

  • Explain what phishing is, and why it is such a big risk for your organization;
  • Explain that phishing simulation is part of the organization’s ongoing security training and awareness strategy;
  • Provide advice on how to spot suspicious emails and communications;
  • The process of reporting a phishing email to your IT helpdesk;
  • Where to find additional help and resources.

Launch your phishing simulation program

Once you’ve communicated your program with everyone, it’s time to launch your phishing simulation program (congratulations!). We recommend conducting phishing simulation tests not more than once a month, but at least once every 3 months.

Use the results obtained in your baseline together with the metrics you defined to inform your security awareness strategy and use follow-up phishing simulations to assert whether your efforts have registered an improvement and if so by how much.

Since your organization changes over time, you may want to repeat your baseline phishing exercise (e.g. once per year) to account for new joiners, leavers, and other organizational changes. Alternatively, you can set up baseline phishing simulation assessments for new joiners.

When done right, phishing simulation tests help safely expose both your employees and IT support/response teams to the dangers of phishing. This helps users not only know what to look out for but also how and where to report a suspected attack. Moreover, the results you obtain from your phishing simulation exercises, together with tracking of your defined metrics (for example count of credentials entered, count of phishing emails reported, time to first report…) will help inform decisions on where to concentrate efforts.

Putting time, thought, and effort into a simulated phishing program, especially when it is part of a larger security awareness effort, will pay dividends and help foster a measurable, proactive security culture in your organization.