Back to Blog

How to Run a Phishing Simulation

Parker Byrd

A phishing simulation is a type of security awareness training program that simulates phishing attacks on your company. It requires preparation, planning, and follow-through to make it successful. This article will explain how to prepare for a phishing simulation test at work, why they are needed, and how to set up, run, and report on the results of this simulation test.

Why Run Phishing Simulations?

Every day around the world employees are exposed to all sorts of cyber security threats, from social engineering attacks, spear phishing attacks, CEO Fraud, and other phishing threats. Phishing simulations are a great way to identify the risk of phishing attacks within your company. However, it only gets you so far by itself. Any phishing simulations should also be paired with a consistent security awareness training program that trains employees to spot and avoid all sorts of cyber security threats like password safety, ransomware, and more 

Phishing Statistics:

Based on recent Proofpoint statistics, 75% of businesses in the world were targeted by phishing attacks in 2020, with 74% of attacks against American companies successful.

Despite the fact that 95 percent of organizations claim to provide phishing awareness training to their staff, phishing attacks are still the most prevalent threat type likely to result in a data breach.

In fact, according to Verizon’s 2020 DBIR, 22% of data breaches involve phishing attacks. 

How to Prepare for the Phishing Simulation:

Make sure you have someone who is willing to put in the time and effort necessary to lead this simulation test, along with other people who are willing to participate as well.

This should be someone from IT/Security or HR - They will need permission from upper management before they can set up and run a company wide phishing simulation test.

Other items needed include: an email account that everyone uses at work (like yourcompany@domain.com), software that allows you send out bulk emails, and most importantly good subject lines and content that entices users without being too suspicious.

Set Proper Expectations

Before you begin planning your simulation test, it's important to know what you want the goals of this training session to be. The best way to do that is by completing a requirements gathering process with your stakeholders and end-users.

If they're not included in this discussion then their buy-in will not be as high when it comes time for them to take part in the simulation test.

A phishing simulation test requires preparation on the part of your organization's end-users to be successful, but it also provides them with an excellent opportunity for training and awareness that can protect both them and their company in real-world scenarios.

To best prepare your employees for this type of attack you should make sure they understand why security is important and what the risks are if they do not adhere to security policies and procedures.

The first step in this process is to determine your training goals. What will you be testing, and how does that align with your overall company's mission? Which emails should users know immediately as phishing scams versus which ones can they report for review later on by IT and Security? Will you be testing how quickly employees identify and report these phishing emails, or the actual click rates on the links inside of them?

Find a Phishing Simulator Tool

To begin planning phishing simulations, you need a tool that works for your company's needs and is easy to use. There are many companies that offer these tools at varying price points, so take the time to find one that fits your requirements.

Here are some questions you need to ask when choosing a tool:

  • What platforms does this phishing simulation platform support?
  • Is it browser-based or something you have to install?
  • What type of reporting capabilities does this phishing simulation tool offer?
  • How many employees can I train at once with a single account?
  • How many Phishing templates does it have?
  • Can you provide additional phishing training with the tool (LMS)?
  • Can employees report phishing emails?
  • What happens when users fail?
  • Can you simulate spear phishing attacks?

If you're looking for an easy-to-use phishing simulator, you can try ours free for 7 days (pro tip: go grab a trial and return here to follow along).

Decide The Metrics You Want to Track

When you run phishing simulations there are tons of metrics you can see about your phishing campaigns, but few actually provide actionable intel into your user behavior and your company's risk. Here are a few KPIs we recommended you track:

Per Phishing Test:

  • # of email opens
  • # of email clicks
  • Users that went even further (entered credentials or downloaded a file)
  • Number of users that reported the email
  • Number of users that completed training (either a course of point-of-infraction training)

Phishing Campaign Metrics on an ongoing basis

  • Testing results month over month
  • 3 and 12-month trend lines
  • Open and Click rates over time
  • Ongoing course completions for annual training and monthly courses

With Hook Security's reporting you can create custom reports and save them as a preset for future phishing campaigns.

Notify Employees of the Phishing Simulations 

Once you have the phishing simulation tool in place it's time to let your employees know what is coming.

Whether this will be done via email, on a company-wide intranet or by word of mouth, make sure that people are notified about the upcoming test and why they're receiving these fake emails. Having an end-user who understands that they should take part in the phishing simulation test will increase their buy-in during the actual event.

It's also important to know that the goal here is not to trick your employees. Yes, you want to send realistic phishing emails, but tow the line between effective and down-right dirty. You still have to work with these people.

Phishing Simulation Planning

Once you have completed your requirements gathering process and determined the goals for this simulation test then you can begin planning.

Choosing Campaigns

At a bare minimum, you’ll need two templates for your campaign: an email phishing template and a training page template.

If you’re collecting data like login credentials, you’ll need an additional landing page to collect that information. Otherwise, if we’re treating the primary action of failure as click, we can send users straight to training.

Email Template

There are two keys to good phishing simulations: A specific focus and a specific type of email. 

The focus of a phishing test will vary and often has some combination of a few phishing techniques, but it’s important to know what it is so you can maximize effectiveness. The focus can be either what the email content contains, or the main red flags that you’ll be testing. This will allow you to provide the best type of feedback and training, as you can highlight specifically what phishing threats the user should have spotted.

Phishing Test Focus Examples:

  • Too Good To Be True - Contains an offer, deal, or promise, that feels “too good to be true”, like a gift card, free items from a brand, etc.
  • Bad Links/Bad Sender - An email either from a brand or individual that contains links and/or a sender address that are malicious-looking in their nature.
  • Spoofed URL - An email from a sender address that looks eerily similar to either your company or your brand (think dr0pbox or Walrnart).
  • Urgency - An email with high levels of urgency, like a password breach, past due notice, or a request from a boss.
  • CEO Fraud - A spear phishing attack that impersonates a high-level executive at a company in order to trick someone internally, like HR or IT.

Phishing Testing Email Categories

Now that you’ve selected a focus for the email, the email itself may take the form of one of these categories of phishing threats:

  • Brand Knock-Offs
  • Current Events
  • Healthcare
  • Information Technology (IT)
  • Banking/Finance
  • Online Services
  • Social Media
  • Internal/Business Email Compromise (BEC)
  • Shipping/Notifications
  • International

Training Page

Once you’ve got your email template selected, you need to page to direct the traffic of those who click. The goal is to provide instant security awareness training to the user that they clicked on something they shouldn’t have, and how they avoid it in the future.

We recommend keeping this page and its content welcoming, simple, and quick to understand. Many users, once they realize what happened, will freak out and close the tab. So for a small fraction of users, you have a split second to get your point across.

For those who stick around long enough to take in the information, we recommend using a training video that is short, fun at times and delivers a succinct, memorable lesson.

Simulated Phishing Campaign Ideas

Although we gave you the tools above to create some solid phishing simulations, here are a few campaign ideas!


A Google “sign-in detected” email

In this scenario, the user receives an email that their Google account has noticed an unusual sign-in from an odd location. This will prompt the user to quickly click through to investigate, only to find out this email itself was fake. The user will learn that for urgent emails, verify the sender address, and when in doubt, open a new tab and go directly to the website. These urgent emails are one of the most popular phishing emails.

An internal “Account scheduled for deletion” email

Internal emails are an important part of phishing simulation training. Often times cyber criminals will pretend to be someone in your company in order to conduct a targeted spear phishing attack. In this email, it looks as though IT needs the employee to make sure their account doesn't get deleted. In reality, this was a malicious link from a hacker!

Starbucks Free Drink

Well-known brands are great for social engineering attacks. In this well designed simulated phishing email, users are "rewarded" with a free drink coupon. This type of phishing exploits the "too good to be true" nature of the offer.

Netflix - Password Reset

Similar to the Google Sign in, "password reset" simulated phishing emails are very effective to identify users who are likely to click on urgent emails.

Running Your Phishing Simulation

The benefit of doing solid phishing test prep and using a phishing simulator tool is that during the test, well, you frankly don’t have to do much.

Other than pushing the big red button to launch out your test, here’s what we recommend doing during the testing period.

Monitor Deliverability

As the phishing test goes out, make sure the emails are landing in employees’ inboxes and not bouncing. In our Phishing Simulator, you can track deliveries, opens, clicks, and reporting in real-time to keep track of your testing

Notify Help Desk

Depending on your company structure, you may be the help desk. But if not, you should notify them before testing goes out so they can handle support tickets properly.

The last thing you want is for your team to start investigating or pull the alarm on a phishing email that was a simulated one. Just let them know in advance what to expect.

Have a Mid-Test Plan

Similar to the previous point, have an operational plan for how you will handle tickets, inquiries, etc. about the phishing test.

Employees talk. And frankly, it’s a good sign if employees raise the alarm and notify each other of a funky-looking email. That being said, you do want to protect the integrity of the phishing test as much as you can.

Have a response plan for inquiries during the test. 

“Great job! Now shhh, don’t tell anyone else. Let’s see if they catch it”

After the Phishing Simulation

Once your campaign is complete, it’s time to tally up the scores, report the data to the necessary stakeholders, and let employees know how they did.

Reporting

This is where we go back to the beginning: our KPIs and metrics.

If this is your first test, then you can report on the “Per Test” metrics: opens, clicks, etc.


If you’re a few months in, that’s where you can begin showing trend lines and progress from test to test.


If you are enrolling your users into security awareness training courses in addition to phishing training, this is where you can report on that as well.

The primary takeaways from reporting should be to understand areas for improvement, show trends over time, and in some cases, demonstrate compliance.

Employee Feedback

After the simulation, it’s important to give employees feedback on the test because of two possible scenarios:

  • The employee clicked but maybe didn’t watch the security awareness training
  • The employee didn’t click and thus never even knew it happened

Either way, it’s a good idea to let them know what happened. Here’s how:

Rinse and Repeat

Congratulations! After reporting and feedback, you will have successfully completed your first simulation.

What’s next?

Time to do it all over again. We recommend testing monthly, and in some cases even more often for repeat offenders.

Well, there you have it. A full guide to effective phishing simulations.

We hope this helps you get started on your phishing testing journey. Security awareness training is not a one-time project. It’s an ongoing practice, and effective testing and security awareness training is the first step to get there.

Good luck and stay aware out there!



Sign up for our  newsletter

Get Free Exclusive Training Content in your inbox every month

Share on social media: 

More from the Blog

Never miss a post.

Enter your email below to be added to our blog newsletter and stay informed, educated, and entertained!
We will never share your email address with third parties.