Deploying Successful Phishing Simulation Programs


Phishing is one of the ways cyber criminals attack organizations through their employees, and recently we've seen an explosion of phishing attacks related to the global pandemic. Whether the topic is vaccine and treatment scams, local Covid-19 infections, charity scams or checks coming from the government for economic stimulus, the bad actors are out in force right now.

In this article we cover:

  • Preventing security incidents and ransomware
  • Constructing a successful phishing simulation program to educate employees
  • Building a positive culture of security

Preventing Security Incidents and Ransomware

With the prevalence of attacks focusing on the pandemic, how can technology and security leaders ensure that their staff are prepared for this new normal? What techniques can help prevent ransomware infections stemming from Covid-19-related attacks?

Phishing Simulation is often the training solution of choice for many enterprises.

Phishing simulation is widely recognized as part of a comprehensive security awareness program. Its benefits include real-world, practical phishing experience for staff, a chance to put training into action, and the ability to capture meaningful metrics to track organizational progress against goals.

The age-old adage, “practice makes perfect,” may not be 100% true, but there is no doubt that using phishing simulations to train employees to recognize threats will bring a return on your security investment.

Constructing a Successful Phishing Simulation Program to Educate Employees

Many organizations just buy a phishing simulation service and put it into use without planning. Although this returns immediate results, the effectiveness of the program is often limited. Initial planning and following good practices will increase your program’s success. Here are six key areas to consider:

  • Determine your baseline – It is important to measure your initial level of risk. Your first phishing campaign will tell you a lot, and it also is the easiest number to improve upon. If you have never done a phishing campaign, you may be surprised to see 30%, 40% or even 50% of your staff clicking on links in email or taking the bait in other ways. But don’t be discouraged. The good news is that the number of people who take the bait often drops rapidly as staff become aware of the risks through your security awareness training and phishing simulation programs.
  • Vary & randomize campaigns – Successful phishing campaigns mix the email template groupings, timing and other factors so it is not obvious to staff that they are being phished by your organization. Consider altering the day(s) of the week, time of day, the group that is receiving the phishing emails, and the content of the phishing message itself.
  • Spear phish and whale – Test your staff’s resistance to more sophisticated social engineering tactics like spear phishing and whaling. Spear phishing uses targeted messages containing the name of the person, or other specific details about them, making the messages look realistic and almost always more convincing than generic phishing messages. Be sure to include campaigns that use the same techniques phishers are successfully using, such as Business Email Compromise (BEC) attacks, which target either your general staff or your executives. Finally, don’t neglect to do whaling, which is going after the biggest targets in your organization: your executives. To be successful, whaling should include very specific information – name, title, contact information, even a current project.
  • Provide real-time training to victims – If staff “take the bait” and fall for a phishing simulation, use this as a teachable moment. Explain what happened and how they can improve next time. Reinforce the right behaviors and explain clearly that you are trying to help them, not cause embarrassment. Nevertheless, make sure that everyone is engaged and understands what is at stake. Repeat offenders may need further action, including in-person discussions about the risks of phishing to the organization and to the target, as well as why that individual keeps falling for phishing attacks.
  • Phish often – To be effective, phishing simulation needs to be ongoing. We recommend conducting phishing simulation campaigns at a minimum on a monthly basis and using different campaigns to target different audiences. Track phishing campaigns over time and look for improvement, as well as ongoing areas of weakness. By identifying weaknesses, you’ll be able to focus your resources in those areas to reduce risk.
  • Make your staff your best defense – Encourage staff to immediately report all suspected phishing attacks, enabling you to stop attacks in real time and prevent potential security incidents. Review your internal processes and make sure that you track incidents in a way that reduces risk from real phishing attacks that make it into your enterprise. You may even want to consider providing rewards to the employees who report phishing attacks that are successfully prevented.
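The baseline, “phish often” and “best defense” points above all come down to measuring the same few numbers campaign after campaign: the click rate (people who took the bait), the report rate (people who flagged the message), and which groups remain weak. The example below is added here and is not code from the original article or from any simulation vendor; it assumes a hypothetical per-recipient export with the fields `campaign`, `dept`, `clicked` and `reported`, and the sample rows it builds are constructed for illustration.

```python
"""Turn per-recipient phishing simulation results into the metrics the article
recommends tracking: click rate, report rate, trend between campaigns, and the
departments that still exceed a risk threshold."""
from collections import defaultdict


def _rows(campaign, dept, clicked, reported, total):
    """Build `total` constructed result rows for one department.

    The first `clicked` rows are clicks and the first `reported` rows are
    reports; a recipient may both click and report (click first, then realise).
    This is sample data, not a real export."""
    return [
        {"campaign": campaign, "dept": dept, "clicked": i < clicked, "reported": i < reported}
        for i in range(total)
    ]


# Two constructed monthly campaigns, 12 recipients each across three departments.
RESULTS = (
    _rows("2021-03", "finance", clicked=3, reported=0, total=4)
    + _rows("2021-03", "sales", clicked=2, reported=1, total=4)
    + _rows("2021-03", "it", clicked=1, reported=3, total=4)
    + _rows("2021-04", "finance", clicked=1, reported=2, total=4)
    + _rows("2021-04", "sales", clicked=2, reported=1, total=4)
    + _rows("2021-04", "it", clicked=0, reported=4, total=4)
)


def rate(records, field):
    """Fraction of records where `field` is true; 0.0 for an empty group."""
    if not records:
        return 0.0
    return sum(1 for r in records if r[field]) / len(records)


def campaign_metrics(records):
    """Per-campaign recipients, click rate and report rate, keyed by campaign id."""
    by_campaign = defaultdict(list)
    for r in records:
        by_campaign[r["campaign"]].append(r)
    return {
        c: {
            "recipients": len(rs),
            "click_rate": rate(rs, "clicked"),
            "report_rate": rate(rs, "reported"),
        }
        for c, rs in sorted(by_campaign.items())
    }


def weakest_groups(records, campaign, threshold=0.3):
    """Departments whose click rate in `campaign` is at or above `threshold`,
    worst first. These are where training resources should be focused."""
    by_dept = defaultdict(list)
    for r in records:
        if r["campaign"] == campaign:
            by_dept[r["dept"]].append(r)
    weak = [(d, rate(rs, "clicked")) for d, rs in by_dept.items()]
    return sorted((w for w in weak if w[1] >= threshold), key=lambda w: -w[1])


def improvement(metrics, first, last):
    """Drop in click rate from campaign `first` to campaign `last` (positive = better)."""
    return metrics[first]["click_rate"] - metrics[last]["click_rate"]


if __name__ == "__main__":
    m = campaign_metrics(RESULTS)
    for c, v in m.items():
        print(f"{c}: {v['recipients']} recipients, "
              f"click {v['click_rate']:.0%}, report {v['report_rate']:.0%}")
    print("improvement:", f"{improvement(m, '2021-03', '2021-04'):+.0%}")
    print("still weak in 2021-04:", weakest_groups(RESULTS, "2021-04"))
```

The baseline campaign is simply the first key in `campaign_metrics`; each later campaign is compared against it with `improvement`, and `weakest_groups` answers the “where do we focus next” question directly. A rising report rate alongside a falling click rate is the pattern a healthy program should show.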

Building a Positive Culture of Security

Phishing simulation is often used as a “stick” or punishment when staff fall for attacks. This approach is not effective. Instead, your goal should be to help phishing simulation victims learn how to detect phishing emails, understand the risks if they fall for a phishing attack, and ultimately learn how to keep your organization, and themselves, safe.

Even with its benefits, phishing simulation alone is not enough. You need a comprehensive security awareness training program. Phishing simulation is sometimes the only form of cyber security training that organizations offer to their staff. This approach leads to a false sense of security. Phishing threats are just one of a myriad of cybersecurity risks related to remote working, working in the cloud, mobile devices, office security, social media, and many more. So make sure you have an effective, comprehensive security awareness training program in place that covers all the risks your employees face. New cyberthreats are continually launched and existing threats continue to evolve; make sure you are ready for them all.

Live by the rule “Trust – But Verify”. Providing your staff with training is critical. It's also important to provide frequent updates on the latest developments and hot topics specific to your workforce and organization, but a well-run phishing simulation program is what verifies that staff are ‘walking the talk’ and not falling for scams.
