NextdoorSec
transmission log
Advisory · 3 min read

Phishing simulations that actually change behaviour

Sending a fake phishing email and counting clicks is easy. Turning that number into a team that reports attacks instead of falling for them is the real work.

by Aydan Arabadzha

Almost every breach we are called in to handle started the same way: someone clicked something. Not because they were careless, but because the message looked normal and they were busy.

That is why phishing simulations exist. Done well, they turn your biggest risk into your best early-warning system. Done badly, they just annoy people and teach them to distrust IT. The difference is in how you run them.

Measure reporting, not just clicking

Most simulations report one number: how many people clicked. It is the wrong headline.

A click tells you someone was fooled for a moment. A report tells you someone spotted the attack and warned the rest of the company. The second number is the one that actually protects you, because the faster a real phishing email gets reported, the faster you can shut it down before it spreads.

Track both. Celebrate the reporters loudly. Over time you want the click rate falling and the report rate climbing, and the report rate is the one to obsess over.
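To make "track both" concrete, here is an added example of how a campaign's results can be scored so that the report rate, the time to first report and the trend across campaigns are visible alongside the click rate. It is illustration written for this page, not NextdoorSec's tooling. The event schema (campaign, user, event, minutes after send) and the sample rows are constructed assumptions; a real simulation platform exports similar data under its own field names.

```python
"""Score phishing-simulation campaigns on reports, not only on clicks.

Added illustration, not NextdoorSec code. The (campaign, user, event, minutes)
schema is an assumption; adapt it to whatever your simulation platform exports.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log: one row per event, minutes measured from the send time.
# A user who clicked and then reported appears twice; the report still counts,
# because a late report is what lets the security team shut a real campaign down.
EVENTS = [
    ("2024-Q1", "alice", "sent", 0),
    ("2024-Q1", "alice", "clicked", 12),
    ("2024-Q1", "bob", "sent", 0),
    ("2024-Q1", "bob", "reported", 8),
    ("2024-Q1", "carol", "sent", 0),
    ("2024-Q1", "carol", "clicked", 40),
    ("2024-Q1", "carol", "reported", 45),  # clicked, then reported
    ("2024-Q1", "dave", "sent", 0),
    ("2024-Q2", "alice", "sent", 0),
    ("2024-Q2", "alice", "reported", 3),
    ("2024-Q2", "bob", "sent", 0),
    ("2024-Q2", "bob", "reported", 15),
    ("2024-Q2", "carol", "sent", 0),
    ("2024-Q2", "carol", "clicked", 22),
    ("2024-Q2", "dave", "sent", 0),
    ("2024-Q2", "dave", "reported", 60),
]


def campaign_metrics(events):
    """Return {campaign: metrics} with click rate, report rate and report timing.

    Rates are per unique recipient, so a user who clicked twice counts once.
    """
    buckets = defaultdict(lambda: {"sent": set(), "clicked": set(),
                                   "reported": set(), "report_minutes": []})
    for campaign, user, event, minutes in events:
        b = buckets[campaign]
        if event == "sent":
            b["sent"].add(user)
        elif event == "clicked":
            b["clicked"].add(user)
        elif event == "reported":
            b["reported"].add(user)
            b["report_minutes"].append(minutes)

    result = {}
    for campaign, b in sorted(buckets.items()):
        sent = len(b["sent"])
        times = b["report_minutes"]
        result[campaign] = {
            "sent": sent,
            "click_rate": round(len(b["clicked"]) / sent, 3) if sent else 0.0,
            "report_rate": round(len(b["reported"]) / sent, 3) if sent else 0.0,
            # People who fell for it but still raised the alarm: worth praising.
            "clicked_then_reported": len(b["clicked"] & b["reported"]),
            # How quickly the first warning reached the security team.
            "first_report_minutes": min(times) if times else None,
            "median_report_minutes": median(times) if times else None,
        }
    return result


def trend(metrics):
    """Compare earliest and latest campaign: the goal is clicks down, reports up."""
    names = sorted(metrics)
    first, last = metrics[names[0]], metrics[names[-1]]
    return {
        "click_rate_delta": round(last["click_rate"] - first["click_rate"], 3),
        "report_rate_delta": round(last["report_rate"] - first["report_rate"], 3),
        "improving": (last["click_rate"] <= first["click_rate"]
                      and last["report_rate"] >= first["report_rate"]),
    }


if __name__ == "__main__":
    scored = campaign_metrics(EVENTS)
    for name, row in scored.items():
        print(name, row)
    print("trend:", trend(scored))
```

On the constructed rows the click rate falls from 0.5 to 0.25 while the report rate rises from 0.5 to 0.75, and the first report arrives in 3 minutes instead of 8; that pair of movements, not the click count alone, is the headline worth putting on the slide.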

Make it realistic, not a trick

There is a temptation to design the meanest possible email to catch as many people as you can. Resist it. A simulation that uses a genuinely cruel lure, like a fake bonus or a fake layoff notice, will catch people, but it also burns trust and teaches nothing useful.

Base your simulations on what attackers are actually sending your industry this quarter. A delivery notice. A shared document. A password expiry warning. Real lures, run fairly, produce results you can act on and a team that feels tested, not tricked.

Train in the moment, briefly

The most valuable thirty seconds in the whole exercise is right after someone clicks. That is the teachable moment. A short, calm page that says "this was a simulation, here is the one detail that gave it away" sticks far better than an hour-long course three months later.

Keep it specific. Point at the lookalike domain, the mismatched sender, the urgency. People remember the tell. They rarely remember the lecture.

Run it as a routine, not an event

A single phishing test is a snapshot. Behaviour changes when testing becomes a quiet, regular rhythm. Run campaigns throughout the year, vary the lures, and rotate who gets targeted. The goal is not a perfect score on one day. It is a workforce that treats every unexpected message with a little healthy suspicion, every day.

Watch your high-value targets

Not everyone is an equal target. Finance teams who can move money, executives with broad access, and anyone with admin rights are worth more to an attacker and deserve more focused, more realistic testing. Treat them accordingly.

The short version

Measure reporting, keep the lures realistic and fair, train in the moment it matters, and run the whole thing as a routine rather than a one-off gotcha. That is how a phishing simulation stops being a number on a slide and starts being the reason an attack gets caught on day one.

Want to see how your team holds up? Phishing testing is one of the things we do best.

Tags: phishing, social engineering, security awareness