How to Run Simulated Phishing Campaigns

Next, inform employees that the company will be running a simulated phishing campaign. It’s important to acknowledge that even experienced users can be vulnerable to phishing attempts, and that the goal is not to test or punish individuals, but to strengthen awareness and improve the ability to recognize malicious emails.

Reassure employees that this exercise is designed as a learning tool to help them better identify and respond to real-world threats in a safe environment.

It is also helpful to coordinate in advance with engineering and IT teams so they are aware of the campaign and can ensure systems and support processes are prepared accordingly.

Phishing attacks often involve impersonating a high-level executive or other trusted individual within the business. You’ll want to recruit an executive who is willing to be impersonated in the phishing campaign ahead of time, and prep them to be ready to respond to employees who may ask about the best way to report the simulated attack. 

You should keep the timing of your initial simulated phishing email confidential to employees. This allows you to establish an accurate baseline of how many users successfully recognize and report the message as phishing once it is delivered. The results can then be used to inform and improve your ongoing security awareness and testing program.

To help employees recognize and understand phishing emails, organizations should provide clear security awareness training. This can include graphics, presentations, and videos designed to illustrate common phishing tactics and warning signs.

This training should run alongside simulated phishing campaigns so employees can immediately apply what they are learning. For maximum effectiveness, educational content should also be integrated into the company’s broader security awareness program to reinforce key concepts over time.

You can now launch your campaign. Before doing so, determine how many simulated phishing emails you plan to send. Once you have a clear understanding of employee response rates, you may find that you need to provide additional educational content or adjust your strategy — for example, by reducing the number of emails or refining the scenarios used.

Once the phishing campaign has begun, start looking at the data. It's a good idea to take note of whether there are specific departments, locations, or teams that need more training to raise their reporting rate. You may also want to dial up the difficulty level of campaigns as your workforce becomes better at recognizing phishing emails. 

A common metric used in phishing simulations is clickthrough rate, as well as the percentage of users who enter login credentials or other sensitive information. However, these results are often influenced by the difficulty or sophistication of a specific phishing scenario, making them less reliable as a standalone measure of program effectiveness.

A more meaningful metric is the reporting rate — how many employees report the simulated phishing email compared to those who do not recognize it. Over time, this rate should increase as employees become more aware and better trained. If reporting rates do not improve, it may indicate that the organization needs to strengthen or adjust its security awareness training.

If employees struggle to identify simulated phishing emails, training should be adjusted accordingly. This may include providing additional guidance, examples, or short-form videos that reinforce key warning signs and behaviors.

Most importantly, employees need to understand why security matters to them personally. What is the real-world impact of a malicious email? What motivates them to pause, scrutinize messages, and report suspicious activity? Reinforcing this context through simulations and follow-up communication can help answer those questions, such as whether their actions helped prevent financial loss or stopped a potential security incident.

It's also valuable to analyze behavioral differences between employees who click on phishing emails and those who report them. This can help identify the emotional triggers and identity deception techniques attackers rely on, such as urgency, authority, or impersonation, and guide more targeted awareness training.

As employees become more skilled at recognizing phishing attempts, organizations can significantly reduce their exposure to costly incidents such as data breaches and business email compromise. Phishing remains one of the most common initial access vectors used by attackers, alongside stolen credentials, exploited vulnerabilities, and automated bot activity. Verizon’s Data Breach Investigations Report has consistently shown that phishing plays a major role in breaches, including a significant share of business email compromise cases.

Attackers may use phishing to harvest credentials, deploy ransomware via malicious links or attachments, or install malware that disrupts operations and spreads across networks or supply chains. In some cases, these attacks can escalate from isolated incidents to large-scale business and security disruptions.