Phishing threats are everywhere, and if your employees don’t know how to spot them, you’re putting your information at risk. Knowing how to build a successful phishing simulation is vital for identifying how well employees can spot the latest threats and ensuring they know how to spot them independently.

Unfortunately, many organizations fail to offer adequate security awareness training, with research showing that more than 25% of American workers fall for phishing emails.

This article will examine how security leaders can build a successful phishing simulation campaign to help employees overcome emerging phishing scams and social engineering threats.

What is a Phishing Simulation and How Does it Work? 

In simple terms, a phishing simulation is a test in which you send a group of users emails designed to trick them into clicking a fake link or opening a fake attachment. If an employee clicks on a link or attachment or enters their details into a fake web form, they would have infected your network with malware in an actual attack.

When deciding to run a phishing simulation, you should target a group of users and only inform a few other non-tested individuals in the organization.

Your first test should compare your users’ security awareness against other organizations. Most organizations that perform phishing simulations experience:

  • A 20-30% simulation success rate where users click on links
  • A 10-20% simulation success rate where users open attachments
  • Less than 5% simulation success rate for submitting data in forms

How to Build a Successful Phishing Simulation Campaign: 2 Steps to Creating a Successful Phishing Awareness Program

If you don’t know how to create a successful phishing simulation campaign, there are two main steps you can follow to hit the ground running:

Step 1: Select a testing objective

The first step of your test is to determine the objective of the simulation, namely, which threat you will target employees with in your phishing email to test their security awareness. There are three main objectives you can use:

  • Malicious links – Use malicious links to test if employees are vulnerable to being misled into clicking on malicious links, deploying malware to their device, or handing over their login credentials.
  • Data Collection via Web Form – Fraudsters often lure users into clicking on links to fake web forms, so using these as part of your simulation can tell if a user is prone to sharing their sensitive data and login credentials with an impostor.
  • Infected Attachment – Cyber criminals routinely embed viruses in files to infect recipients’ devices, so sending users fake ‘infected attachments’ can test their endpoint security.

No matter what objective you choose, you will want to accurately replicate the techniques an attacker would use to trick an employee into handing over information, so it’s highly recommended to use an out-of-the-box phishing simulation solution with realistic examples.

Step 2: Select the scenario

After choosing your objective, it’s time to select the scenario your phishing threat will use to test the user. There are three main ways to build testing scenarios:

  1. Spoof an internal or external department of your organization
  2. Spoof a legitimate organization or fictitious brand (Ideally a legitimate organization as this is what attackers do daily)
  3. Use an out-of-the-box scenario or customize one from scratch (we recommend using out-of-the-box as these are designed on real attack scenarios)

The key to selecting the best scenario for your users is to pick one that’s relevant to their day-to-day work. Ask yourself which brands they trust and which malicious CTAs they would be likely to respond to by clicking through to a phishing site.

What Do I Do Once the Simulation Is Complete?

After you’ve completed the simulation, you’ll be able to see how many users clicked on malicious links, opened attachments, and submitted data in forms. In general, you should be aiming for a phishing rate of less than 5% for clicking on links and 1% for employees sharing account names and passwords.

However, it will usually take 4 or 5 phishing simulations before your employees achieve a phishing rate of less than 5%, so don’t be discouraged if you don’t pass the first few times.

You can also measure program effectiveness by looking at the number of victims who have completed training, the number of victims who haven’t completed training, and the number of repeat clickers.
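One way to compute these measures from a simulation export, as an added example that is not part of the original article or any vendor's tooling. The event tuple layout, user names and campaign labels are constructed, and treating a "repeat clicker" as a user who failed in more than one campaign is an assumption.

```python
from collections import defaultdict

# Targets from the article: under 5% link clicks, under 1% credential submissions.
TARGETS = {"clicked": 0.05, "submitted": 0.01}
FAIL_ACTIONS = ("clicked", "opened_attachment", "submitted")

# Constructed sample export: (campaign, user, action). Layout is hypothetical.
EVENTS = [
    ("2024-01", "ana", "delivered"), ("2024-01", "ana", "clicked"),
    ("2024-01", "ana", "clicked"),  # duplicate event, must count once
    ("2024-01", "ben", "delivered"), ("2024-01", "ben", "clicked"),
    ("2024-01", "ben", "submitted"),
    ("2024-01", "cho", "delivered"), ("2024-01", "dev", "delivered"),
    ("2024-03", "ana", "delivered"), ("2024-03", "ana", "clicked"),
    ("2024-03", "ben", "delivered"), ("2024-03", "cho", "delivered"),
    ("2024-03", "dev", "delivered"), ("2024-03", "dev", "opened_attachment"),
]
TRAINED = {"ben"}  # constructed: users who completed follow-up training

def campaign_rates(events):
    """Per campaign, the fraction of recipients who performed each failing action."""
    seen = defaultdict(lambda: defaultdict(set))  # campaign -> action -> users
    for campaign, user, action in events:
        seen[campaign][action].add(user)  # sets deduplicate repeated events
    rates = {}
    for campaign, by_action in seen.items():
        n = len(by_action["delivered"])
        rates[campaign] = {a: (len(by_action[a]) / n if n else 0.0)
                           for a in FAIL_ACTIONS}
    return rates

def meets_targets(rate):
    """True when every targeted rate is strictly below its threshold."""
    return all(rate[action] < limit for action, limit in TARGETS.items())

def program_summary(events, trained):
    """Victims split by training status, plus users who failed in 2+ campaigns."""
    failed = defaultdict(set)  # user -> campaigns in which they failed
    for campaign, user, action in events:
        if action in FAIL_ACTIONS:
            failed[user].add(campaign)
    return {
        "victims_trained": sorted(u for u in failed if u in trained),
        "victims_untrained": sorted(u for u in failed if u not in trained),
        "repeat_clickers": sorted(u for u, c in failed.items() if len(c) > 1),
    }

if __name__ == "__main__":
    print(campaign_rates(EVENTS))
    print(program_summary(EVENTS, TRAINED))
```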

Even if you know how to build a successful phishing simulation, it’s crucial to analyze the data you’ve collected to identify gaps in employees’ security awareness and determine topics to prioritize in your training.

Topics you can review include:

  • Email security
  • Social engineering
  • Phishing
  • Malicious software
  • Identity theft
  • Internet use
  • Ransomware
  • Business email compromise
  • Passwords

How Many Phishing Simulations Should I Complete Per Year?

Knowing how many phishing simulations to run is just as important as knowing how to build a phishing simulation in the first place. The number of phishing simulations you should use is down to your users’ needs and your broader cyber security goals.

As a general rule of thumb, we recommend enterprises complete 6-10 phishing simulations per user per year, as our research shows that the ideal time frame between simulations is 40-60 days.

The reason is that this is a regular enough time frame to keep security threats top of mind without fatiguing the employee with training opportunities.


If you don’t know how to build a successful phishing simulation campaign, there are plenty of resources you can use to assist you. The most important thing is to test your users with real-world scenarios.

This way, you’ll educate them on the techniques that attackers use on a daily basis and drastically reduce the chance of a data breach taking place in your environment.


