How to Build a Successful Phishing Simulation Campaign


By Theo Zafirakos, CISO Terranova Security

Three billion phishing emails are sent globally every day. 

That’s right. Billion.

These emails are a serious threat. Organizations must be constantly vigilant because if employees don’t know how to spot phishing emails, your organization’s information is at risk. Knowing how to build a successful phishing simulation is vital for identifying how well employees can spot the latest threats and ensuring they know how to spot them independently. 

Unfortunately, many organizations fail to offer adequate security awareness training. According to the 2021 Gone Phishing Tournament simulation results, 20% of employees worldwide fall for phishing email scams and compromise sensitive information. 

As security leaders, here’s what you can do to build a successful phishing simulation program to help your employees overcome emerging phishing scams and social engineering threats.

What Is A Phishing Simulation And How Does It Work?

A phishing simulation is a test where you send employees an email to test their cyber security knowledge in a safe environment. When an end user clicks on a malicious link or attachment, it’s an indication that knowledge retention could use a boost.

The goal of a phishing simulation is to demonstrate that in an actual attack, when they click on the link or attachment or enter their details into a web form, they infect the network with malware.

When running a phishing simulation, targeting a select group of users, and keeping those who know it is a simulation to a minimum, is essential. This process will give your organization a good gauge of your users’ security awareness. Most organizations who perform phishing simulations experience: 

  • A 20-30% simulation success rate where users click on links
  • A 10-20% simulation success rate where users open attachments
  • Less than 5% simulation success rate for submitting data in forms

Terranova Security CISOs recommend aiming for a 5% phishing simulation click rate improvement after completing 4–6 simulations and related awareness activities over 12 months.

How To Creating A Successful Phishing Awareness Program

When creating a successful phishing simulation program, there are two main steps to follow to set your organization up for success:

1. Select a testing objective

The first step of any program or test is determining the objective of the simulation. What threat will you use to target employees within your phishing email to test their security awareness? 

There are three main objectives you can use when implementing phishing simulations as part of a risk-based awareness training campaign:

  • Malicious Links – Use malicious links to test if employees are vulnerable to being misled into clicking on these links, deploying malware to their device, or handing over their login credentials.
  • Data Collection via Web Form – Fraudsters often lure users into clicking on links to fake web forms. Using these as part of your simulation can tell if a user is prone to sharing their sensitive data and login credentials with an impostor.
  • Infected Attachment – Cyber criminals routinely embed viruses in files to infect recipients’ devices, so sending users fake ‘infected attachments’ can test endpoint security.

No matter the objective, it is vital to replicate the same techniques attackers would use in a real-life situation. Using an out-of-the-box phishing simulation with realistic examples is recommended.

2. Select the Scenario

After choosing the objective, it’s time to select the scenario for your phishing threat that will best test the user. There are three main ways to build these testing scenarios:

  • Spoof an internal or external department of your organization.
  • Spoof a legitimate organization or fictitious brand. Ideally, a legitimate organization as this is what attackers do daily.
  • Use an out-of-the-box scenario or customize one from scratch. We recommend using out-of-the-box as these are designed for real attack scenarios.

The key to selecting the best scenario for your users is to pick the most relevant to their day-to-day work. Ask yourself what brands they trust and what malicious call to action they’d be likely to respond to and click through to a phishing site.

What do you do once the simulation is complete?

Once the simulation is complete, you will be able to see the results of your organization. Generally, the results you are looking to generate are a phishing rate of less than 5% for clicking on links and 1% for employees sharing account names and passwords. To reach this rate, however, it often takes four or five simulations, as employees must continually test their skills to be prepared to combat phishing attacks. 

Measuring the program’s effectiveness can also be done by looking at the number of victims who have completed training, the number of victims who haven’t completed training, and the number of repeat clickers. Even if you know how to build a successful phishing simulation, it’s crucial to analyze the collected data to identify gaps in employees’ security awareness and determine topics to prioritize in your training.

The purpose of phishing simulations is to educate your employees using real-world scenarios. Through effective security awareness training, organizations can give them the tools they need to drastically reduce the risk of a data breach. It’s only through addressing the human risk factor that you can truly strengthen your information security and build the kind of security-aware culture that hackers will have a difficult time infiltrating.


Theo Zafirakos is CISO of Terranova Security. He is responsible for all areas of information security for the creation and management of strategy, programs, governance, information risk assessments, and compliance for Terranova Security. Terranova Security is the global leader in Cybersecurity Awareness, with 10M+ Trained Cyber Heroes in 200+ Countries and 40+ Languages. He leads Terranova’s Professional Services team that helps our clients implement and execute information security awareness programs with measurable results. Programs that assist users in recognizing the events that require a specific action know what the appropriate action is and are motivated to take that action.


Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.