Why Most Phishing Simulations Fail

Most organisations run phishing simulations wrong. They send a generic “Your package is waiting” email, track click rates, name-and-shame repeat clickers in an all-hands meeting, and call it a training programme.

The result: employees feel surveilled, not educated. Click rates improve for two weeks post-campaign, then return to baseline.

This post covers the methodology we use with enterprise clients — one that measurably reduces susceptibility over 12-month rolling programmes.


The Three Principles

  1. Teach, don’t trap. Every simulation ends with immediate, contextual education — not a “gotcha” message.
  2. Segment by role. A finance team member faces different threats than a software engineer. Generic campaigns miss both.
  3. Measure learning, not just clicks. Track whether knowledge improves over time, not just whether people click.

Phase 1 — Planning

Define Objectives

Campaign Goal      → Reduce credential submission rate from 18% to <5%
Target Segments    → Finance (wire fraud focus), IT (tech support scams), All-staff (general)
Duration           → 6 months, one campaign per segment per month
Approval           → Legal, HR, CISO signed off (document this!)
Exclusions         → C-suite requires separate approval in most orgs

Choose Scenario Difficulty

Level  | Example                                    | Target
Easy   | Generic “IT password reset”                | All staff — baseline
Medium | Branded HR benefits portal                 | All staff — month 3
Hard   | Spear phish referencing real project names | Privileged users

Phase 2 — Infrastructure Setup

We use GoPhish for all client simulations — open source, auditable, no vendor lock-in.

# Install GoPhish on a VPS
wget https://github.com/gophish/gophish/releases/latest/download/gophish-linux-64bit.zip
unzip gophish-linux-64bit.zip
chmod +x gophish
./gophish &

# Configure sending domain
# 1. Register a lookalike domain (e.g. hr-portal-corp.com)
# 2. Set up SPF, DKIM, DMARC — your email MUST pass spam filters
#    to simulate a realistic sophisticated attack
# 3. Point MX to your GoPhish server

# DNS records needed:
# TXT @ "v=spf1 ip4:YOUR_VPS_IP ~all"
# TXT mail._domainkey "v=DKIM1; k=rsa; p=..."
# TXT _dmarc "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
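Before sending anything, verify that the three TXT records above are actually well-formed; it is the same check a mail administrator runs on any sending domain. The script below is an added example, not code from the original post or from the GoPhish project. It makes no DNS lookups: you fetch the records yourself (for instance with `dig TXT _dmarc.example.com`) and pass them in as strings. The sample records, the documentation IP 203.0.113.10 standing in for the VPS, and the placeholder DKIM key are all constructed.

```python
"""Offline sanity check of the SPF, DKIM and DMARC TXT records a sending domain needs.

Added example; not from the original post or the GoPhish project. No DNS
lookups are made: pass in the record strings you fetched yourself. The
sample records below are constructed (placeholder key, documentation IP).
"""


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k2=v2' style record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str, sender_ip: str) -> list:
    """Return the problems found in an SPF record (empty list means OK)."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record must start with 'v=spf1'"]
    if f"ip4:{sender_ip}" not in terms:
        problems.append(f"sending IP {sender_ip} is not listed in an ip4: mechanism")
    if terms[-1] not in ("~all", "-all"):
        problems.append(f"record should end with '~all' or '-all', not {terms[-1]!r}")
    return problems


def check_dkim(record: str) -> list:
    """DKIM selector record: needs v=DKIM1 and a non-empty public key."""
    problems = []
    tags = parse_tags(record)
    if tags.get("v") != "DKIM1":
        problems.append("DKIM record must contain 'v=DKIM1'")
    if not tags.get("p"):
        problems.append("DKIM public key (p=) is missing or empty")
    return problems


def check_dmarc(record: str) -> list:
    """DMARC record: v=DMARC1, a valid policy, and an rua address for reports."""
    problems = []
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        problems.append("DMARC record must start with 'v=DMARC1'")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("DMARC policy (p=) must be none, quarantine or reject")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("no rua=mailto:... address, so aggregate reports will not arrive")
    return problems


def check_domain(spf: str, dkim: str, dmarc: str, sender_ip: str) -> dict:
    """Run all three checks; the domain is ready when every list is empty."""
    return {
        "spf": check_spf(spf, sender_ip),
        "dkim": check_dkim(dkim),
        "dmarc": check_dmarc(dmarc),
    }


# Constructed sample records: documentation IP, placeholder public key.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.10 ~all"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    results = check_domain(SAMPLE_SPF, SAMPLE_DKIM, SAMPLE_DMARC, "203.0.113.10")
    for name, problems in results.items():
        print(name, "OK" if not problems else problems)
```

The checks are deliberately strict about the things that silently break a campaign: an SPF record that ends in `+all` passes everything and tells you nothing, and a DMARC record without `rua=` means you never see the aggregate reports that show whether receivers accepted your mail.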

Phase 3 — Email Template Design

Good phishing templates have these characteristics:

✓ Correct branding (logo, colours, font)
✓ Plausible sender name (not @gmail.com — use the configured domain)
✓ Appropriate urgency — not panic-inducing
✓ Single clear call to action
✓ Passes basic grammar check (most real phishing does now)

Example template — “IT Password Expiry”:

Subject: [ACTION REQUIRED] Your password expires in 24 hours

Your CORP network password is scheduled to expire.
To avoid losing access, please update it before the deadline.

[Update Password Now] ← link to GoPhish landing page

IT Help Desk
help@it-corp-support.com

Phase 4 — The Landing Page

This is where most simulations go wrong. A “gotcha” page kills the programme.

Bad: “You’ve been phished! Click here for mandatory training.”

Good: An immediate, context-specific lesson in the moment of failure:

You just experienced a simulated phishing attack.

Here's what gave it away:
→ The sender domain was "it-corp-support.com" — not "corp.com"
→ Legitimate IT never asks for your password via email
→ The urgency ("24 hours") is a classic pressure tactic

What to do when you see this for real:
1. Don't click — close the tab
2. Report it: forward to security@corp.com
3. If you clicked: notify IT immediately — no judgment

[5-minute learning module] ← short, relevant, not a 40-slide deck

Phase 5 — Metrics That Matter

Track these over rolling 12 months:

Metric                | Month 1 | Month 6 | Month 12
Click rate            | 24%     | 12%     | 7%
Credential submission | 18%     | 6%      | 2%
Report rate           | 3%      | 14%     | 28%
Time to report        | 4.2 hrs | 1.8 hrs | 0.6 hrs

The report rate is the most important metric. Employees who report suspicious emails are your best early-warning system — more valuable than any employee who just doesn’t click.
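The four metrics in the table fall out of one pass over a campaign's event log. The script below is an added example, not code from the original post and not GoPhish's export format: the event rows are constructed to resemble an exported campaign timeline, and the event names (`email_sent`, `clicked`, `submitted_data`, `reported`) are assumptions rather than GoPhish's schema. It also tracks the group the post cares most about, people who clicked and still reported.

```python
"""Phase 5 metrics (click rate, credential submission, report rate, time to
report) computed from a campaign event log.

Added example; not from the original post and not GoPhish's export format.
EVENTS is constructed sample data; the event names are assumptions.
"""
from datetime import datetime
from statistics import median

# Constructed sample: (recipient, event, ISO timestamp). A recipient may
# appear several times, e.g. clicked and then reported.
EVENTS = [
    ("alice", "email_sent", "2024-03-01T09:00:00"),
    ("alice", "clicked", "2024-03-01T09:12:00"),
    ("alice", "submitted_data", "2024-03-01T09:13:00"),
    ("bob", "email_sent", "2024-03-01T09:00:00"),
    ("bob", "reported", "2024-03-01T09:40:00"),
    ("carol", "email_sent", "2024-03-01T09:00:00"),
    ("carol", "clicked", "2024-03-01T11:00:00"),
    ("carol", "reported", "2024-03-01T11:05:00"),
    ("dave", "email_sent", "2024-03-01T09:00:00"),
    ("erin", "email_sent", "2024-03-01T09:00:00"),
    ("erin", "reported", "2024-03-02T10:00:00"),
]


def campaign_metrics(events) -> dict:
    """Per-recipient rates: a recipient counts once however many times they click."""
    sent_at, clicked, submitted, reported_at = {}, set(), set(), {}
    for recipient, event, ts in events:
        t = datetime.fromisoformat(ts)
        if event == "email_sent":
            sent_at[recipient] = t
        elif event == "clicked":
            clicked.add(recipient)
        elif event == "submitted_data":
            submitted.add(recipient)
        elif event == "reported":
            reported_at.setdefault(recipient, t)  # the first report is the one that matters
    n = len(sent_at)
    if n == 0:
        return {"recipients": 0, "click_rate": 0.0, "credential_submission_rate": 0.0,
                "report_rate": 0.0, "clicked_then_reported": 0,
                "median_hours_to_report": None}
    hours = [(reported_at[r] - sent_at[r]).total_seconds() / 3600
             for r in reported_at if r in sent_at]
    return {
        "recipients": n,
        "click_rate": round(100 * len(clicked) / n, 1),
        "credential_submission_rate": round(100 * len(submitted) / n, 1),
        "report_rate": round(100 * len(reported_at) / n, 1),
        # clicked but still reported: exactly the behaviour the landing page is meant to produce
        "clicked_then_reported": len(clicked & reported_at.keys()),
        # median rather than mean: one report arriving the next day would otherwise dominate
        "median_hours_to_report": round(median(hours), 2) if hours else None,
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(EVENTS).items():
        print(f"{key:28} {value}")
```

Time to report is a median on purpose: a single employee who reports the next morning would pull a mean up by hours and hide the fact that most reports arrived within minutes.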


Common Mistakes to Avoid

  • Over-targeting the same people — rotate randomly, don’t pile on repeat clickers
  • No leadership buy-in — if the CEO is excluded, employees notice and resent it
  • Immediate punitive action — treat clickers as teaching opportunities, not compliance failures
  • One campaign per year — threat landscape changes monthly; your programme should too
  • No positive reinforcement — publicly recognise employees who report phishing attempts
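The first mistake above, and the Phase 1 segmentation, come down to how targets are drawn each month. The selection routine below is an added example, not code from the original post or from GoPhish, and the roster is constructed. The rule it implements: within each segment nobody is targeted a second time until everyone in that segment has been targeted once, picks within a cycle are random, and an excluded segment (C-suite here, pending the separate approval the planning section mentions) is never picked.

```python
"""Monthly target selection that segments by role and rotates through each
segment instead of re-targeting the same people.

Added example; not from the original post or from GoPhish. ROSTER is a
constructed sample. Rule: one full cycle through a segment before anyone
is picked again; excluded segments are never picked.
"""
import random
from collections import Counter

# Constructed roster: name -> segment.
ROSTER = {
    "alice": "finance", "bob": "finance", "carol": "finance", "dave": "finance",
    "erin": "it", "frank": "it", "grace": "it",
    "heidi": "c-suite",
    "ivan": "engineering", "judy": "engineering",
}


def pick_targets(roster, already_targeted, per_segment, excluded=("c-suite",), rng=None):
    """Pick one month's targets.

    Returns ({segment: [names]}, updated set of people targeted in the
    current cycle). Pass the returned set back in next month.
    """
    rng = rng or random.Random()
    by_segment = {}
    for name, seg in roster.items():
        if seg not in excluded:
            by_segment.setdefault(seg, []).append(name)
    targeted = set(already_targeted)
    picks = {}
    for seg, members in sorted(by_segment.items()):
        pool = [m for m in members if m not in targeted]
        chosen = rng.sample(pool, min(per_segment, len(pool)))
        if len(chosen) < per_segment:
            # Everyone in this segment has had a turn: start a new cycle and
            # top up from members not already picked this month. Only the
            # top-up picks count towards the new cycle, so nobody is charged twice.
            targeted -= set(members)
            rest = [m for m in members if m not in chosen]
            topup = rng.sample(rest, min(per_segment - len(chosen), len(rest)))
            targeted.update(topup)
            chosen += topup
        else:
            targeted.update(chosen)
        picks[seg] = sorted(chosen)
    return picks, targeted


def run_programme(roster, months, per_segment, seed=0) -> Counter:
    """Simulate a whole programme and count how often each person was targeted."""
    rng = random.Random(seed)
    targeted, counts = set(), Counter()
    for _ in range(months):
        picks, targeted = pick_targets(roster, targeted, per_segment, rng=rng)
        for names in picks.values():
            counts.update(names)
    return counts


if __name__ == "__main__":
    for name, n in sorted(run_programme(ROSTER, months=6, per_segment=2).items()):
        print(f"{name:8} {ROSTER[name]:12} targeted {n}x")
```

Because a cycle must complete before anyone is re-drawn, the number of times any two people in the same segment have been targeted never differs by more than one, whatever the seed. Repeat clickers therefore get the same exposure as everyone else; what changes for them is the education that follows, not the frequency.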
