
Recipe: Phishing simulation program

Build a measurable, repeatable internal phishing readiness program that trains users without burning trust.

Ingredients

  • Executive sponsor with written sign-off
  • HR + Legal review of simulation scope
  • Sending domain allowlisted in the mail gateway and spam filters (sim.phish.example.com), so lures that never reached the inbox are not counted as users who resisted
  • Landing page with just-in-time training
  • Click-rate dashboard (no individual shaming)

Method

  1. Define success. Target <5% click rate by quarter 3. Measure the trend across campaigns, not single-campaign spikes.
  2. Start easy. First campaign uses an obviously fake internal “free pizza” lure. Record its click rate as the baseline.
  3. Escalate difficulty. Over 6 months, introduce spoofed manager names, urgency cues, and credential-harvest pages. A harvest page records only that a submission happened; it never stores the submitted password.
  4. Train at the moment of failure. Users who click land on a 90-second micro-lesson, not a “gotcha” page.
  5. Report aggregate only. Share department-level click rates with managers. Never expose individual names, and pool departments too small for a rate to be anonymous.
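The reporting side of steps 1 and 5 is where programs most often leak what they promised not to: a department of two people has no anonymous click rate, and a single hard campaign can look like regression. The following is an added example, not code from the original page or from any particular simulation product. The roster, campaign records, the MIN_GROUP_SIZE of 5 and the three-campaign trailing window are constructed assumptions for illustration; only the <5% target comes from the recipe.

```python
"""Aggregate-only reporting for a phishing simulation program (added example).

Records below are constructed sample data, not real campaign results.
MIN_GROUP_SIZE and the trailing window are assumed values, not from the page.
"""
from collections import defaultdict
from statistics import mean

TARGET_CLICK_RATE = 0.05   # the recipe's target: under 5% click rate
MIN_GROUP_SIZE = 5         # assumed: never publish a rate for fewer than 5 people

# Constructed roster: (user_id, department). Legal is deliberately tiny so the
# small-group suppression path is exercised.
ROSTER = (
    [(f"u{n:03d}", "Finance") for n in range(1, 7)]
    + [(f"u{n:03d}", "Engineering") for n in range(7, 13)]
    + [("u013", "Legal"), ("u014", "Legal")]
)


def _campaign(campaign_id, clicked_ids):
    """Build constructed result rows: (campaign_id, user_id, department, clicked)."""
    return [(campaign_id, uid, dept, uid in clicked_ids) for uid, dept in ROSTER]


# Three constructed campaigns of rising difficulty (Method steps 2 and 3).
SAMPLE_RESULTS = (
    _campaign("2024-Q1-pizza", {"u001", "u002", "u007", "u013"})
    + _campaign("2024-Q2-manager-spoof", {"u001", "u008"})
    + _campaign("2024-Q3-urgent-cred-harvest", {"u013"})
)


def aggregate_by_department(results, campaign_id, min_group_size=MIN_GROUP_SIZE):
    """Department-level counts for one campaign.

    User ids never appear in the output. Departments smaller than
    min_group_size are pooled into "Other"; if the pool is itself still too
    small, its rate is withheld (None) while its headcount is kept so that
    totals reconcile.
    """
    sent, clicked = defaultdict(int), defaultdict(int)
    for cid, _uid, dept, did_click in results:
        if cid == campaign_id:
            sent[dept] += 1
            clicked[dept] += int(did_click)
    report, other_sent, other_clicked = {}, 0, 0
    for dept, n in sent.items():
        if n < min_group_size:
            other_sent += n
            other_clicked += clicked[dept]
        else:
            report[dept] = {"sent": n, "clicked": clicked[dept], "rate": clicked[dept] / n}
    if other_sent:
        too_small = other_sent < min_group_size
        report["Other"] = {
            "sent": other_sent,
            "clicked": None if too_small else other_clicked,
            "rate": None if too_small else other_clicked / other_sent,
        }
    return report


def campaign_click_rate(results, campaign_id):
    """Overall click rate for one campaign (clicks / lures sent)."""
    rows = [r for r in results if r[0] == campaign_id]
    return sum(r[3] for r in rows) / len(rows)


def trend_report(results, campaign_ids, window=3):
    """Per-campaign click rate plus a trailing mean over the last `window`
    campaigns, so one hard lure does not dominate the verdict (Method step 1)."""
    rates = [campaign_click_rate(results, cid) for cid in campaign_ids]
    return [
        {"campaign": cid, "rate": rate,
         "trailing": mean(rates[max(0, i - window + 1): i + 1])}
        for i, (cid, rate) in enumerate(zip(campaign_ids, rates))
    ]


def target_met(report, target=TARGET_CLICK_RATE):
    """Judge the program on the latest trailing mean, not the latest single campaign."""
    return report[-1]["trailing"] < target


if __name__ == "__main__":
    ids = ["2024-Q1-pizza", "2024-Q2-manager-spoof", "2024-Q3-urgent-cred-harvest"]
    rows = trend_report(SAMPLE_RESULTS, ids)
    for row in rows:
        print(f"{row['campaign']:<30} rate={row['rate']:.1%} trailing={row['trailing']:.1%}")
    print("target met:", target_met(rows))
    for dept, stats in aggregate_by_department(SAMPLE_RESULTS, ids[-1]).items():
        print(dept, stats)
```

With the constructed data the per-campaign rate falls from 28.6% to 7.1%, but the trailing mean is still 16.7%, so the target is reported as not met; Legal's two users are pooled into "Other" with no rate published. The same pattern extends to manager-level or location-level cuts: apply the suppression threshold to every grouping that reaches a dashboard.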

Pitfalls

Do not:

  • Simulate terminations, bonuses, or health benefits
  • Name-and-shame individuals in reports
  • Run campaigns during layoffs or crises
  • Skip the executive sign-off step