Click rate
The primary phishing simulation metric: percentage of employees who clicked a simulated phishing link; industry baseline is 20-30% for first simulations; target after 12 months of training is under 5%
Report rate
The percentage of employees who reported the simulated phishing email to security: a more meaningful metric than click rate; high report rates mean employees are actively participating in defense
GoPhish
Open-source phishing simulation platform: free, self-hosted; creates landing pages, tracks click and credential submission events, and sends simulation emails via configurable SMTP server
JIT Training
Training delivered immediately after an employee clicks a simulated phishing link: the teachable moment approach; more effective than annual classroom training because the learning is anchored to a recent experience

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Security awareness programs work when they change behavior, not just knowledge. Employees know phishing is dangerous: what they lack is the automatic recognition of phishing in their inbox under the time pressure of a busy workday. Phishing simulations build this recognition by creating repeated, realistic experiences of phishing attempts in a safe environment where the consequence of clicking is training, not breach.

The most common mistakes: making simulations too easy (they do not represent real threats), too hard (they demoralize rather than teach), punitive (they damage security culture), or infrequent (one simulation per year measures nothing and teaches nothing). Effective programs run monthly simulations with relevant pretexts, measure improvement over time, and treat clicking as a learning opportunity.

Program Structure and Governance

Program components:

1. Baseline assessment (Month 1):
   - Send initial simulation to all employees with NO prior warning
   - Use a moderate-difficulty template (not trivially obvious, not advanced APT)
   - Measure: click rate, credential submission rate, report rate by department
   - This establishes your starting baseline: expect 20-40% click rate

2. Monthly simulations (ongoing):
   - Rotate templates: seasonal themes, IT helpdesk pretexts, HR pretexts,
     executive pretexts, vendor pretexts
   - Vary difficulty: mix easy-to-spot and harder templates
   - Target different populations: all staff, executives, finance, IT

3. Training delivery:
   - Just-in-time: immediate training page when employee clicks simulation link
   - Annual mandatory training: 30-45 minutes covering phishing, social engineering,
     password hygiene, reporting procedures
   - Targeted training: additional modules for repeat clickers
   - Executive briefings: separate, business-focused awareness for leadership

4. Metrics and reporting (quarterly to leadership):
   - Phishing susceptibility rate trend (click rate over time)
   - Department-by-department comparison
   - Report rate trend (goal: more employees reporting)
   - Training completion rate
   - Repeat clicker rate

Governing principles:
- NEVER punish for clicking a simulation: it creates resentment
  and employees start forwarding simulation emails to each other (gaming the metrics)
- Report results positively: celebrate improvement, not failures
- Notify HR and Legal before launching to ensure program is within policy
- Get executive sponsor approval: executive phishing simulations especially
  require senior buy-in

GoPhish Configuration and Campaign Setup

# Install GoPhish on an Ubuntu server:
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip
chmod +x gophish
./gophish &

# Access GoPhish admin interface:
# https://[server-ip]:3333
# Default credentials: admin / [password shown in gophish output]
# Change immediately after first login

# IMPORTANT: Register a domain for sending simulations
# Do NOT use your corporate domain: use a look-alike for realism
# Examples: company-security[.]com, it-helpdesk-corp[.]com
# Register via a registrar, point DNS to your GoPhish server
# Configure SPF, DKIM for deliverability (so simulations reach inboxes, not spam)

Create a simulation campaign:

In GoPhish:

1. Create Sending Profile:
   From: IT Helpdesk <helpdesk@company-it-support[.]com>
   SMTP Host: your-smtp-server:25
   Test email: send to yourself first to verify delivery

2. Create Landing Page:
   Clone the real Office 365 login page (GoPhish has import URL feature)
   Capture credentials: Enable (for metrics: credentials go to GoPhish DB,
     not stored persistently; disclose this in your program policy)
   Redirect to: A training page after submission
   Training page content:
     "This was a phishing simulation from your security team.
      You submitted credentials to what appeared to be a Microsoft login page.
      Here is how to identify phishing attempts: [training content]"

3. Create Email Template:
   Realistic pretext:
   Subject: Action Required: Your Microsoft 365 password expires in 24 hours
   Body: "Your Microsoft 365 account password will expire...
   Click here to update your password: [phishing link]"

4. Create Group (target audience):
   Import from CSV: First Name, Last Name, Email, Position, Department
   Or: Sync from HR system or Active Directory

5. Launch Campaign:
   Name: Q3-2024-IT-Helpdesk-Pretext
   Email Template: [created above]
   Landing Page: [created above]
   Send By Date: 5 days (spread delivery to avoid triggering spam filters)
   Groups: All-Staff
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Microsoft Attack Simulation Training

Microsoft 365 Defender includes built-in Attack Simulation Training (requires Microsoft 365 E5 or Defender for Office P2).

Microsoft 365 Defender > Email & Collaboration > Attack simulation training

Advantages over GoPhish:
- No external infrastructure needed
- Native M365 integration (can target specific M365 users/groups)
- Built-in training content library
- Automatic assignment of training when employee clicks
- Reporting integrated with M365 Security Score

Limitations vs. GoPhish:
- Requires E5 / Defender P2 license
- Less flexibility in template customization
- Simulations use Microsoft-owned domains (employees may recognize them over time)

Configure a simulation:
Attack simulation training > Simulations > + Launch a simulation

Simulation type:
  Credential Harvest (most common): realistic login page
  Link in Attachment: phishing PDF with embedded link
  Attachment with malware macro text: macro-enabled document
  Drive-by URL: simulates drive-by download attempt

Payload: Select from library or customize
  Built-in: Microsoft credential harvest templates
  Custom: Import your own HTML email template

Target users: All users, specific groups, or previous clickers

Training assignment:
  Assign training modules automatically to users who click
  Microsoft has built-in modules (5-15 minutes each)
  Training completion tracked in the portal

Automated training assignment for repeat clickers:

In Attack Simulation Training > End User Notifications:

Create automation rule:
  Trigger: User clicked simulated link
  Action: Assign training module + send notification email
  Training: "Recognizing and Reporting Phishing" (Microsoft built-in)
  Deadline: 7 days

For repeat clickers (clicked in 2 of last 3 simulations):
  Assign extended training path:
  - "Phishing Fundamentals" (15 min)
  - "Social Engineering Tactics" (10 min)
  - "Secure Email Habits" (10 min)
  Escalate to manager notification after 3 consecutive failures

Metrics, Reporting, and Improvement

Key metrics to track monthly:

1. Phishing Susceptibility Rate (PSR) by department:
   PSR = (clicks + credential submissions) / emails delivered × 100
   Baseline target: < 5% after 12 months of program
   Alert threshold: > 20% in any department (needs targeted intervention)

2. Report Rate:
   Report Rate = phishing reports submitted / emails delivered × 100
   Target: > 15% (employees actively reporting suspicious email)
   High report rate = employees acting as sensors, not just targets

3. Repeat Clicker Rate:
   % of employees who clicked in 2+ of the last 4 simulations
   These employees need individual intervention/additional training
   Escalation path: IT security counseling → HR involvement (if compliance required)

4. Template difficulty-adjusted metrics:
   Weight click rates by template difficulty (beginner/intermediate/advanced)
   Easy template with 20% click rate = different concern than hard template with 15%

Quarterly leadership reporting template:

Executive Security Awareness Summary: Q3 2024

Phishing susceptibility trend:
  Q1 2024: 28% click rate (baseline)
  Q2 2024: 19% click rate (-32% improvement)
  Q3 2024: 11% click rate (-61% from baseline)

Highest-risk departments:
  Finance: 14% click rate (4 employees, targeted training assigned)
  Customer Service: 18% click rate (scheduled targeted workshop)

Positive trends:
  Report rate: 3% → 11% (employees actively reporting phishing)
  Training completion: 94% of staff completed Q3 annual training

Q4 plan:
  Continue monthly simulations
  Executive phishing simulation scheduled for [date]
  Goal: < 8% click rate by year-end

The bottom line

An effective security awareness program runs monthly phishing simulations with rotating pretexts, delivers just-in-time training immediately when employees click, and measures click rate, report rate, and repeat-clicker rate per department. Use GoPhish (free, self-hosted) or Microsoft Attack Simulation Training (E5/Defender P2). Never punish for clicking: treat it as a training moment. Target a click rate below 5% and a report rate above 15% after 12 months. Report quarterly to leadership with trend data, department comparison, and specific improvement plans for high-risk departments. Identify repeat clickers for individual intervention before they become the weakest link in a real phishing campaign.

Frequently asked questions

How often should organizations run phishing simulations?

Monthly simulations with rotating templates are the most effective cadence for driving behavioral change: annual or quarterly simulations lack the repetition needed to build automatic recognition. Monthly frequency also ensures you catch new employees who joined since the last simulation. Vary the templates across categories (IT helpdesk, HR, executive, vendor, seasonal) and difficulty levels. Some organizations add targeted high-difficulty simulations for finance and executive teams quarterly in addition to monthly all-staff simulations.

What metrics should a security awareness program track?

The three key metrics are: (1) Phishing Susceptibility Rate: the percentage who clicked or submitted credentials; target below 5% after 12 months of training; (2) Report Rate: the percentage who reported the simulation to security; target above 15%, as high report rates indicate employees are actively participating in defense; (3) Repeat Clicker Rate: employees who clicked in multiple consecutive simulations; these individuals need individual intervention, not just online training modules. Track all three metrics by department to identify where targeted workshops or policy changes are needed.

What are the most effective phishing simulation templates for enterprise training?

The most effective simulation templates (highest credential submission rates, used to train employees on realistic threats): IT helpdesk credential reset requests (urgent tone, familiar IT branding); Microsoft 365 or Google Workspace account security alerts; HR-themed messages (payroll updates, benefits enrollment, PTO policy changes); executive impersonation (an email appearing to come from the CEO or CFO requesting urgent action); and invoice or vendor payment notifications targeting finance teams. Vary difficulty: start with obvious cues (generic greetings, poor formatting) and progress to high-sophistication templates (personalized, correct logos, plausible sender names) as susceptibility rates decrease.

How do I build a phishing reporting button and what should happen when employees click it?

Phishing reporting buttons (Microsoft Report Message, KnowBe4 Phish Alert Button, Proofpoint Report Suspicious Message) let employees report suspicious emails with one click. The workflow when a report is submitted: (1) Automatically move the email to a dedicated mailbox or SOAR queue for analyst triage. (2) Check if the reported message matches an active phishing simulation (award positive feedback to the reporter). (3) If real phishing: pull headers for IOC extraction, check if other users received the same message (query mail logs by sender/subject), and block the sender and any linked URLs in your email gateway. Build positive feedback loops: send automatic 'thank you' responses to reporters (even for false positives) so employees continue reporting. High report rates are a leading indicator of security culture health.

What security awareness training topics should be included beyond phishing?

A comprehensive security awareness program should cover: (1) Password hygiene and password manager adoption (employees who understand why weak passwords are dangerous use password managers at higher rates than employees who just hear 'use a complex password'). (2) MFA enrollment and why SMS is weaker than authenticator apps. (3) Physical security: tailgating, shoulder surfing, secure document disposal. (4) Removable media risks: USB drives found in parking lots are a social engineering classic. (5) Reporting procedures: who to call, what to say, and that reporting mistakes is encouraged without punishment. (6) Home network security for remote workers: router firmware updates, WPA3, not mixing personal and work devices on the same network. Deliver training in short modules (5-10 minutes) rather than annual all-day sessions — retention drops sharply with long formats.

How do you measure whether a phishing simulation program is actually changing behavior or just training employees to recognize the simulation platform?

Program gaming is a real failure mode: employees share simulation URLs with each other, forward emails to colleagues with warnings, or learn to recognize the GoPhish or Microsoft Attack Simulator landing page domains. Detect gaming by monitoring the time-to-report metric: if a large percentage of employees report a simulation within seconds of delivery (before they could have read the email), forwards of the simulation email within the organization are occurring. Counter this by rotating the sending infrastructure (use different look-alike domains per campaign), varying the landing page hosting (not always the same subdomain pattern), and splitting the target population so not all employees receive the same template simultaneously. Use control groups: send a subset of employees a new-format template that has never been used before and compare their click rate against employees who have seen similar templates; a significant difference in click rates indicates muscle memory for recognizing the platform rather than genuine phishing recognition. Track behavior transfer by correlating simulation report rates with real phishing report rates from your mail gateway: if simulation report rates are high but real suspicious-email reports are low, employees have learned to identify simulations specifically, not phishing generally.

Sources & references

  1. GoPhish: Open Source Phishing Framework
  2. Microsoft: Attack Simulation Training
  3. SANS: Security Awareness Maturity Model

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.