How to Build a Security Awareness Program with Phishing Simulations

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Security awareness programs work when they change behavior, not just knowledge. Employees know phishing is dangerous: what they lack is the automatic recognition of phishing in their inbox under the time pressure of a busy workday. Phishing simulations build this recognition by creating repeated, realistic experiences of phishing attempts in a safe environment where the consequence of clicking is training, not breach.
The most common mistakes: making simulations too easy (they do not represent real threats), too hard (they demoralize rather than teach), punitive (they damage security culture), or infrequent (one simulation per year measures nothing and teaches nothing). Effective programs run monthly simulations with relevant pretexts, measure improvement over time, and treat clicking as a learning opportunity.
Program Structure and Governance
Program components:
1. Baseline assessment (Month 1):
- Send initial simulation to all employees with NO prior warning
- Use a moderate-difficulty template (not trivially obvious, not advanced APT)
- Measure: click rate, credential submission rate, report rate by department
- This establishes your starting baseline: expect 20-40% click rate
2. Monthly simulations (ongoing):
- Rotate templates: seasonal themes, IT helpdesk pretexts, HR pretexts,
executive pretexts, vendor pretexts
- Vary difficulty: mix easy-to-spot and harder templates
- Target different populations: all staff, executives, finance, IT
3. Training delivery:
- Just-in-time: immediate training page when employee clicks simulation link
- Annual mandatory training: 30-45 minutes covering phishing, social engineering,
password hygiene, reporting procedures
- Targeted training: additional modules for repeat clickers
- Executive briefings: separate, business-focused awareness for leadership
4. Metrics and reporting (quarterly to leadership):
- Phishing susceptibility rate trend (click rate over time)
- Department-by-department comparison
- Report rate trend (goal: more employees reporting)
- Training completion rate
- Repeat clicker rate
Governing principles:
- NEVER punish for clicking a simulation: it creates resentment
and employees start forwarding simulation emails to each other (gaming the metrics)
- Report results positively: celebrate improvement, not failures
- Notify HR and Legal before launching to ensure program is within policy
- Get executive sponsor approval: executive phishing simulations especially
require senior buy-in
GoPhish Configuration and Campaign Setup
# Install GoPhish on an Ubuntu server:
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip
chmod +x gophish
./gophish &
# Access GoPhish admin interface:
# https://[server-ip]:3333
# Default credentials: admin / [password shown in gophish output]
# Change immediately after first login
# IMPORTANT: Register a domain for sending simulations
# Do NOT use your corporate domain: use a look-alike for realism
# Examples: company-security[.]com, it-helpdesk-corp[.]com
# Register via a registrar, point DNS to your GoPhish server
# Configure SPF, DKIM for deliverability (so simulations reach inboxes, not spam)
Create a simulation campaign:
In GoPhish:
1. Create Sending Profile:
From: IT Helpdesk <helpdesk@company-it-support[.]com>
SMTP Host: your-smtp-server:25
Test email: send to yourself first to verify delivery
2. Create Landing Page:
Clone the real Office 365 login page (GoPhish has import URL feature)
Capture credentials: Enable (for metrics: credentials go to GoPhish DB,
not stored persistently; disclose this in your program policy)
Redirect to: A training page after submission
Training page content:
"This was a phishing simulation from your security team.
You submitted credentials to what appeared to be a Microsoft login page.
Here is how to identify phishing attempts: [training content]"
3. Create Email Template:
Realistic pretext:
Subject: Action Required: Your Microsoft 365 password expires in 24 hours
Body: "Your Microsoft 365 account password will expire...
Click here to update your password: [phishing link]"
4. Create Group (target audience):
Import from CSV: First Name, Last Name, Email, Position, Department
Or: Sync from HR system or Active Directory
5. Launch Campaign:
Name: Q3-2024-IT-Helpdesk-Pretext
Email Template: [created above]
Landing Page: [created above]
Send By Date: 5 days (spread delivery to avoid triggering spam filters)
Groups: All-Staff
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Microsoft Attack Simulation Training
Microsoft 365 Defender includes built-in Attack Simulation Training (requires Microsoft 365 E5 or Defender for Office P2).
Microsoft 365 Defender > Email & Collaboration > Attack simulation training
Advantages over GoPhish:
- No external infrastructure needed
- Native M365 integration (can target specific M365 users/groups)
- Built-in training content library
- Automatic assignment of training when employee clicks
- Reporting integrated with M365 Security Score
Limitations vs. GoPhish:
- Requires E5 / Defender P2 license
- Less flexibility in template customization
- Simulations use Microsoft-owned domains (employees may recognize them over time)
Configure a simulation:
Attack simulation training > Simulations > + Launch a simulation
Simulation type:
Credential Harvest (most common): realistic login page
Link in Attachment: phishing PDF with embedded link
Attachment with malware macro text: macro-enabled document
Drive-by URL: simulates drive-by download attempt
Payload: Select from library or customize
Built-in: Microsoft credential harvest templates
Custom: Import your own HTML email template
Target users: All users, specific groups, or previous clickers
Training assignment:
Assign training modules automatically to users who click
Microsoft has built-in modules (5-15 minutes each)
Training completion tracked in the portal
Automated training assignment for repeat clickers:
In Attack Simulation Training > End User Notifications:
Create automation rule:
Trigger: User clicked simulated link
Action: Assign training module + send notification email
Training: "Recognizing and Reporting Phishing" (Microsoft built-in)
Deadline: 7 days
For repeat clickers (clicked in 2 of last 3 simulations):
Assign extended training path:
- "Phishing Fundamentals" (15 min)
- "Social Engineering Tactics" (10 min)
- "Secure Email Habits" (10 min)
Escalate to manager notification after 3 consecutive failures
Metrics, Reporting, and Improvement
Key metrics to track monthly:
1. Phishing Susceptibility Rate (PSR) by department:
PSR = (clicks + credential submissions) / emails delivered × 100
Baseline target: < 5% after 12 months of program
Alert threshold: > 20% in any department (needs targeted intervention)
2. Report Rate:
Report Rate = phishing reports submitted / emails delivered × 100
Target: > 15% (employees actively reporting suspicious email)
High report rate = employees acting as sensors, not just targets
3. Repeat Clicker Rate:
% of employees who clicked in 2+ of the last 4 simulations
These employees need individual intervention/additional training
Escalation path: IT security counseling → HR involvement (if compliance required)
4. Template difficulty-adjusted metrics:
Weight click rates by template difficulty (beginner/intermediate/advanced)
Easy template with 20% click rate = different concern than hard template with 15%
Quarterly leadership reporting template:
Executive Security Awareness Summary: Q3 2024
Phishing susceptibility trend:
Q1 2024: 28% click rate (baseline)
Q2 2024: 19% click rate (-32% improvement)
Q3 2024: 11% click rate (-61% from baseline)
Highest-risk departments:
Finance: 14% click rate (4 employees, targeted training assigned)
Customer Service: 18% click rate (scheduled targeted workshop)
Positive trends:
Report rate: 3% → 11% (employees actively reporting phishing)
Training completion: 94% of staff completed Q3 annual training
Q4 plan:
Continue monthly simulations
Executive phishing simulation scheduled for [date]
Goal: < 8% click rate by year-end
The bottom line
An effective security awareness program runs monthly phishing simulations with rotating pretexts, delivers just-in-time training immediately when employees click, and measures click rate, report rate, and repeat-clicker rate per department. Use GoPhish (free, self-hosted) or Microsoft Attack Simulation Training (E5/Defender P2). Never punish for clicking: treat it as a training moment. Target a click rate below 5% and a report rate above 15% after 12 months. Report quarterly to leadership with trend data, department comparison, and specific improvement plans for high-risk departments. Identify repeat clickers for individual intervention before they become the weakest link in a real phishing campaign.
Frequently asked questions
How often should organizations run phishing simulations?
Monthly simulations with rotating templates are the most effective cadence for driving behavioral change: annual or quarterly simulations lack the repetition needed to build automatic recognition. Monthly frequency also ensures you catch new employees who joined since the last simulation. Vary the templates across categories (IT helpdesk, HR, executive, vendor, seasonal) and difficulty levels. Some organizations add targeted high-difficulty simulations for finance and executive teams quarterly in addition to monthly all-staff simulations.
What metrics should a security awareness program track?
The three key metrics are: (1) Phishing Susceptibility Rate: the percentage who clicked or submitted credentials; target below 5% after 12 months of training; (2) Report Rate: the percentage who reported the simulation to security; target above 15%, as high report rates indicate employees are actively participating in defense; (3) Repeat Clicker Rate: employees who clicked in multiple consecutive simulations; these individuals need individual intervention, not just online training modules. Track all three metrics by department to identify where targeted workshops or policy changes are needed.
What are the most effective phishing simulation templates for enterprise training?
The most effective simulation templates (highest credential submission rates, used to train employees on realistic threats): IT helpdesk credential reset requests (urgent tone, familiar IT branding); Microsoft 365 or Google Workspace account security alerts; HR-themed messages (payroll updates, benefits enrollment, PTO policy changes); executive impersonation (an email appearing to come from the CEO or CFO requesting urgent action); and invoice or vendor payment notifications targeting finance teams. Vary difficulty: start with obvious cues (generic greetings, poor formatting) and progress to high-sophistication templates (personalized, correct logos, plausible sender names) as susceptibility rates decrease.
How do I build a phishing reporting button and what should happen when employees click it?
Phishing reporting buttons (Microsoft Report Message, KnowBe4 Phish Alert Button, Proofpoint Report Suspicious Message) let employees report suspicious emails with one click. The workflow when a report is submitted: (1) Automatically move the email to a dedicated mailbox or SOAR queue for analyst triage. (2) Check if the reported message matches an active phishing simulation (award positive feedback to the reporter). (3) If real phishing: pull headers for IOC extraction, check if other users received the same message (query mail logs by sender/subject), and block the sender and any linked URLs in your email gateway. Build positive feedback loops: send automatic 'thank you' responses to reporters (even for false positives) so employees continue reporting. High report rates are a leading indicator of security culture health.
What security awareness training topics should be included beyond phishing?
A comprehensive security awareness program should cover: (1) Password hygiene and password manager adoption (employees who understand why weak passwords are dangerous use password managers at higher rates than employees who just hear 'use a complex password'). (2) MFA enrollment and why SMS is weaker than authenticator apps. (3) Physical security: tailgating, shoulder surfing, secure document disposal. (4) Removable media risks: USB drives found in parking lots are a social engineering classic. (5) Reporting procedures: who to call, what to say, and that reporting mistakes is encouraged without punishment. (6) Home network security for remote workers: router firmware updates, WPA3, not mixing personal and work devices on the same network. Deliver training in short modules (5-10 minutes) rather than annual all-day sessions — retention drops sharply with long formats.
How do you measure whether a phishing simulation program is actually changing behavior or just training employees to recognize the simulation platform?
Program gaming is a real failure mode: employees share simulation URLs with each other, forward emails to colleagues with warnings, or learn to recognize the GoPhish or Microsoft Attack Simulator landing page domains. Detect gaming by monitoring the time-to-report metric: if a large percentage of employees report a simulation within seconds of delivery (before they could have read the email), forwards of the simulation email within the organization are occurring. Counter this by rotating the sending infrastructure (use different look-alike domains per campaign), varying the landing page hosting (not always the same subdomain pattern), and splitting the target population so not all employees receive the same template simultaneously. Use control groups: send a subset of employees a new-format template that has never been used before and compare their click rate against employees who have seen similar templates; a significant difference in click rates indicates muscle memory for recognizing the platform rather than genuine phishing recognition. Track behavior transfer by correlating simulation report rates with real phishing report rates from your mail gateway: if simulation report rates are high but real suspicious-email reports are low, employees have learned to identify simulations specifically, not phishing generally.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
