A step-by-step guide to planning, launching, and measuring phishing simulations that actually reduce your organization's risk — without burning out your security team.
Phishing attacks account for over 90% of all data breaches globally — and India saw a 175% surge in phishing incidents in 2024 alone. Yet most organizations still treat security awareness as a checkbox: a one-time annual training session that employees forget within weeks. Phishing simulations change that equation entirely.
This guide walks you through exactly how to plan, launch, and measure a phishing simulation — whether you're running your first test or optimizing a mature program.
Step 1: Define Your Objectives
Before you send a single simulated phishing email, decide what you're measuring. The most important metrics are:
- Phishing Prone Percentage (PPP): the share of users who clicked or submitted credentials
- Click rate: how many users clicked the malicious link
- Report rate: how many users flagged the email to IT or security
- Training completion rate: of those caught, what percentage finished their assigned module
Industry benchmark
The global average PPP for organizations without a security awareness program is 34%. After 90 days of simulations and training, organizations typically drop below 10%. Your 6-month target should be single digits.
Step 2: Import and Segment Your Targets
Upload a CSV of your employees or sync from your HR directory. Segmenting into groups matters because risk is not uniform across departments.
- Finance and accounts: most targeted — BEC attacks and invoice fraud
- HR teams: targeted with fake job applications containing malware
- C-suite: spear phishing and whaling using executive-impersonation templates
- New employees: those in their first 90 days are 3× more likely to click
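To make the Step 1 metrics concrete per Step 2 segment, here is an added example (not PhishShield code) that computes PPP, click rate, report rate and training completion from a constructed campaign-results CSV; the column layout and sample rows are assumptions for illustration, not a real export format.

```python
# Per-segment phishing-simulation metrics from campaign results.
# Assumed CSV layout (not a PhishShield export): user,segment,clicked,submitted,reported,training_completed
import csv
import io
from collections import defaultdict

# Constructed sample results for one campaign (not real data).
SAMPLE_RESULTS = """\
user,segment,clicked,submitted,reported,training_completed
a.rao,finance,1,1,0,1
b.shah,finance,1,0,1,0
c.iyer,finance,0,0,1,0
d.khan,finance,0,0,0,0
e.nair,hr,0,0,1,0
f.das,hr,0,0,0,0
g.bose,new_hires,1,1,0,0
h.roy,new_hires,1,0,0,1
i.sen,new_hires,0,0,1,0
"""

def load_results(text):
    """Parse CSV text into a list of row dicts with integer 0/1 flags."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"user": row["user"], "segment": row["segment"],
                     **{k: int(row[k]) for k in ("clicked", "submitted", "reported", "training_completed")}})
    return rows

def segment_metrics(rows):
    """Return {segment: metrics} plus an 'all' entry; rates are percentages of recipients."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["segment"]].append(r)
        groups["all"].append(r)
    out = {}
    for seg, members in groups.items():
        n = len(members)
        # PPP counts a user once even if they both clicked and submitted credentials.
        caught = [m for m in members if m["clicked"] or m["submitted"]]
        done = sum(m["training_completed"] for m in caught)
        out[seg] = {
            "recipients": n,
            "ppp": round(100 * len(caught) / n, 1),
            "click_rate": round(100 * sum(m["clicked"] for m in members) / n, 1),
            "report_rate": round(100 * sum(m["reported"] for m in members) / n, 1),
            # Training completion is measured over caught users only; None if nobody was caught.
            "training_completion": round(100 * done / len(caught), 1) if caught else None,
        }
    return out
```

Call `segment_metrics(load_results(SAMPLE_RESULTS))` to get one dict per segment; a segment where nobody clicked (hr in the sample) reports `training_completion` as None rather than dividing by zero.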
Step 3: Choose Your Attack Vector
- Email phishing: fake login pages, invoice attachments, IT alerts — the most common vector
- SMS smishing: attackers target employees on personal phones with fake OTP requests
- Voice phishing (vishing): automated calls impersonating IT helpdesk or banks
- QR code phishing: fake QR codes redirecting to credential-harvesting pages
Step 4: Pick or Build a Template
- IT security alerts — "Your password expires in 24 hours"
- HR communications — "Action required: update your tax declaration"
- Package delivery notifications
- Leadership requests — CEO urgently requesting a wire transfer
- Software update prompts — fake Microsoft 365 or Google Workspace logins
Step 5: Configure and Launch
Schedule campaigns Tuesday–Thursday, 9 AM–4 PM. Stagger sending across 2–4 hours. Never announce the simulation in advance — the value is measuring real behavior.
Never announce it
Informing employees or line managers before a simulation invalidates your PPP data and gives you a false picture of actual risk.
Step 6: Auto-Enroll Compromised Users
Automated training enrollment triggered the moment a user clicks is 40% more effective than end-of-campaign bulk enrollment. The teachable moment is the 30 seconds after they realize they clicked a phishing link.
Measuring Long-Term Success
Track PPP across campaigns over time. The industry standard is reaching under 5% PPP within 12 months of a consistent monthly simulation schedule. PhishShield automates every step — free plan covers 10 targets and 1 campaign/month.
Written by Arjun Mehta, Security Researcher at PhishShield