# Phishing Simulation Campaigns
## Overview
Phishing Campaigns let you test employee security awareness with realistic phishing simulations. Measure vulnerability, identify training needs, and track improvement over time.
## Why Phishing Simulations?
### The Threat
- 91% of cyberattacks start with phishing
- Average cost of a phishing breach: $4.65M
- Click rates range from 5-30% even in trained organizations
### Benefits of Simulation
- Measure actual employee behavior
- Identify high-risk individuals and departments
- Reinforce training with practical experience
- Track improvement over time
- Meet compliance requirements
## Campaign Lifecycle
1. Plan - Define campaign goals and target audience.
2. Create - Select templates and configure the campaign.
3. Launch - Send simulated phishing emails.
4. Monitor - Track opens, clicks, and submissions.
5. Report - Analyze results and identify trends.
6. Remediate - Assign training to those who failed.
## Creating a Campaign
### Campaign Setup
1. Navigate to Employees → Phishing Campaigns
2. Click Create Campaign
3. Configure basics:
   - Campaign name
   - Description
   - Start and end dates
4. Continue to template selection
### Selecting Templates
Choose phishing templates that match real threats:
| Category | Examples |
|---|---|
| Credential Theft | Fake login pages, password reset |
| Business Email | Invoice requests, executive impersonation |
| IT Alerts | System updates, security warnings |
| Social | LinkedIn, social media notifications |
| Seasonal | Holiday offers, tax season |
### Template Features
Each template includes:
- Email Template - The phishing email content
- Landing Page - Where clicks lead (fake login, etc.)
- Difficulty Level - Easy, medium, hard to detect
- Indicators - What makes it suspicious
### Customizing Templates
Personalize templates with:
- Company branding (for realistic scenarios)
- Employee name and department
- Custom sender information
- Modified landing pages
## Target Audience
### Selecting Targets
| Option | Description |
|---|---|
| All Employees | Company-wide campaign |
| By Group | Specific compliance groups |
| By Department | Target departments |
| Random Sample | Percentage of employees |
| Failed Previous | Those who failed before |
### Exclusions
Exclude employees who:
- Are on leave
- Recently completed training
- Were recently tested
- Are in sensitive roles (with approval)
## Sending Configuration
### Send Options
| Setting | Description |
|---|---|
| Send All At Once | All emails sent immediately |
| Staggered | Spread over hours/days |
| Random Times | Randomize delivery times |
| Working Hours | Only during business hours |
### Sender Settings
Configure the "from" address. Options include:
- Realistic external domains
- Internal IT impersonation
- Vendor/partner impersonation
Ensure you have proper authorization before impersonating real companies or individuals.
## Campaign Monitoring
### Real-Time Dashboard
Monitor campaign progress:
| Metric | Description |
|---|---|
| Sent | Emails delivered |
| Opened | Email opened (if tracking enabled) |
| Clicked | Link clicked |
| Submitted | Data entered on landing page |
| Reported | Reported as phishing |
### Event Timeline
View individual employee actions:
- Email delivered (timestamp)
- Email opened (timestamp)
- Link clicked (timestamp)
- Form submitted (timestamp)
- Reported as suspicious (timestamp)
## Analytics and Reporting
### Campaign Results
| Metric | Calculation |
|---|---|
| Click Rate | Clicked / Sent × 100 |
| Submission Rate | Submitted / Sent × 100 |
| Report Rate | Reported / Sent × 100 |
| Compromise Rate | Submitted / Clicked × 100 |
### Comparisons
Compare results:
- Against previous campaigns
- By department
- By seniority level
- Industry benchmarks
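As an added example (not part of this product's documentation or code), the following Python computes the Campaign Results rates from an Event Timeline log, counting each employee once per action so a repeat click is one click, reporting a rate with a zero denominator as undefined rather than 0, and breaking results down by department for the comparison above. The event log and the employee-to-department map are constructed sample data.

```python
from collections import defaultdict

# Constructed sample event log (not real campaign data). Each row mirrors one
# Event Timeline entry: (employee, action, timestamp). "delivered" is the
# dashboard's "Sent" count. Timestamps are kept so the log reads like the
# dashboard; the rates below do not depend on their order.
EVENTS = [
    ("alice", "delivered", "2024-05-01T09:00"),
    ("alice", "opened",    "2024-05-01T09:05"),
    ("alice", "clicked",   "2024-05-01T09:06"),
    ("alice", "submitted", "2024-05-01T09:07"),
    ("bob",   "delivered", "2024-05-01T09:00"),
    ("bob",   "opened",    "2024-05-01T10:12"),
    ("bob",   "reported",  "2024-05-01T10:13"),
    ("carol", "delivered", "2024-05-01T09:01"),
    ("carol", "clicked",   "2024-05-01T11:40"),
    ("carol", "clicked",   "2024-05-01T11:41"),  # repeat click: counted once
    ("carol", "reported",  "2024-05-01T11:45"),  # clicked, then reported: counts in both
    ("dave",  "delivered", "2024-05-01T09:01"),
]

# Constructed employee -> department map for the "By Department" comparison.
DEPARTMENTS = {"alice": "finance", "bob": "finance",
               "carol": "engineering", "dave": "engineering"}

# The four rates from the Campaign Results table as (numerator, denominator).
RATE_DEFINITIONS = {
    "click_rate": ("clicked", "delivered"),
    "submission_rate": ("submitted", "delivered"),
    "report_rate": ("reported", "delivered"),
    "compromise_rate": ("submitted", "clicked"),
}

def unique_actors(events):
    """Map each action to the set of employees who performed it at least once."""
    actors = defaultdict(set)
    for employee, action, _timestamp in events:
        actors[action].add(employee)
    return actors

def campaign_rates(events):
    """Compute each rate as a percentage rounded to one decimal. A rate whose
    denominator is zero (e.g. compromise rate when nobody clicked) is None."""
    actors = unique_actors(events)
    rates = {}
    for name, (num, den) in RATE_DEFINITIONS.items():
        denominator = len(actors[den])
        rates[name] = round(100 * len(actors[num]) / denominator, 1) if denominator else None
    return rates

def rates_by_department(events, departments):
    """Compute the same rates separately for each department."""
    grouped = defaultdict(list)
    for event in events:
        grouped[departments[event[0]]].append(event)
    return {dept: campaign_rates(evts) for dept, evts in grouped.items()}
```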
### Trend Analysis
Track improvement over time:
- Monthly click rate trends
- Department improvement
- Training impact correlation
## Reporting Mechanism
### Employee Reporting
Enable employees to report suspicious emails:
- Outlook Add-in - Report button in Outlook
- Gmail Add-on - Report in Gmail
- Forward to Address - Forward to security team
### Report Handling
When an employee reports an email:
1. The email is analyzed to determine whether it is a real threat or a simulation.
2. If it is a simulation, the employee is marked as "Reported" in the campaign.
3. If it is a real threat, it is escalated to the security team.
4. The employee receives feedback.
## Remediation
### Training Assignment
Auto-assign training when employees fail:
1. Enable auto-remediation in campaign settings
2. Select the training course to assign
3. Set assignment timing (immediately, or after the campaign ends)
4. Configure notifications
### Just-in-Time Training
Immediately after clicking a simulated link:
1. The employee is redirected to an educational page
2. The page shows the phishing indicators they missed
3. A short training module is completed on the spot
4. Completion is tracked
## Best Practices
### Start Easy, Progress Harder
Begin with obvious phishing. Gradually increase difficulty as awareness improves.
### Test Regularly
Monthly or quarterly campaigns maintain awareness. Annual testing isn't enough.
### Vary Templates
Use different scenarios in each campaign; otherwise, employees learn to spot specific patterns rather than phishing itself.
### Focus on Education
The goal is learning, not punishment. Use failures as teaching moments.
### Celebrate Reporting
Recognize employees who report phishing. Build a culture of reporting.
## Compliance
Phishing simulations support:
| Framework | Requirement |
|---|---|
| SOC 2 | CC2.2, CC9.2 |
| ISO 27001 | A.7.2.2 |
| NIST CSF | PR.AT-1 |