Phishing is consistently among the most common ways attackers get their first foothold in an organization, so running simulated phishing attacks is a no-brainer for any corporate security strategy. But not all phishing training programs are created equal.

A good simulated phishing training program will lead to lower click-through rates (the share of recipients who follow the lure) and higher reporting rates (the share who flag the message to security). An outstanding program will do the same things and help users become more security savvy by treating them as partners, not liabilities.

At the end of the day, phishing training is all about changing user behavior.

So, whether you’re evaluating a vendor’s program or designing your own, a successful simulated phishing training program should:


1. Teach users to recognize and avoid threats.

Before you do any simulated phishing, educate your users. Remember, the goal is not to trick people. Because you want them to succeed and be part of the solution, start by teaching users about existing threats. (And make the training as relevant and engaging as you can—dull trainings are quickly forgotten.)

Users should be familiar with current cyberthreats, including:

  • General social engineering attacks—attempts to deceive users into divulging sensitive information or taking an unsafe action
  • Suspicious emails—messages that appear to come from internal or external senders but were actually sent by scammers
  • Malicious links—links to spoofed websites, typically built to harvest credentials
  • Infected attachments—emailed files that carry malware, for example Office documents with malicious macros
  • Malvertising—advertisements that send users to malicious sites or that themselves carry malicious code
  • Smishing—phishing via text (SMS) message
  • Vishing—phishing by phone call or voicemail

Knowing about these threats is important, but it’s even more important that users recognize and avoid these dangers when they come across them.

Once your users are familiar with the basics, let them know that a phishing test is coming their way sometime soon—and then go phishing!




2. Assess users’ knowledge and reactions.


If this is your first phishing go-around, maybe go with a straightforward test; something with obvious red flags. If your users should know better, turn up the difficulty. Imitate an IT team member’s email or something unexpected, like Facebook, Capital One, or FedEx. Whatever pretext you use, clear it with legal and HR first, warn the help desk so they can field the reports, and have the landing page record only that a credential was entered, never the credential itself.

Whatever your phishing approach, make sure you’re collecting data through the process. Look for trends across different teams or departments or for users that consistently struggle (as well as those who pass with flying colors).
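The metrics that make the collected data useful are per-department click and report rates, the trend of those rates between rounds, and the individuals who click repeatedly or report consistently. The script below is an added example, not code from the original article or from BrainStorm: it computes those numbers from constructed sample rows (the field layout and names are assumptions, not any vendor’s export format).

```python
"""Campaign metrics for a simulated-phishing program.

Added example, not from the original article: computes per-department
click-through and report rates across several campaigns from constructed
sample data, and flags repeat clickers and consistent reporters so that
follow-up training can be targeted rather than one-size-fits-all.
The field names and sample rows are assumptions, not a real vendor's export.
"""
from collections import defaultdict

# Constructed sample data: one row per (campaign, user) who received the lure.
# clicked  -> followed the link; reported -> used the report-phishing button.
# A user can do both (erin in 2024-Q2 clicked, then reported).
EVENTS = [
    # campaign, user, department, clicked, reported
    ("2024-Q1", "alice", "finance", True,  False),
    ("2024-Q1", "bob",   "finance", False, True),
    ("2024-Q1", "carol", "eng",     False, True),
    ("2024-Q1", "dave",  "eng",     True,  False),
    ("2024-Q1", "erin",  "sales",   True,  False),
    ("2024-Q2", "alice", "finance", True,  False),
    ("2024-Q2", "bob",   "finance", False, True),
    ("2024-Q2", "carol", "eng",     False, True),
    ("2024-Q2", "dave",  "eng",     False, False),
    ("2024-Q2", "erin",  "sales",   True,  True),
]


def department_rates(events):
    """Click-through and report rate per department, across all campaigns.

    Rates are fractions of delivered lures. A department that never clicks
    but also never reports shows up as 0.0/0.0; silent non-clickers are not
    a win, because an unreported real phish still reaches everyone else.
    """
    sent = defaultdict(int)
    clicked = defaultdict(int)
    reported = defaultdict(int)
    for _, _, dept, did_click, did_report in events:
        sent[dept] += 1
        clicked[dept] += did_click
        reported[dept] += did_report
    return {
        dept: {
            "sent": sent[dept],
            "click_rate": round(clicked[dept] / sent[dept], 2),
            "report_rate": round(reported[dept] / sent[dept], 2),
        }
        for dept in sorted(sent)
    }


def trend(events, dept):
    """Click rate of one department per campaign, oldest first, to check
    whether the rate is actually falling between rounds."""
    per_campaign = defaultdict(lambda: [0, 0])  # campaign -> [sent, clicked]
    for campaign, _, d, did_click, _ in events:
        if d == dept:
            per_campaign[campaign][0] += 1
            per_campaign[campaign][1] += did_click
    return [(c, round(n_click / n_sent, 2))
            for c, (n_sent, n_click) in sorted(per_campaign.items())]


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns.

    A single click is noise; a pattern is a training gap, and these are the
    people to follow up with individually (and tactfully).
    """
    clicks = defaultdict(set)
    for campaign, user, _, did_click, _ in events:
        if did_click:
            clicks[user].add(campaign)
    return sorted(u for u, cs in clicks.items() if len(cs) >= min_campaigns)


def consistent_reporters(events):
    """Users who reported in every campaign they received; worth recognising,
    because visible positive examples shift behaviour more than scolding."""
    received = defaultdict(set)
    reported = defaultdict(set)
    for campaign, user, _, _, did_report in events:
        received[user].add(campaign)
        if did_report:
            reported[user].add(campaign)
    return sorted(u for u in received if reported[u] == received[u])


if __name__ == "__main__":
    for dept, stats in department_rates(EVENTS).items():
        print(f"{dept:8} {stats}")
    print("eng trend:", trend(EVENTS, "eng"))
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("consistent reporters:", consistent_reporters(EVENTS))
```

On the sample data, finance clicks at 50% in both rounds (flat, so the training there is not landing), eng drops from 50% to 0%, and sales clicks every time but did report in the second round, which is the behavior the remediation step should reinforce rather than punish.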

The best simulated phishing training programs avoid a ‘one size fits all’ approach. If the goal is to treat users as partners and help them become more security conscious, then you need to actually understand your users’ motivations. (Shocking, we know.)

Graphs and charts are helpful, but don’t underestimate the power of user feedback. Throw in surveys, polls, and assessments every now and then to understand where your people are coming from.

For example, if users take the phishing bait, redirect them to relevant new content such as a quick survey question about why they thought the email link was legitimate. There’s a big difference between users who happily give out private information to anyone who asks and those who are so overwhelmed with other responsibilities that they don’t notice red flags, and the remediation should differ accordingly.

Knowing about your users’ self-awareness is a big help, especially when it comes time to . . .


3. Tactfully remediate user behavior.


Administrative response is one of the most important parts of a successful phishing training program—and it’s where most companies go awry.

You can hope most people will see phishing attempts for what they are—but inevitably, someone will fall for the bait. The secret to getting users to learn from their mistakes and change their behavior largely comes down to your response.

Here are a few pro tips for tactfully correcting user behavior:

  • Tell users right away, while the experience is fresh in their mind.
  • Create a human tone on your phishing landing page. Be up front about the situation, but remember—no one likes being patronized, berated, humiliated, or shamed for their mistakes.
  • Don’t threaten anybody’s job for failing a phishing test. If someone fails the test, it’s a sign that there’s a disconnect between the training and their behavior—so adjust your strategy.
  • Still treat every user like a partner, not a liability. Remember, you want them to feel motivated and empowered to change.

Clearly, these users need a little more training, and that’s fine—we all learn by repetition. (Just remember to keep the training upbeat and engaging.) And if you’ve been tracking data, this is the time to make good use of it.

If users still aren’t recognizing threats, prescribe more security awareness training. If software habits are putting them more at risk, suggest some alternate options—for example, using Teams or a similar platform to lessen their dependence on email.

The tone you set in your response and remedial training will go a long way toward helping users change their behavior on a fundamental level.


4. Regularly repeat the process.


Provide relevant training, strategically phish your users, and respond tactfully, and you’ve got a solid simulated phishing training program on your hands.

But if you only put users to the test once a year, they’re bound to forget and fall back into bad habits before too long. We’ve all experienced it—a couple of weeks after a meeting or security awareness training, we only recall bits and pieces of what we learned.

To combat the forgetting curve, make your security training an iterative process. Run campaigns regularly but on an unpredictable schedule, vary the lures, and adjust your strategy after each round of faux phishing to better target weaknesses in users’ awareness, tools, and habits.




Results of a successful simulated training program


As you follow these steps and repeat the process, you’re taking a strong proactive approach to securing your org against external threats. You’re finding and patching holes in your defense—instead of waiting around for scammers to find the holes for you.

In practice, a successful simulated training program looks like:

  • Fewer successful phishing attempts, and less compromised data when one does get through
  • Ongoing security awareness training that targets common weaknesses
  • A “do this, not that” approach that rewards positive behaviors while avoiding chastisement
  • Excited, empowered users who change their work habits to be more secure

And if users see you as a helpful, strategic partner in the end—that’s just a welcome perk.

Just for the record, this isn’t an idealistic, hypothetical kind of training program. It’s absolutely possible to achieve these kinds of results—we promise.

If you’d like our two cents on how to fundamentally change your end users’ security habits, check out BrainStorm Threat Defense.