A phishing simulation is a controlled, harmless mock attack you send to your own employees to see how they react. It is not an intelligence test and not a measure of who is "smart" or "clueless". It is a measure of the culture in your organisation: do employees feel safe enough to report suspicious messages, and how quickly do they do so? How does such a simulation work technically, what does it measure (and not measure), and how do you set it up so it teaches employees rather than scares them?
What is a phishing simulation and what does it actually do?
A phishing simulation is a mock phishing attack that you (or your vendor) send to a pre-defined group of employees. The messages look like real phishing emails, but a click does not lead to an attacker. It leads to a safe landing page on your platform, where the employee gets a short explanation of what they could have recognised.
The goal is not to trick people. The goal is to make two behaviours visible: how many employees click on a suspicious message (the click rate) and how many employees report the message to IT (the report rate). Together these two numbers give a much richer picture than a classic test or e-learning score: they show how employees behave under pressure.
A well-designed phishing simulation is a recurring part of your security awareness programme, not a one-off exercise. A single measurement says little; only after twelve months can you see whether the click rate is falling and the report rate is rising, and only then do you know your programme is working.
The technical setup: from template to reporting
A phishing simulation is built from four blocks that a good platform lets you combine in a few clicks.
- A template: the look and content of the message. This can be a mock parcel-delivery email, a fake invoice, a Microsoft 365 prompt to reauthenticate, or a fake message from the IT helpdesk. A good platform offers dozens of templates per sector, in every language your organisation needs.
- An audience: who receives the message. This can be the entire organisation, a specific department, a role (all finance staff), or a random sample. A good platform synchronises audiences automatically from your HR system or Microsoft Entra ID, so new joiners are added without manual work.
- A schedule: when the message is sent. Timing influences the outcome significantly: a busy Monday morning gives different numbers than a quiet Friday afternoon. A good platform lets you plan an annual cycle in advance, so the programme runs without active management.
- A landing page and reporting: what happens after a click, and what you see back. On a click the employee gets a short explanation, the platform records who clicked and who reported, and you receive a dashboard with click and report rates by department.
What a simulation does and does not measure
A phishing simulation measures three things very well, and there are three things it does not measure. Keeping that distinction sharp matters; otherwise you draw the wrong conclusions.
What a simulation measures: the click rate (which share of employees click on a suspicious message), the report rate (which share report via the report button or helpdesk) and the time-to-first-report (how quickly anyone raises the alarm). Together these three numbers form a reliable picture of the reporting culture in your organisation.
What a simulation does not measure: the intelligence of individual employees, theoretical knowledge of phishing, or how someone will behave under real attack pressure. An employee who clicks on a well-made, AI-generated simulation is not "stupid"; they are an average user facing a realistic attack. That is exactly the kind of attack your programme should train for.
In practice this is the most important insight: an organisation with a low click rate and a low report rate is not safe. It is an organisation where people have simply stopped reporting. An organisation with an average click rate and a high report rate is resilient, because real attacks become visible quickly.
The three rules that separate learning from punishment
A phishing simulation in the wrong hands can break more than it builds. Three rules decide whether your simulation becomes a learning instrument or an instrument that undermines reporting culture.
- Measure reporting, communicate reporting, reward reporting. When someone reports a simulation, they get a short thank-you message. When a team scores well on reports, mention that in a newsletter. Make reporting visible as positive behaviour, and the rate rises month by month.
- Never punish a click. Anyone who clicks gets a short explanation: "This was a simulation. These are the three signs you could have spotted." End of story. No email to the manager, no mandatory retraining, no mention in performance reviews. A click is a learning moment, not a violation.
- Never report individual numbers to managers. Aggregated numbers per department help decide where content needs strengthening. Individual numbers to a manager: never. The moment that happens is the moment employees stop reporting, and you lose your most important defence layer against real attacks.
- Match the rhythm to organisational context. A simulation during a reorganisation or just before bonus payments feels like an aggressive act, not training. People are already unsettled, and what you damage is not the click rate but trust in the programme. A badly timed simulation can set an awareness programme back for years.
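To make the three metrics concrete (click rate, report rate and time-to-first-report from the "What a simulation measures" passage) together with the rule that only aggregated numbers per department leave the platform, here is an added example that is not part of the original article and not 2LRN4's code. It works on a constructed event log for one campaign; the user ids, departments, timestamps and the minimum group size of five below which a department is suppressed are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample event log for one simulation campaign (not real data).
# Each row: (event, user_id, department, ISO timestamp). A user can both
# click and report; both behaviours are counted, as the article describes.
EVENTS = [
    ("sent", "u01", "finance", "2026-03-02T09:00:00"),
    ("sent", "u02", "finance", "2026-03-02T09:00:00"),
    ("sent", "u03", "finance", "2026-03-02T09:00:00"),
    ("sent", "u04", "finance", "2026-03-02T09:00:00"),
    ("sent", "u05", "finance", "2026-03-02T09:00:00"),
    ("sent", "u06", "finance", "2026-03-02T09:00:00"),
    ("sent", "u07", "service", "2026-03-02T09:00:00"),
    ("sent", "u08", "service", "2026-03-02T09:00:00"),
    ("sent", "u09", "service", "2026-03-02T09:00:00"),
    ("sent", "u10", "service", "2026-03-02T09:00:00"),
    ("sent", "u11", "service", "2026-03-02T09:00:00"),
    ("sent", "u12", "board", "2026-03-02T09:00:00"),
    ("sent", "u13", "board", "2026-03-02T09:00:00"),
    ("reported", "u02", "finance", "2026-03-02T09:05:00"),
    ("clicked", "u01", "finance", "2026-03-02T09:12:00"),
    ("reported", "u04", "finance", "2026-03-02T09:20:00"),
    ("clicked", "u03", "finance", "2026-03-02T09:30:00"),
    ("reported", "u03", "finance", "2026-03-02T09:31:00"),
    ("clicked", "u12", "board", "2026-03-02T09:03:00"),
    ("clicked", "u07", "service", "2026-03-02T09:45:00"),
    ("reported", "u10", "service", "2026-03-02T09:50:00"),
    ("clicked", "u08", "service", "2026-03-02T10:10:00"),
]

# Assumption: a department smaller than this is never shown on its own,
# because a rate over two or three people identifies individuals.
MIN_GROUP_SIZE = 5


def campaign_metrics(events):
    """Click rate, report rate and time-to-first-report for a set of events."""
    sent, clicked, reported = set(), set(), set()
    campaign_start, first_report = None, None
    for event, user, _dept, stamp in events:
        ts = datetime.fromisoformat(stamp)
        if event == "sent":
            sent.add(user)
            campaign_start = ts if campaign_start is None else min(campaign_start, ts)
        elif event == "clicked":
            clicked.add(user)
        elif event == "reported":
            reported.add(user)
            first_report = ts if first_report is None else min(first_report, ts)
    n = len(sent)
    ttfr = None  # minutes from first send to first report; None if nobody reported
    if first_report is not None and campaign_start is not None:
        ttfr = (first_report - campaign_start).total_seconds() / 60
    return {
        "sent": n,
        "clicked": len(clicked),
        "reported": len(reported),
        "click_rate": len(clicked) / n if n else 0.0,
        "report_rate": len(reported) / n if n else 0.0,
        "time_to_first_report_min": ttfr,
    }


def metrics_by_department(events, min_group=MIN_GROUP_SIZE):
    """Per-department aggregates; groups below min_group are suppressed, never listed."""
    by_dept = defaultdict(list)
    for row in events:
        by_dept[row[2]].append(row)
    result = {}
    for dept, rows in by_dept.items():
        m = campaign_metrics(rows)
        if m["sent"] < min_group:
            result[dept] = {"sent": m["sent"], "suppressed": True}
        else:
            result[dept] = m
    return result


def interpret(click_rate, report_rate):
    """Read the two rates together, as the article recommends.
    The thresholds are assumptions for illustration, not figures from the article."""
    if report_rate >= 0.50:
        return "resilient"   # real attacks become visible quickly
    if click_rate < 0.10 and report_rate < 0.20:
        return "silent"      # nobody clicks, nobody reports: not safe
    return "developing"


if __name__ == "__main__":
    overall = campaign_metrics(EVENTS)
    print("overall:", overall, interpret(overall["click_rate"], overall["report_rate"]))
    for dept, m in metrics_by_department(EVENTS).items():
        print(dept, m)
```

The board department here has two recipients, so its numbers are suppressed rather than reported: a 50 percent click rate over two people is an individual result in all but name, which is exactly what the "never report individual numbers" rule is meant to prevent.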
Modern simulation forms and the feedback loop
A phishing simulation that in 2026 still only sends classic emails with broken language trains employees on an attack pattern that barely exists anymore. Realistic simulations include the modern attack techniques seen in practice.
- Classic phishing email, but in flawless language and with perfect branding, generated the way an AI attacker does it in seconds. This is the most important base type in 2026.
- Smishing (SMS phishing) to the business or registered private phone, with a short text and a shortened link. This trains employees on the device where they are least critical.
- Quishing (QR phishing) via an image in an email or on a poster. The QR code leads to a safe landing page on the platform. This practises recognising a pattern that email filters miss, because they cannot read QR codes.
- MFA fatigue scenario: a short burst of simulated push notifications or a login prompt at an odd time. This trains recognition of adversary-in-the-middle patterns and push bombing.
- The feedback loop: anyone who clicks immediately gets a short microlearning module of a few minutes with the three signs they could have spotted. No administrative aftermath, no escalation to the manager, just an immediate learning moment. This linkage between click and learning is what turns a simulation from control into training.
How to anchor this in your awareness programme
A phishing simulation is not a stand-alone activity but part of a broader awareness cycle. In practice a rhythm of four to six simulations per year works best for most organisations, alternating with short e-learning modules and periodic communication via intranet, posters or team meetings.
Start with a baseline measurement before the substantive programme begins. That gives you an honest starting point: an organisation without a focused programme usually sits at 25 to 35 percent click rate, with a 10 to 15 percent report rate. With a mature programme the click rate drops to 5 to 10 percent over twelve to eighteen months, and the report rate rises to 60 to 75 percent. Comparison with your own baseline matters more than comparison with external benchmarks: your own movement shows whether something is really changing.
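The baseline paragraph above and the FAQ answer on effectiveness both make the same point: judge the programme by the trend across campaigns, not by one measurement. The following added example (not from the original article, not 2LRN4's code) shows the difference on a constructed series of five campaigns; the campaign labels, rates and the least-squares slope used to detect the trend are assumptions chosen for illustration.

```python
# Constructed sequence of simulation campaigns over twelve months (not real data):
# (campaign label, click rate, report rate, time-to-first-report in minutes).
CAMPAIGNS = [
    ("2025-03 baseline", 0.31, 0.12, 95.0),
    ("2025-06", 0.27, 0.18, 60.0),
    ("2025-09", 0.30, 0.26, 40.0),  # click rate ticked up: one noisy measurement
    ("2025-12", 0.19, 0.41, 22.0),
    ("2026-03", 0.12, 0.58, 9.0),
]

# Direction each metric should move in a working programme:
# click rate down, report rate up, time-to-first-report down.
EXPECTED_DIRECTION = {"click_rate": -1, "report_rate": +1, "ttfr_min": -1}
METRIC_COLUMNS = (("click_rate", 1), ("report_rate", 2), ("ttfr_min", 3))


def slope(values):
    """Least-squares slope of values against campaign index 0..n-1."""
    n = len(values)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = sum(values) / n
    num = sum((i - x_mean) * (v - y_mean) for i, v in enumerate(values))
    den = sum((i - x_mean) ** 2 for i in range(n))
    return num / den


def step_verdict(previous, current):
    """Naive reading: compare one campaign with the one before it."""
    out = {}
    for key, idx in METRIC_COLUMNS:
        delta = current[idx] - previous[idx]
        out[key] = "better" if delta * EXPECTED_DIRECTION[key] > 0 else "worse"
    return out


def trend_verdict(campaigns):
    """Programme-level reading: trend over all campaigns plus change from baseline."""
    out = {}
    for key, idx in METRIC_COLUMNS:
        series = [c[idx] for c in campaigns]
        s = slope(series)
        out[key] = {
            "baseline": series[0],
            "latest": series[-1],
            "change_from_baseline": series[-1] - series[0],
            "slope_per_campaign": s,
            "moving_right_way": s * EXPECTED_DIRECTION[key] > 0,
        }
    out["programme_working"] = all(out[key]["moving_right_way"] for key, _ in METRIC_COLUMNS)
    return out


if __name__ == "__main__":
    # Looking only at campaign 2 versus campaign 3 says the click rate got worse ...
    print("single step:", step_verdict(CAMPAIGNS[1], CAMPAIGNS[2]))
    # ... while the trend over the whole year shows all three metrics moving the right way.
    for key, detail in trend_verdict(CAMPAIGNS).items():
        print(key, detail)
```

Reading campaign three in isolation would suggest the programme had stalled, because its click rate is higher than the campaign before it; the slope over all five campaigns shows the opposite, which is why comparison with your own baseline and trend matters more than any single figure.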
Connect the simulation to the real world of your organisation. Do not keep sending the same generic template, but use scenarios that match what your employees actually see in their inbox: supplier communication for finance, customer messages for service staff, IT notifications for the entire organisation. The closer the simulation sits to reality, the more an employee learns from a mistake.
And finally: keep the report button visible in the mail client, connected to a simple triage process. A high report rate is only useful if something happens with the reports: fast acknowledgment to the reporter, daily triage by the security team, and when a real attack appears, a swift warning to the rest of the organisation. Only then does the simulation become more than a stand-alone number: it becomes part of a working defence process.
Sources
- CISA: avoiding social engineering and phishing attacks
- NCSC NL: phishing overview
- SANS Security Awareness: phishing benchmarks
FAQ
What is a phishing simulation exactly?
A phishing simulation is a controlled, simulated phishing attack you send to your own employees to see how many click and how many report. It is not a real attack: a click leads to a safe landing page on the platform with a short explanation.
Should I announce simulations to employees beforehand?
Yes, in general terms. Announce at the start of the awareness programme that phishing simulations are part of it and what the purpose is. You do not announce individual simulations, which would make measurement impossible, but the general principle should be known and stated in policy.
What is a good click rate in a phishing simulation?
Without a focused programme an average organisation sits at 25 to 35 percent click rate. With a mature programme it drops to 5 to 10 percent over twelve to eighteen months. More important than the absolute figure is the movement compared to your own baseline.
Can I share individual click results with managers?
No, do not do this. As soon as employees know that their individual click behaviour reaches their manager, reporting drops sharply. With it you lose your early detection of real attacks. Aggregated numbers per department are useful for deciding where content needs strengthening.
How often should I run phishing simulations?
Four to six simulations per year works well in most organisations. More often leads to fatigue, less often offers too little practice. More important than the count is variation in form (email, smishing, quishing) and in difficulty.
What is the difference between a phishing simulation and a real phishing attack?
Technically they look alike, but in a simulation the link leads to a safe landing page on your platform instead of to an attacker. No passwords or data are stolen and no malware is installed. The only thing recorded is who clicked and who reported.
How do I know my phishing simulations are effective?
Look at three numbers over a period of six to twelve months: the click rate should drop, the report rate should rise, and the time-to-first-report should shorten. A single simulation says little; only the trend across multiple simulations shows whether the programme is working.