Most phishing simulation programs are theater. They send a quarterly email pretending to be the CEO asking for gift cards, count the click rate, send a bored compliance training video, and call it a year. Click rates rarely move. Here's what actually works.
Why typical programs fail
- Predictable cadence. If users know quarterly tests are coming, they pay attention for one week. Three months later they're back to normal.
- Generic templates. The fake-DocuSign template fools no one with two years of experience. Real adversaries write custom lures targeting the actual business.
- Punitive culture. When clicking means getting publicly shamed in a Slack channel, users hide near-misses instead of reporting them — and your detection signal disappears.
- No follow-through. The training video plays. The phishing report email goes to a noreply@ address. The user gets no individualized feedback.
What does work
1. Continuous, randomized simulation
Run small batches every week instead of one large campaign each quarter, and give different users different lures, so nobody can predict when a test is coming or what it will look like.
2. Templates that match real threats
Replace the generic templates with what attackers actually send today. Browser-update lures, Microsoft 365 token-theft pages, vendor-impersonation invoices, OAuth consent prompts. Refresh templates monthly based on what threat intel teams (including ours) are actually seeing in the wild.
3. The reporting habit, not the click metric
The right primary metric isn't click rate. It's report rate. A user who reports a real phishing email — even after also clicking it — has just given the security team a working signal. Optimize for reporting and detection follows.
Make the report button one click in Outlook or Gmail. Acknowledge every report individually. Publicly thank top reporters. The cultural shift is the entire program.
4. Just-in-time microlearning
If a user clicks a simulation, they get a 60-second interactive page at the moment of the click — not a calendared training session next week. The teaching moment is the moment of failure. Cognitive science calls this contextual learning. It works.
5. Track the people who are real targets
Executives, finance, IT admins, and HR are the high-value targets in every breach. Their simulation cadence should be 3–4× higher than the rest of the organization. Their training should be specifically relevant to the lures real attackers use against them.
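A concrete way to schedule the weekly batches described in steps 1 and 5 is weighted random sampling: every week a small, fixed-size batch is drawn with high-value roles weighted more heavily, and each chosen user gets a lure picked at random from the current template catalogue, never the one they saw last. The script below is an added example, not code from the original post or from any product; the roster, role names, template names and the 3.5x weight (the midpoint of the 3-4x cadence above) are all constructed for illustration.

```python
"""Weekly randomized phishing-simulation batch selection (added example).

Illustrates continuous, randomized simulation with a higher cadence for
high-value roles. The roster, role weights and template names are
constructed for this example and are not any program's real data.
"""
import random
from collections import Counter

# Constructed roster: (user id, role). A real program would pull this from the directory.
ROSTER = [
    ("u01", "finance"), ("u02", "finance"), ("u03", "exec"), ("u04", "it-admin"),
    ("u05", "hr"), ("u06", "sales"), ("u07", "sales"), ("u08", "sales"),
    ("u09", "engineering"), ("u10", "engineering"), ("u11", "engineering"),
    ("u12", "support"), ("u13", "support"), ("u14", "marketing"), ("u15", "legal"),
]

# Roles named above as high-value targets get a higher sampling weight.
HIGH_VALUE_ROLES = {"exec", "finance", "it-admin", "hr"}
HIGH_VALUE_MULTIPLIER = 3.5  # assumed midpoint of the "3-4x" cadence

# Constructed template catalogue, grouped by the lure families named above.
TEMPLATES = {
    "browser-update": ["chrome-update-v1", "edge-update-v1"],
    "m365-token": ["m365-reauth-v2", "m365-shared-file-v1"],
    "vendor-invoice": ["vendor-invoice-overdue-v3"],
    "oauth-consent": ["oauth-consent-app-v1"],
}


def sampling_weight(role):
    return HIGH_VALUE_MULTIPLIER if role in HIGH_VALUE_ROLES else 1.0


def pick_weekly_batch(roster, batch_size, rng):
    """Weighted sampling without replacement: each draw picks one user with
    probability proportional to weight, then removes them from the pool."""
    pool = list(roster)
    chosen = []
    while pool and len(chosen) < batch_size:
        weights = [sampling_weight(role) for _, role in pool]
        idx = rng.choices(range(len(pool)), weights=weights, k=1)[0]
        chosen.append(pool.pop(idx))
    return chosen


def assign_lures(batch, templates, rng, last_template):
    """Give each user a random template, excluding the one they received last
    so nobody sees the same lure twice in a row."""
    all_templates = [t for family in templates.values() for t in family]
    assignments = {}
    for user, _role in batch:
        candidates = [t for t in all_templates if t != last_template.get(user)]
        assignments[user] = rng.choice(candidates)
    return assignments


def simulate_year(roster, batch_size=4, weeks=52, seed=7):
    """Run a year of weekly batches. Returns (sends per user, per-week assignments)."""
    rng = random.Random(seed)
    sends_per_user = Counter()
    last_template = {}
    history = []
    for _ in range(weeks):
        batch = pick_weekly_batch(roster, batch_size, rng)
        lures = assign_lures(batch, TEMPLATES, rng, last_template)
        for user, tmpl in lures.items():
            sends_per_user[user] += 1
            last_template[user] = tmpl
        history.append(lures)
    return sends_per_user, history


def cadence_ratio(sends_per_user, roster):
    """Mean sends per high-value user divided by mean sends per everyone else."""
    hv = [sends_per_user[u] for u, r in roster if r in HIGH_VALUE_ROLES]
    rest = [sends_per_user[u] for u, r in roster if r not in HIGH_VALUE_ROLES]
    return (sum(hv) / len(hv)) / (sum(rest) / len(rest))


if __name__ == "__main__":
    sends, history = simulate_year(ROSTER)
    print("week 1 assignments:", history[0])
    print("realized high-value cadence ratio: %.2f" % cadence_ratio(sends, ROSTER))
```

One design point worth checking in your own program: because each batch is drawn without replacement, the high-value pool is depleted within a batch and the realized cadence ratio lands below the nominal multiplier. Measure it with something like cadence_ratio over a simulated year and tune the weight until the ratio you actually get matches the 3-4x target.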
What we measure
- Report rate — primary indicator of culture and capability.
- Time to first report — how fast does the first user notice a wave?
- Click rate by role — segment-specific so finance and IT admins are tracked separately.
- Repeat-clicker rate — concentrated risk that needs targeted intervention, not org-wide training.
- Real-world parity — quarterly comparison of simulation results vs. actual phishing campaigns hitting the tenant.
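The first four measures above are simple to compute once simulation sends, clicks and reports land in one event log. The script below is an added example (not the post's or any vendor's reporting code) that derives report rate, time to first report per wave, click rate by role and repeat-clicker lists from a small constructed log; the event shape and field names are assumptions for this example. Note how a user who clicks and then reports still counts as a report, which is the behaviour the reporting-habit section asks for.

```python
"""Phishing-simulation metrics from an event log (added example).

The event record format (wave, user, role, event, time) is an assumption
for this example; the log itself is constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime


def ts(s):
    return datetime.fromisoformat(s)


# Constructed event log: one "sent" per recipient per wave, plus any
# "clicked" / "reported" actions. Timestamps are ISO 8601, UTC assumed.
EVENTS = [
    # wave w1: 6 recipients
    {"wave": "w1", "user": "u01", "role": "finance",  "event": "sent",     "time": "2024-03-04T09:00:00"},
    {"wave": "w1", "user": "u02", "role": "finance",  "event": "sent",     "time": "2024-03-04T09:00:00"},
    {"wave": "w1", "user": "u03", "role": "it-admin", "event": "sent",     "time": "2024-03-04T09:00:00"},
    {"wave": "w1", "user": "u04", "role": "sales",    "event": "sent",     "time": "2024-03-04T09:00:00"},
    {"wave": "w1", "user": "u05", "role": "sales",    "event": "sent",     "time": "2024-03-04T09:00:00"},
    {"wave": "w1", "user": "u06", "role": "sales",    "event": "sent",     "time": "2024-03-04T09:00:00"},
    {"wave": "w1", "user": "u01", "role": "finance",  "event": "clicked",  "time": "2024-03-04T09:12:00"},
    # u01 clicked and then reported: the report still counts as a signal
    {"wave": "w1", "user": "u01", "role": "finance",  "event": "reported", "time": "2024-03-04T09:15:00"},
    {"wave": "w1", "user": "u03", "role": "it-admin", "event": "reported", "time": "2024-03-04T09:06:00"},
    {"wave": "w1", "user": "u04", "role": "sales",    "event": "clicked",  "time": "2024-03-04T10:30:00"},
    # wave w2: 4 recipients
    {"wave": "w2", "user": "u01", "role": "finance",  "event": "sent",     "time": "2024-03-11T14:00:00"},
    {"wave": "w2", "user": "u04", "role": "sales",    "event": "sent",     "time": "2024-03-11T14:00:00"},
    {"wave": "w2", "user": "u05", "role": "sales",    "event": "sent",     "time": "2024-03-11T14:00:00"},
    {"wave": "w2", "user": "u06", "role": "sales",    "event": "sent",     "time": "2024-03-11T14:00:00"},
    {"wave": "w2", "user": "u04", "role": "sales",    "event": "clicked",  "time": "2024-03-11T14:20:00"},
    {"wave": "w2", "user": "u05", "role": "sales",    "event": "reported", "time": "2024-03-11T14:03:00"},
]


def _pairs(events, kind):
    """Distinct (wave, user) pairs carrying the given event kind, so a user
    who clicks the same lure twice is counted once."""
    return {(e["wave"], e["user"]) for e in events if e["event"] == kind}


def report_rate(events):
    """Share of simulation recipients who reported, regardless of clicking."""
    sent, reported = _pairs(events, "sent"), _pairs(events, "reported")
    return len(reported & sent) / len(sent)


def click_rate_by_role(events):
    """Click rate segmented by role, so finance and IT admins are tracked separately."""
    sent, clicked = defaultdict(set), defaultdict(set)
    for e in events:
        if e["event"] == "sent":
            sent[e["role"]].add((e["wave"], e["user"]))
        elif e["event"] == "clicked":
            clicked[e["role"]].add((e["wave"], e["user"]))
    return {role: len(clicked[role]) / len(sent[role]) for role in sent}


def time_to_first_report(events):
    """Seconds from a wave's first send to its earliest report; None if nobody reported."""
    first_send, first_report = {}, {}
    for e in events:
        if e["event"] == "sent":
            target = first_send
        elif e["event"] == "reported":
            target = first_report
        else:
            continue
        w, t = e["wave"], ts(e["time"])
        if w not in target or t < target[w]:
            target[w] = t
    return {w: (first_report[w] - first_send[w]).total_seconds() if w in first_report else None
            for w in first_send}


def repeat_clickers(events, min_waves=2):
    """Users who clicked in at least min_waves distinct waves: the concentrated
    risk that needs targeted intervention rather than org-wide training."""
    waves_clicked = defaultdict(set)
    for e in events:
        if e["event"] == "clicked":
            waves_clicked[e["user"]].add(e["wave"])
    return sorted(u for u, ws in waves_clicked.items() if len(ws) >= min_waves)


if __name__ == "__main__":
    print("report rate:", report_rate(EVENTS))
    print("click rate by role:", click_rate_by_role(EVENTS))
    print("time to first report (s):", time_to_first_report(EVENTS))
    print("repeat clickers:", repeat_clickers(EVENTS))
```

Real-world parity, the fifth measure, needs a second feed of confirmed real phishing waves with their first-report times; the same time_to_first_report logic applies to that feed once its events are mapped into the same record shape.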
Click rate measures the program's quality, not the user's quality. If your click rate is high, the lures probably aren't realistic enough.
Real-world results
In customer environments running this approach for 12 months, we've observed:
- Median click rate dropped from 14% → 3%.
- Report rate climbed from 2% → 38%.
- Median time-to-report on real phishing campaigns dropped from 4 hours → 8 minutes.
- Two confirmed real-world AiTM (adversary-in-the-middle) phishing campaigns were caught and contained because users reported them within minutes of the first wave hitting.