
Run An Effective Simulated Phishing Campaign - Here's How!

Emma Woods

We recently wrote a blog on the reasons why running simulated phishing campaigns can create a security risk for your organisation. Now here's how you can get your first simulated phish up and running in no time at all.



Step 1 - Select a Partner

“Do not try this at home” is the first (and easiest) step. That’s because, for starters, the time and effort you will put into getting this working, with domains, web pages, reporting etc., will start you off at a loss. Just choose a partner (and there are some really good free tools) to work with and away you go!

A partner experienced in this area will be able to steer you away from some of the gotchas and make sure that you get the maximum value from the exercise.

Step 2 - Create a Programme

A well-structured simulated phishing programme should sit alongside your Security Awareness programme, and tie into any compliance, audit or regulatory requirements you have. It should:

  • Allow you to track improvement
  • Present a format which is better for audit and compliance purposes
  • Provide better management data
  • Increase user acceptance
  • Make your business more secure

Step 3 - Inform your Workforce

This can divide opinion under “best practice”, but no matter what objections I hear I always endorse being open and up-front about running simulations with your staff… WHY? Because you need them to buy into your Security Awareness programme!!!

If you do not inform them, you run the risk that they will feel like you are trying to catch them out, which is not the objective here. My recommendation would be to put out a notice sponsored by the board highlighting:

- This is what we are doing - Your simulated phishing plan

- This is why we are doing it - To understand whether our security awareness plan is working

- This is how it will benefit the business

- This is how it will benefit you

- This is what the business expects of you

- This is what you should expect of the business

Step 4 - Mix it Up

One of the biggest challenges with simulated phishing is ensuring the validity of results. If one employee spots your simulation and informs others, it could ruin your well-crafted efforts. A couple of ways that you could avoid this would be to:

- Mix up the type of attack you are doing, use different templates and spear phishing approaches

- Target small representative samples of your workforce

- Spread the simulation out with logical time between each

* Remember, this is part of your Security Awareness programme and is an ongoing initiative

Step 5 - Record your Results

This might sound like an obvious one but it’s so crucial it had to go in. Recording your results will allow you to analyse them over time, understand where your risk areas are and see trends in the data. The workforce is a moving target, which makes it hard to quantify, so the more information you have the better understanding you will have moving forward.
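Steps 4 and 5 together describe a procedure: draw small, representative samples of the workforce, rotate the lure between waves, space the waves out in time, and keep the results so that trends can be read later. The Python script below is an added example, not code from the original post or from any partner platform, showing how a programme owner might do that bookkeeping on the defender's side. The workforce, department names, template names and outcomes are all constructed for the example; in a real programme the outcomes would come from the partner tooling chosen in Step 1.

```python
"""Plan stratified simulated-phishing waves and track results over time."""
from collections import defaultdict
from datetime import date, timedelta
import random

OUTCOMES = ("ignored", "clicked", "reported")

# Constructed sample workforce; ids and departments are made up for the example.
WORKFORCE = [
    {"id": "u01", "dept": "finance"}, {"id": "u02", "dept": "finance"}, {"id": "u03", "dept": "finance"},
    {"id": "u04", "dept": "sales"}, {"id": "u05", "dept": "sales"}, {"id": "u06", "dept": "sales"},
    {"id": "u07", "dept": "it"}, {"id": "u08", "dept": "it"}, {"id": "u09", "dept": "it"},
]

# Hypothetical lure themes to rotate between waves (Step 4: "mix it up").
TEMPLATES = ["invoice-reminder", "password-expiry", "shared-document"]


def plan_waves(workforce, n_waves, templates, start, spacing_days, seed=0):
    """Split the workforce into n_waves stratified samples.

    Each department is shuffled and dealt round-robin across the waves, so every
    wave is a small cross-section of the organisation rather than one whole team
    (which limits how far one employee's warning can spread). Consecutive waves
    use a different template and are spaced spacing_days apart.
    """
    rng = random.Random(seed)  # fixed seed keeps the plan reproducible for audit
    waves = [
        {
            "wave": i + 1,
            "send_date": start + timedelta(days=i * spacing_days),
            "template": templates[i % len(templates)],
            "targets": [],
        }
        for i in range(n_waves)
    ]
    by_dept = defaultdict(list)
    for person in workforce:
        by_dept[person["dept"]].append(person)
    for people in by_dept.values():
        rng.shuffle(people)
        for idx, person in enumerate(people):
            waves[idx % n_waves]["targets"].append(person["id"])
    return waves


def record_result(results, wave, user_id, dept, outcome):
    """Append one observation (Step 5); reject anything outside the known outcome set."""
    if outcome not in OUTCOMES:
        raise ValueError(f"unknown outcome {outcome!r}; expected one of {OUTCOMES}")
    results.append({"wave": wave, "user": user_id, "dept": dept, "outcome": outcome})


def metrics(results, key="wave"):
    """Click and report rates grouped by 'wave' (trend over time) or 'dept' (risk areas)."""
    groups = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in results:
        g = groups[r[key]]
        g["sent"] += 1
        if r["outcome"] in ("clicked", "reported"):
            g[r["outcome"]] += 1
    return {
        k: {
            "sent": g["sent"],
            "click_rate": round(g["clicked"] / g["sent"], 3),
            "report_rate": round(g["reported"] / g["sent"], 3),
        }
        for k, g in sorted(groups.items())
    }


def demo():
    """Plan three fortnightly waves, record constructed outcomes, return both views."""
    waves = plan_waves(WORKFORCE, 3, TEMPLATES, date(2020, 3, 2), spacing_days=14)
    results = []
    # Constructed outcomes, as a tracking platform would hand them back.
    for wave, user, dept, outcome in [
        (1, "u01", "finance", "clicked"), (1, "u04", "sales", "reported"), (1, "u07", "it", "ignored"),
        (2, "u02", "finance", "clicked"), (2, "u05", "sales", "clicked"), (2, "u08", "it", "reported"),
    ]:
        record_result(results, wave, user, dept, outcome)
    return waves, metrics(results, "wave"), metrics(results, "dept")


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The by-department view is what tells you where the risk areas are; the by-wave view is the trend line the post asks you to keep, and it only means something if the waves were sampled the same way each time.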

Read more in our full guide to phishing, what to expect and how to avoid it.

