How to Run a Phishing Simulation Program: Platform Selection, Templates, and Measuring Behavior Change

The right platform depends on your organization's size, budget, and whether you need a fully managed service or a self-operated tool.

KnowBe4: The market-leading platform by installed base, with the largest template library (over 50,000 phishing templates), built-in training content, and strong reporting dashboards. Notable features: PhishER for triaging employee-reported emails, AI-driven template recommendations based on industry, and the Security Awareness Proficiency Assessment (SAPA) for baseline knowledge measurement. Pricing is per-seat on annual contracts; mid-market pricing ranges from $20 to $50 per user per year depending on tier. Best suited for organizations wanting a comprehensive, self-operated platform with minimal setup friction.

Proofpoint Security Awareness Training: Strong integration with Proofpoint's email security gateway, which enables automatic simulation triggering based on real phishing themes detected in your environment. The threat-correlation feature means employees receive simulations themed around actual attacks targeting your organization rather than generic templates. Includes targeted attack protection and Very Attacked People (VAP) reporting that focuses training resources on highest-risk users. Best suited for organizations already using Proofpoint for email security.

Cofense PhishMe: Specializes in conditioning employees to report suspicious email rather than just measuring click rates. The Cofense Reporter button and the Cofense Triage platform create a complete reporting and triage workflow. Cofense's approach emphasizes building a human sensor network: employees who report phishing generate intelligence that feeds back into the simulation program. Best suited for organizations with a dedicated SOC wanting to build employee-as-sensor capability.

GoPhish (open source): A free, self-hosted phishing simulation framework with a web-based management interface. Appropriate for organizations with limited budget and internal technical capability to host and operate the platform. Limitations: no built-in training content library, no automatic reporting integrations, and requires manual template management. Sufficient for small organizations running quarterly simulations; inadequate for enterprise programs needing centralized management, learning management system (LMS) integration, and advanced cohort analytics.

Decision framework:

• Under 500 employees, budget-constrained: GoPhish plus free training content from SANS Security Awareness
• 500 to 5,000 employees: KnowBe4 Silver or Proofpoint Essentials
• 5,000+ employees or heavy email security investment: KnowBe4 Platinum, Proofpoint, or Cofense

Template difficulty determines whether simulations challenge employees appropriately as the program matures. Running only easy templates keeps click rates artificially low; running only hard templates discourages employees and inflates click rates without teaching recognizable signals.

Tier 1: Easy (use for baseline measurement and new hires) Characteristics: obvious phishing signals, generic lure, poor grammar or suspicious sender domain. Examples: password expiry notice from a generic IT@ address at a clearly wrong domain, delivery notification from a domain that slightly misspells a known carrier (fedx.com), invoice from an unknown vendor. Expected click rate for naive users: 30 to 50 percent. Use Tier 1 templates for your initial baseline simulation before training begins, and for new hire onboarding simulations.

Tier 2: Medium (primary training vehicle) Characteristics: legitimate-looking sender domain (using lookalike or subdomain spoofing), plausible business context, no obvious grammar errors. Examples: Microsoft 365 sign-in alert from a lookalike domain (microsoftonline-security.com), HR benefits enrollment reminder, DocuSign agreement from a domain mimicking a known vendor. Expected click rate for trained users: 10 to 20 percent. Tier 2 is the workhorse of a mature program: run it monthly for the general employee population.

Tier 3: Hard (for security-aware employees and executives) Characteristics: highly targeted, uses real organizational context (names, projects, vendors), sent from a convincing domain, requires no link click for credential collection (credential harvesting form hosted on a legitimate-looking page). Examples: a request from a named colleague to review a shared document on what appears to be your organization's SharePoint, a calendar invite from an executive assistant, a vishing voicemail with a callback number. Expected click rate even for trained users: 5 to 15 percent. Use Tier 3 for executives, IT administrators, and employees who have achieved below 2 percent click rates on Tier 2 simulations.

Template variety: Rotate across lure categories to prevent employees from recognizing templates by theme rather than developing genuine detection skill. Categories to rotate: IT notifications, HR communications, finance and payroll, package delivery, executive requests, vendor invoices, collaboration platform alerts (Teams, SharePoint, Zoom), and industry-specific themes.

Simulation frequency is the primary driver of behavior change. Monthly simulations consistently outperform quarterly in reducing click rates because the conditioning effect requires repetition at a frequency that keeps the skill fresh.

Recommended cadence by maturity stage:

Year 1 (baseline to trained): Monthly simulations for all employees. Run Tier 1 in the first month to establish baseline. Transition to Tier 2 by month 3. Target: reach below 10 percent click rate by month 12.

Year 2+ (maintaining behavior): Monthly simulations for general population, with Tier 3 simulations quarterly for high-risk groups (executives, IT, finance). Target: sustain below 5 percent click rate across Tier 2 templates.

Scheduling considerations: Distribute simulation sends across the week to avoid day-of-week artifacts. Sending all simulations on Tuesday morning will eventually teach employees that Tuesday emails are tests. Use your platform's randomized send window feature to spread sends across 2 to 5 business days.

Avoid simulating during: major holidays, peak business periods (quarter-close for finance teams, open enrollment for HR), immediately following layoffs or major organizational changes. Employee goodwill toward the program is a resource; burning it with poorly timed simulations produces backlash that undermines training effectiveness.

Exclusions and safe lists: Exclude executives from certain simulation types that could generate escalation noise (CFO clicking a fake invoice link may trigger a real vendor investigation). Add your phishing simulation sending domains to your email security gateway's allow list to prevent the platform's test emails from being quarantined before delivery. Many simulation platforms provide dedicated allow-listing documentation for major email security products.

Notification policy: Decide upfront whether to disclose the simulation program to employees. Most security leaders prefer disclosure: tell employees that phishing simulations will occur periodically, that clicking training links is not a punishable offense, and that reporting suspected phishing is the target behavior. Transparency builds trust and encourages reporting; surprise-based programs tend to generate HR complaints and legal questions in organizations with strong employee privacy cultures.

Just-in-time (JIT) training is the mechanism that produces behavior change. Standard annual training creates knowledge that decays rapidly. JIT training delivers a targeted learning moment at the exact moment an employee demonstrates the vulnerable behavior, when they are most receptive.

How JIT training works: When an employee clicks a simulated phishing link, instead of (or in addition to) landing on the phishing page, they are immediately redirected to a brief training module explaining: exactly what made this email a phishing attempt, the specific indicators they should have noticed (lookalike domain, urgency language, generic greeting, hover-over URL mismatch), and what to do when they encounter similar emails. The training module should be 2 to 5 minutes maximum, focused, and immediately applicable.

JIT training design principles:

• Connect the training directly to the specific template that was clicked. Generic phishing training videos shown after any click are less effective than training that references the exact indicators in the email the employee just clicked.
• Avoid shame or punitive framing. Research consistently shows that shame-based responses reduce reporting rates as employees fear the consequences of acknowledging mistakes rather than reporting them.
• End the training with a single clear action: "Next time you see an email like this, click the Phish Alert Button to report it to the security team."
• Keep the training to one key lesson per interaction. Overwhelming employees with multiple concepts after a single click reduces retention of all of them.

Configuring JIT in your platform: KnowBe4 delivers training modules automatically on click through its integrated LMS. Proofpoint Security Awareness Training links click events to targeted training assignments. Both platforms allow you to customize which training module is assigned based on the template category that was clicked, enabling topic-specific training delivery.

Tracking JIT completion: Monitor training completion rates alongside click rates. An employee who clicks and completes JIT training is more valuable to your program than one who clicks but does not complete training. Low JIT completion rates may indicate the training modules are too long, inaccessible on mobile, or blocked by corporate content filtering.

Click rate is the most-reported metric and the least predictive of real security improvement. A team of 10 people where 1 person clicks every month has a 10 percent click rate. A team of 100 where 2 different people click each month has a 2 percent click rate but double the exposure. The metrics that matter are cohort-level trends over time and the report rate.

Primary metrics:

Click rate trend by cohort: Track click rates for the same population over consecutive simulations. A 25 percent click rate in month 1 dropping to 8 percent in month 6 and 3 percent in month 12 demonstrates real behavior change. A click rate that stays flat at 15 percent across 12 months indicates the training content is not driving change.

Report rate: The percentage of simulated phishing emails that employees actively report to the security team using a reporting button or forward address. Report rate is the single best indicator of security culture maturity. Organizations with strong programs see report rates reach 25 to 40 percent within 18 months. High report rate means employees are treating suspicious emails as a shared security responsibility rather than ignoring them.

Credential submission rate: Among employees who click a simulated link, what percentage enter credentials on the landing page? Clicking a link is bad; entering credentials is significantly worse. Track this separately as an indicator of the subset of employees who require targeted intervention.

Repeat clickers: Identify employees who click in three or more consecutive simulations. Repeat clickers are high-risk individuals requiring targeted intervention beyond standard training: one-on-one coaching, role-based training, or in extreme cases, access restrictions pending training completion.

Leadership reporting format: Present quarterly to leadership using: overall click rate trend (chart), department-by-department comparison (bar chart), report rate trend, number of repeat clickers and their resolution status, and a before/after comparison against the program start baseline. Frame results as risk reduction: "Employees successfully blocked X percent of simulated phishing attempts this quarter versus Y percent one year ago, representing a Z percent reduction in credential theft risk surface."

Phishing simulation programs generate pushback from multiple directions. Anticipating and addressing these objections in the program design phase prevents them from derailing the program after launch.

HR and employee relations concerns: HR teams sometimes object to phishing simulations as deceptive or as creating a punitive culture. Address this by: framing the program explicitly as training rather than testing, establishing a written no-punishment policy for clicking (document that click data is used for program improvement and individual coaching only, never for performance reviews or disciplinary action), communicating the program to all employees before it launches, and involving HR in the program governance and reporting structure.

Legal and privacy concerns in regulated environments: In jurisdictions with strong employee privacy laws (EU member states under GDPR, California, certain Canadian provinces), email monitoring and phishing simulations may require works council or union consultation, privacy impact assessments, or explicit disclosure to employees. Consult employment counsel before launching in these jurisdictions. The specific legal requirements vary significantly by country and collective bargaining agreement.

Union considerations: In unionized environments, introducing a monitoring program (even voluntary training) typically requires good-faith bargaining with the union before implementation. Failure to do so can result in unfair labor practice charges. Involve labor relations early.

The ethics of simulation: Some practitioners and ethicists object to simulations that exploit genuinely emotionally charged lures (fake COVID notifications, fake HR termination notices, fake family emergency alerts). The counterargument is that real attackers use exactly these lures, and training employees against them with a safe simulation is more ethical than leaving them unprepared. A pragmatic middle ground: use emotionally charged lures only at Tier 3, for security-aware employees who have been explicitly told the program uses all lure types, and never use lures that could cause genuine harm if an employee acts on them outside the simulation context.