Choosing the right schedule for your phishing simulations

Lïa Desmousseaux de Givré

Lïa Desmousseaux de Givré

When you want to test the resilience of your company against phishing attacks, you must choose certain parameters such as your targets, the type of campaign, or the scenario.

A rarely mentioned parameter but one that greatly influences the level of compromise is the timing of your phishing simulations.

The objective of this article is to help you choose the best timing for your phishing exercises.

The importance of timing

Arsen campaign programming page

Arsen allows you to schedule your phishing campaigns at the most opportune times

The time at which you send your phishing campaign affects the attention of your employees and therefore influences the results. Choosing the right timing for your simulations is therefore an important element in their implementation.

It is also important to vary the time slots of your phishing simulations in order to avoid your employees detecting them because you test them regularly at the same time. The element of surprise is an important factor in the success of a phishing simulation. It allows you to obtain results that are closer to a real attack.

From an operational point of view, the concentration level of your employees evolves throughout the day. Depending on the time at which you carry out your phishing exercise, you will therefore obtain slightly different results.

From a legal point of view, you must — in the majority of cases — respect your colleagues' right to disconnect, which can limit you in certain cases. Let's explore this in more detail.

Decreased vigilance

At certain times, you may observe a decrease in vigilance on the part of your employees.

The end of the day or week is a period when your colleagues are more easily distracted and tend to be more vulnerable to phishing. This trend is also observed around lunch breaks, as hunger or digestion affects the level of concentration.

After-work hours also come with a decrease in vigilance. People are no longer in a professional setting but a personal one, and therefore feel personally threatened. It is very likely that your employees will be much less alert outside of working hours. If they check their emails in their personal environment, they will be more prone to distractions from their surroundings (e.g., TV on, children, etc.) and therefore perform compromising actions.

A hacker will not hesitate to exploit these decreased alertness moments. It is interesting to conduct simulations during these time slots in order to obtain practical data on the resilience of your company.

Right to disconnect

Defining time constraints with Arsen

The Arsen application allows you to define time constraints to respect the right to disconnect

Many companies are not allowed to contact their employees outside of working hours in order to respect the right to disconnect. If this applies to you, it is therefore very difficult to carry out campaigns outside of working hours.

Hackers, on the other hand, have no constraints and will not hesitate to attack your employees outside of their working hours.

It may be interesting to consider a phishing simulation during these time slots in order to make it as realistic as possible. Before scheduling such an operation, you will need to consult — and therefore inform — your HR department to ensure that you are not violating your company's policy.

Examples of phishing simulation timings

Here are a few examples of timings to inspire you for your future phishing simulations. These are generally the timings chosen by our clients when they conduct their simulations.

11:30 AM - 12:30 PM: before lunch break

Lunch break

There is a decrease in vigilance before lunch break: the break is approaching, hunger sets in, and there isn't enough time before the break to engage in a lengthy task. Therefore, there is a certain idleness when checking emails before lunch break.

5:30 PM - 6:30 PM: end of the day

Take advantage of checking emails just before leaving the office: your employees generally have low vigilance.

Your employees feel the fatigue of the end of the day and may tend to overlook security rules when opening their inbox for the last time.

In this scenario, the email must create a sense of urgency. Your employees must not ignore it until the next day. The victim must feel the need to respond or act as quickly as possible. The concept of urgency is often exploited to bypass good security practices among employees.

Afterwork: 7 PM - 8 PM

Metro photo

Ah, the afterwork! One of our favorite time slots at Arsen (for conducting phishing campaigns).

It may be interesting to schedule your campaigns during a time when there is a decrease in attention and fewer colleagues available at the office to ask for advice when receiving the email. These attacks allow you to observe an individual's behavior when facing a threat alone.


If you want to choose a timing when your employees will be more vulnerable in order to simulate "real" attacks, we recommend scheduling your phishing campaigns during the above-mentioned time slots. You will obtain a higher click rate, more exploitable results, and a more realistic view of your vulnerability to phishing.

Don't miss an article

No spam, ever. We'll never share your email address and you can opt out at any time.