How to launch a phishing simulation to better protect your company?

Lïa Desmousseaux de Givré

Choosing your type of scenario

At Arsen, we offer two types of phishing simulations: evaluation simulations, which aim to go unnoticed by employees, and awareness simulations, which train employees when they perform potentially dangerous actions.

Evaluation simulations: knowing the employee's reaction

The silent attack aims to assess employees' reactions to phishing, a vector present in 91% of cyberattacks.

With this type of simulation, your test will be closer to reality, with a redirection to a site that has a long authentication process. When redirected, the employee's previous session will still be open, so they will feel like they have logged in using their usual procedure: they enter their login and password, click "login," and... they are connected. Therefore, they do not report anything.

However, it is not recommended to use this type of simulation too often, as your employees may take it the wrong way and feel more trapped than supported, resulting in a loss of engagement.

We recommend conducting an evaluation simulation every quarter at most to assess how the company's resilience against phishing is improving.

Integrated awareness in the simulation: the best way to make progress

The goal of the awareness simulation is to train employees to better detect phishing emails.

On the Arsen platform, the email is replayed, indicating the different clues that the employee should have detected.

Awareness campaigns train employees to detect the clues of a phishing attack.

By using this method, the employee encounters less friction. They do not need to go to an e-learning platform and are trained at the moment when they are most receptive, in a minimum amount of time and with contextualized content.

However, the major disadvantage is the possibility that colleagues may pass on the information, thus distorting the exercise's results, preventing a precise evaluation of the level of risk and sensitivity of the employees.

Choosing the targets of the simulation

It is recommended not to target the entire workforce of a company with the same phishing scenario. There is a risk that employees will warn each other if they all receive the same email at the same time.

Hackers do not proceed in this way and prefer to remain discreet.

You can choose to target a specific group or department, for example, by selecting employees who are at a higher risk or those who have undergone few simulations.

Except in exceptional cases, it is not advisable to target a single individual in your campaigns, to avoid isolating an employee during the presentation of the results.

Choosing a relevant scenario

A scenario adapted to the targets for consistent training

When choosing a phishing scenario for your simulation, it is essential that it is adapted to the selected target.

It is pointless to send a scenario impersonating a bank for unpaid fees to the marketing department. However, it is much more sensible to send this department an alert of unusual login activity on the company's Facebook or Twitter account.

Considering the difficulty of the scenario

Arsen takes into account the difficulty of the scenarios in the calculation of the employee's security score. If an employee fails during a very difficult campaign, they will be less penalized than if it were easy to detect, and vice versa.

It is also important to vary the difficulty levels of the tests you perform. If an employee only receives complex exercises in their inbox, they may become disengaged and stop improving.

On the other hand, if you only program very simple scenarios, your employees may consider that a phishing email is easy to detect and may not recognize a more advanced phishing email.

Scheduling the date and time of the phishing campaign

All that remains is to choose the date and time, a crucial step for varying the difficulty and surprising employees.

We have written an article about the best times for a phishing simulation to help you choose the best time slot for your training.

Your company may be subject to rules regarding work-life balance or disconnection. Hackers would happily ignore them, but Arsen allows you to respect them.

We recommend varying the times and days of your phishing simulations. If you schedule your test every first Monday of the month at 12 pm, your employees may quickly understand the pattern, which will distort the results.
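One way to apply this scheduling advice, as an added example that is not Arsen's code: the planner below draws campaign slots at random inside assumed working hours and refuses to reuse a weekday-and-hour pair from earlier campaigns. The function names, the Monday-to-Friday 09:00-18:00 window, the one-week minimum gap and the sample history are all assumptions.

```python
import random
from datetime import date, datetime, time, timedelta

# Assumed policy: sends allowed Monday-Friday, 09:00-18:00 (adjust to your rules).
WORK_START, WORK_END = time(9, 0), time(18, 0)
WORKDAYS = {0, 1, 2, 3, 4}

# Constructed history: earlier campaigns all sent on a Monday at noon.
HISTORY = [datetime(2024, 1, 8, 12, 0), datetime(2024, 2, 5, 12, 0)]

def candidate_slots(start, end, step_minutes=30):
    """List every send slot inside working hours from start to end (inclusive)."""
    slots, day = [], start
    while day <= end:
        if day.weekday() in WORKDAYS:
            t = datetime.combine(day, WORK_START)
            while t.time() < WORK_END:
                slots.append(t)
                t += timedelta(minutes=step_minutes)
        day += timedelta(days=1)
    return slots

def plan_campaigns(start, end, count, history=(), min_gap_days=7, seed=None):
    """Draw `count` random slots with no repeated (weekday, hour) pattern.

    A slot is rejected if its weekday/hour pair was used in `history` or earlier
    in this plan, or if it falls within `min_gap_days` of an already chosen slot.
    """
    rng = random.Random(seed)
    slots = candidate_slots(start, end)
    rng.shuffle(slots)
    used = {(h.weekday(), h.hour) for h in history}
    plan = []
    for slot in slots:
        pattern = (slot.weekday(), slot.hour)
        too_close = any(abs((slot.date() - p.date()).days) < min_gap_days for p in plan)
        if pattern in used or too_close:
            continue
        plan.append(slot)
        used.add(pattern)
        if len(plan) == count:
            return sorted(plan)
    raise ValueError("window too small for the requested number of campaigns")

if __name__ == "__main__":
    for slot in plan_campaigns(date(2024, 4, 1), date(2024, 6, 28), 3, HISTORY):
        print(slot.strftime("%A %Y-%m-%d %H:%M"))
```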


In this article, we have seen the key steps to set up a phishing campaign, whether it is to evaluate or raise awareness among your employees.

We have seen how to configure a campaign that matches your objectives and employee groups to improve the effectiveness of your awareness operations.

Whether for evaluation or training, we offer maximum flexibility to faithfully reproduce even advanced attacks and protect you from the risk of your employees being manipulated in cyberattacks.
