Successfully conducting a phishing simulation

Lïa Desmousseaux de Givré

Lïa Desmousseaux de Givré

BEGINNING OF CONTENT Why conduct a fake phishing exercise?

Phishing is the entry point for 91% of attacks*. The objective of phishing simulations is to prevent the hacking of your company to avoid financial losses, loss of sensitive information, and damage to your reputation. Your information systems and production can be heavily impacted by these threats. That's why it's important to prepare for phishing through realistic training.

According to Euler Hermes, it is common during these simulations to obtain a click rate higher than 20%. This is a high number considering the consequences that can result from just one click. Getting 10/10 on a quiz is much simpler than identifying a phishing email in a real-life situation.

Phishing emails are not necessarily synonymous with spelling mistakes and obvious scams. Some publicly available information allows hackers to reach you with personalized, highly plausible, and realistic emails.

The human element

In phishing simulations, practical implementation occurs in a different emotional context. A phishing attack relies on social engineering, where the hacker uses various psychological levers to compromise the victim.

Curiosity, pride, or willingness to help, for example, can lower the victim's vigilance, making them more vulnerable.

Because hackers use these manipulation levers, there is a noticeable difference between the theoretical scores obtained in quizzes and the results of simulations.

Quizzes and theoretical awareness operations do not replicate the emotional state in which the victim finds themselves at the time of compromise. It is therefore necessary to carry out realistic simulations, much closer to the reality faced by phishing victims.

Different types of phishing simulations

At Arsen, we are used to seeing two different types of phishing simulations.

You can opt for a simulation called a silent attack, or a awareness campaign by informing your employees of their mistake immediately after committing it.

The silent attack

The silent attack allows you to know the behavior of your employees in a real-life situation, resembling a typical hacker attack.

Example of data that a hacker can collect during a credential harvesting attack.

If you use Arsen, you obtain, just like the hacker, an excerpt of the entered data (excluding the password) as well as information about the equipment used (mobile, computer, VPN, etc.).

Once the user is compromised, they are redirected to legitimate pages, error pages, or to services on which the user is already authenticated in order to reduce post-compromise suspicion levels.

For example, the target enters their login credentials and is then redirected to Gmail, where they are probably already authenticated. If the user session remains open, they will have the impression of having logged in as they normally would.

The awareness campaign

During an awareness campaign, when an employee makes a mistake, they are redirected to an awareness page. This page allows them to adopt better reflexes at the most opportune moment. With this option, you obtain instant and highly engaging awareness.

It is likely that employees will notify their colleagues before they become aware of the test. It only takes one person to raise the alert in the team to strengthen their security score and bias your assessment. That's why we recommend alternating between the two types of phishing simulations.

Defining the objectives of a phishing simulation

It is important to set concrete objectives to assess your progress over time. The main objective of phishing tests is to improve the company's ability to defend against threats.

For us, it is the ability of employees to report and alert incident response services: the development of a "human firewall".

Indicators such as click rates or reporting rates can be used to set measurable goals.

Certain measurable data can help you define your objectives. The click rate, the number of collected credentials, or even the number of reports to your security service are quantifiable values representing your level of security over a period.

We have developed a security score based on the behavioral data of the people tested, allowing you to gauge your improvement over time. You can analyze the score of a group of individuals such as a department, or choose to look at the overall security level of your company and track its evolution over the course of campaigns.

These simulations allow you to observe the behavior of your users. Clearly defining the behavior you want to observe is essential. Communicating an operating procedure to employees is a solution to provide them with an ideal vision of digital security.

Whether it is a test or a real attack, your employees will have the same reactions. It is therefore crucial to carry out high-quality tests that closely resemble reality.

What makes a successful phishing simulation?

A successful phishing simulation is a campaign that raises awareness among your employees about the dangers and appropriate defense reflexes.

It must succeed in training your employees and engaging them in your cyber defense strategy. They must understand that being autonomous and responsible in fighting against phishing is essential for company security. Each employee is a link in the cybersecurity chain.

To carry out successful campaigns, it is important to adapt them. The assimilation of dangers and security protocols does not happen at the same pace for every individual.

Good learning does not come from a single successful phishing campaign. It takes time and a constant mix of theoretical and practical support. In these exercises, it is interesting to ask for feedback from your employees to know their feelings and opinions.

Of course, a successful campaign means achieving set objectives. The click rate on a link, the number of collected credentials, or the reporting rate are indicators that can be used to measure the success of the simulation.

You can use these indicators to measure the evolution from one campaign to another.

Important points to maximize results

The security score, based on the behavioral data of employees during simulations, evolves over time.

There are several ways to maximize your results in phishing tests, and positive reinforcement is one of them.

Highlighting the "good students" will be more pedagogical than pointing out employees who have more difficulties. Indeed, anonymizing the results by grouping your employees by teams is a very good solution. This action will reduce discomfort between individuals while increasing motivation and healthy competition among different groups.

Prioritize practical simulations combined with theoretical content to provide solutions and methods to employees who find themselves trapped.

Silent simulations are necessary to have a realistic view of your security level. However, use them sparingly to primarily provide answers to the problems your employees face during simulations.

Mistakes to avoid in a phishing simulation

Just as there are best practices that allow you to get more out of your simulations, there are also mistakes to avoid.

Firstly, you should not come across as the team that "traps" its colleagues. It is important to be perceived as a help and a resource for employees.

Secondly, regularly add theoretical and educational content to provide support to your employees, as well as new tools and new ways to detect and respond to attacks.

Position yourself as a resource, a trainer, and regularly remind them that you are not looking for culprits.

Finally, avoid simulation scenarios that use unethical or potentially conflict-generating pretexts: notifications of salary increases, promises of gifts from the employee committee, etc.

These scenarios can create "false joy" among your colleagues. Although they can be useful from time to time to increase the level of difficulty, they risk impacting your reputation and therefore your ability to raise awareness in the long term.

It is crucial to maintain a pedagogical and benevolent approach in your phishing training.


In this article, we have seen the important points to keep in mind in order to successfully conduct a phishing simulation and better prepare your company.

Phishing exercises represent the only way to test in situations close to reality.

Above all, think about instilling a testing culture, perceived not as a punishment or a trap, but as training to strengthen everyone's resilience in both professional and personal environments.

Regularly raise awareness and conduct tests to measure improvement and identify areas for improvement.

Don't miss an article

No spam, ever. We'll never share your email address and you can opt out at any time.