With 76% of businesses having experienced a phishing attack in 2017, social engineering remains a looming threat in the modern-day business world. What makes it worse is that employees only need to open a phishing email or message for the attack to succeed. This can lead to a range of security threats, from the loss of passwords to hackers gaining access to your databases and prized company secrets.

Not to burst your bubble, but hackers are also always looking for ways to refine their approach to phishing and make it even harder to detect. As such, generic anti-phishing policies might not suffice in the fight against this threat. To a great extent, investing in phishing simulations can turn out to be a valuable way of spreading security awareness among employees. Here is how to best approach phishing simulations.

Security Should Be an Organization-Wide Role

The security of your organization should no longer be confined to IT teams and the security monitoring tools they invest in. If you have to rely entirely on your log and database activity monitoring service providers to identify flaws in your security, then you have failed as an organization. Even worse, the threat landscape has evolved over the years, with more employees choosing to use their personal devices for work-related tasks.

This makes it hard for the security team to exercise full control over the security of the organization without infringing on the privacy of the employees. As such, the onus of looking out for the security of your organization lies with the employees as well. What better tool is there to spread awareness than phishing simulations?

The Frequency of the Simulations Is Key

Simulations transform your employees' anti-phishing knowledge from theoretical to practical. However, you should avoid running the simulations so often that they become predictable. On the other hand, spacing them too far apart won't provide enough information to gauge the effectiveness of the campaign.

Also, avoid targeting the whole organization simultaneously; target single departments instead. When conducting phishing simulations, it is vital to think like an attacker and be as persuasive as you can. For instance, email the invoicing department telling them that they urgently need to provide you with some piece of information.

Balance Out Training with Reporting

Training should form the backbone of phishing simulations, as the simulations gauge the effectiveness of that training. The best way to determine whether the simulation campaign is effective is to monitor and report every incident. As long as the number of people who fall prey to your tactics declines, you are on the right path.

Of course, phishing techniques will vary from time to time, with most becoming even harder to detect. The trick is to raise a workforce that is intuitive enough to sense that something is amiss from a mile away. If you feel that the outcomes of the simulations fell short of your expectations, take time to retrain employees.
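To make "monitor and report every incident" concrete, here is an added example (not from the original article) that computes per-department click and reporting rates across simulation campaigns and flags departments whose click rate did not decline between the two most recent campaigns, which is the retraining signal the section describes. The campaign records are constructed sample data.

```python
from collections import defaultdict

# Constructed sample results from two phishing-simulation campaigns.
# Each record: (campaign number, department, clicked_link, reported_to_it)
RESULTS = [
    (1, "invoicing", True, False), (1, "invoicing", True, False),
    (1, "invoicing", False, True), (1, "invoicing", False, False),
    (1, "sales", True, False), (1, "sales", False, False),
    (1, "sales", False, True), (1, "sales", False, False),
    (2, "invoicing", True, False), (2, "invoicing", False, True),
    (2, "invoicing", False, True), (2, "invoicing", False, False),
    (2, "sales", True, False), (2, "sales", True, False),
    (2, "sales", False, False), (2, "sales", False, True),
]


def campaign_metrics(results):
    """Return {campaign: {department: (click_rate, report_rate)}}."""
    # Per (campaign, department): [targeted, clicked, reported]
    counts = defaultdict(lambda: [0, 0, 0])
    for campaign, dept, clicked, reported in results:
        c = counts[(campaign, dept)]
        c[0] += 1
        c[1] += int(clicked)
        c[2] += int(reported)
    metrics = defaultdict(dict)
    for (campaign, dept), (n, clicks, reports) in counts.items():
        metrics[campaign][dept] = (clicks / n, reports / n)
    return dict(metrics)


def departments_to_retrain(results):
    """Departments whose click rate did not fall between the last two campaigns."""
    metrics = campaign_metrics(results)
    campaigns = sorted(metrics)
    if len(campaigns) < 2:
        return []  # a trend needs at least two campaigns
    prev, last = metrics[campaigns[-2]], metrics[campaigns[-1]]
    return sorted(d for d in last if d in prev and last[d][0] >= prev[d][0])


if __name__ == "__main__":
    for campaign, by_dept in sorted(campaign_metrics(RESULTS).items()):
        for dept, (click, report) in sorted(by_dept.items()):
            print(f"campaign {campaign} {dept}: clicked {click:.0%}, reported {report:.0%}")
    print("retrain:", departments_to_retrain(RESULTS))
```

In the sample data, invoicing improves (click rate 50% to 25%, report rate 25% to 50%) while sales gets worse, so only sales is flagged for retraining.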

Use a Multi-Faceted Approach

Email is not the only vector through which cybercriminals can use phishing to reach your most valued data. As such, you should switch to a multi-faceted approach in your phishing simulations instead of concentrating only on meeting the minimum requirements. Extend the simulations to social media campaigns, SMS, or even phone calls.

Additionally, involve all security functions of your organization. Employees need to know exactly what they should do after receiving a phishing email. Should they delete it or forward it to the relevant IT team?

A single rogue email can set off a cybersecurity crisis for your organization. Luckily, with employees as part of your security assets, the chances of this happening are reduced. Use phishing simulations to raise a formidable workforce in the fight against social engineering.