What Is a Phishing Test for Employees? (And How to Run Them)

Gareth Shelwell October 30, 2023

A phishing test for employees, commonly called a phishing simulation, is a controlled attempt to socially engineer employees into revealing sensitive information or taking actions that could compromise their organization’s security.

The main objective of a phishing test is to evaluate the ability of employees to detect phishing attacks and provide additional education to those who need it.

By providing thorough training and conducting expertly designed phishing tests, organizations can turn their employees from being the weakest link in their cybersecurity defense to becoming their strongest defenders!


What You'll Learn In This Article.

  • Understanding of the concept and purpose of phishing tests for employees.
  • The latest tactics cybercriminals use to profit from phishing schemes.
  • Insight into why organizations run phishing simulations.
  • How both free and paid services can be used to facilitate phishing tests.
  • A simple step-by-step process showing you how to run a phishing test for employees.
  • The pros and cons of implementing phishing tests in your organization.

How Cybercriminals Monetize Phishing

Cybercriminals have significantly increased the sophistication and resulting damage of their phishing attacks in recent years.

According to the 2023 Verizon Data Breach Investigations Report, the average amount stolen from a phishing-related attack has increased to USD$50,000!


The surge in phishing attacks is driven by the increasing number of methods used by cybercriminals to monetize them. Common techniques cybercriminals utilize for financial gain are:

  1. Credential Theft: Phishing attacks often aim to steal login credentials for email, banking, and social media accounts. Stolen credentials can then be used to hack into accounts and steal money or attack other victims using stolen accounts.
  2. Ransomware Attacks: Some phishing attacks involve the delivery of ransomware, which encrypts the victim's data and demands a ransom in exchange for the decryption key. Victims are then coerced into paying to regain access to their files. These attacks typically involve the delivery of a malicious attachment. Once opened, the malware executes, and the victim's computer is infected with ransomware.
  3. Financial Fraud Scams: Phishing attacks may use various financial fraud scams commonly bundled together as business email compromise (BEC). These attacks could include tax refund scams, gift card scams, advance fee frauds, crypto scams, and ad-click fraud. Each of these attacks uses different techniques to achieve their end goal, which is financially motivated.
  4. Blackmail: Cybercriminals may obtain compromising or sensitive information during a phishing attack and use it to blackmail victims. They threaten to expose the data unless a ransom is paid.
  5. Information Trafficking: Stolen data, such as personally identifiable information (PII), may be sold to data brokers or used to build databases for future scams. PII can be used for various criminal activities, including identity theft.

Why Run Phishing Tests for Employees?

Since employees are frequently viewed as the most vulnerable link in cybersecurity, and often don't prioritize it, it's unsurprising that phishing attacks account for more than 90% of all data breaches, according to Cisco's 2021 Cybersecurity Threat Trends Report.


Phishing is a low-cost, high-impact strategy employed by cybercriminals globally. The counterstroke is to arm employees with knowledge and preparedness.

Imagine a workplace where every suspicious email is scrutinized, each click is considered, and cyber hygiene is as instinctive as washing hands before a meal. This may sound like a cyber utopia and unachievable; however, it’s attainable with consistent training and well-constructed phishing tests.

How Phishing Tests Help to Protect Against Phishing Attacks

Put simply, phishing simulations test employees' awareness and response to phishing attacks. Phishing tests have quickly become the prominent method for training employees.

By simulating real-world threats in a controlled environment, you allow employees to learn from their mistakes without the consequences of falling for a phish!

It’s important to note that sending a phishing test is only the first step. To maximize the effectiveness of a campaign, it's crucial to provide immediate feedback and take advantage of those crucial seconds after someone realizes they’ve been duped.

That fleeting moment is when they are most attentive and receptive to learning. It’s a moment of heightened emotion, often accompanied by a rush of adrenaline, surprise, or embarrassment. The brain is highly engaged, making it the perfect time to instill learning and awareness, minimizing the risk of them repeating the same mistake!

Another reason why phishing tests help to protect against phishing attacks is that they allow you to determine who your most vulnerable employees are. Knowing who’s susceptible allows you to take preventative steps, whether it be additional training or restricting permissions.


Check out our blog post for a complete overview of how phishing simulations contribute to enterprise security!

How You Can Use Both Free and Paid Tools to Run Phishing Tests

Phishing tests can be conducted using both free and paid tools. What sets them apart is that free tools require more expertise to set up and are limited in features and functionality compared to their paid counterparts.

GoPhish stands as a commendable option for those venturing into the world of phishing tests. It's an open-source, customizable platform ideal for on-premises deployments. The initial setup might require a hands-on approach, but once you're set up, the payoff is a tailored phishing test environment that's 100% free. For organizations seeking a more straightforward initiation and more advanced features, CanIPhish’s perpetual free tier offers a quick, efficient entry point to the world of phishing tests.

For organizations determined to elevate their defense mechanisms and improve their security posture, free tools just won't cut it, and paid tools are the way to go. These platforms offering phishing tests aren't just about identifying vulnerabilities; they are about transforming weaknesses into strengths. With features like customizable content, in-depth reporting, multi-language support, and innovative additions like domain spoofing and dark web monitoring, paid tools are investments in comprehensive, adaptive cybersecurity.


For a deep dive into the differences between free and paid tools, check out our article to help you decide what's right for your organization.

How to Run a Phishing Test

Running a phishing test involves creating a simulated phishing campaign to evaluate employees' awareness and response to phishing attempts. To get the most out of the exercise, it's important to have clear goals, the right tools and understand that it's not a one-time event.

Here's a step-by-step process:

  1. Plan the Test

     First, set your mission! Aim to gauge awareness, find weak spots, or check training effectiveness. Need a spark? Dive into our “Top 5 Phishing Campaign Ideas of 2023”. Don't forget, from remote workers to top brass, everyone's fair game and should be included!

  2. Create the Phishing Email

     Make the email convincing. Use an email address and display name that appears trustworthy. Make sure to use compelling subjects and content to entice a user into taking action, whether that be to click on a link that leads to a fake website, engage in a conversation or download a file. If you want to learn how to create a phishing email, check out our ‘How to Create A Phishing Email’ blog post!

     Need a blueprint for that phony site? We've got a “step-by-step guide to create phishing websites” too!

  3. Send the Emails

     To maximize engagement, send phishing emails during business hours. When testing a large group, send emails in batches and use multiple templates to manage responses and prevent users from alerting one another.

  4. Monitor and Collect Data

     Track how recipients interact with emails and fake websites: who opened them, clicked links, entered credentials, and reported it. Record data ethically and maintain privacy. The goal is to educate and improve, not shame or punish.

  5. Analyze the Results

     Evaluate results to understand employee awareness and vulnerabilities. Address weaknesses. Track progress after each phishing test to measure overall progress.

  6. Provide Feedback and Training

     Share phishing test results with employees, commend those who identified it, and offer support to those who fell for it. Modify training based on results to address knowledge gaps.

  7. Conduct Regular Phishing Tests

     It is important to conduct regular phishing tests to keep employees alert and to measure the improvement over time. Some organizations in certain industries may have a higher level of security awareness than others. If your employees are not falling for phishing emails, that is great news, but it could also be a sign that you need to step up your game and use more difficult-to-spot phishing tactics.

     Keep things fresh by covering a broad range of topics and utilizing different phishing tactics.
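Steps 4, 5 and 7 come down to turning raw campaign events into rates you can compare from one campaign to the next. The following added example (my own code, not from the article, CanIPhish or GoPhish) does that over a constructed results export whose status values follow GoPhish's ("Email Sent", "Email Opened", "Clicked Link", "Submitted Data"); the column layout and the boolean `reported` column are a simplification I assume, and the rows are made-up sample data.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export (not real campaign data). Column layout is a
# simplified version of a GoPhish results export; status values are GoPhish's.
SAMPLE_CSV = """campaign,email,position,status,reported
Q1-invoice,alice@example.test,Finance,Submitted Data,False
Q1-invoice,bob@example.test,Finance,Clicked Link,True
Q1-invoice,carol@example.test,Engineering,Email Opened,True
Q1-invoice,dave@example.test,Engineering,Email Sent,False
Q2-mfa-reset,alice@example.test,Finance,Clicked Link,False
Q2-mfa-reset,bob@example.test,Finance,Email Opened,True
Q2-mfa-reset,carol@example.test,Engineering,Email Sent,True
Q2-mfa-reset,dave@example.test,Engineering,Email Opened,True
"""

# Funnel order: a recipient whose final status is a later stage passed every earlier one.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def campaign_metrics(rows, campaign):
    """Open, click, credential-submit and report rates (%) for one campaign."""
    sub = [r for r in rows if r["campaign"] == campaign]
    total = len(sub)
    reached = Counter()
    for r in sub:
        depth = STAGES.index(r["status"])  # raises ValueError on an unknown status
        for stage in STAGES[: depth + 1]:
            reached[stage] += 1
    reported = sum(1 for r in sub if r["reported"] == "True")
    pct = lambda n: round(100.0 * n / total, 1) if total else 0.0
    return {
        "recipients": total,
        "open_rate": pct(reached["Email Opened"]),
        "click_rate": pct(reached["Clicked Link"]),
        "submit_rate": pct(reached["Submitted Data"]),
        "report_rate": pct(reported),
    }

def repeat_clickers(rows):
    """Recipients who clicked (or went further) in more than one campaign."""
    hits = defaultdict(set)
    for r in rows:
        if STAGES.index(r["status"]) >= STAGES.index("Clicked Link"):
            hits[r["email"]].add(r["campaign"])
    return sorted(e for e, c in hits.items() if len(c) > 1)
```

Comparing the two campaigns in the sample shows the click rate halving and the report rate rising, while `repeat_clickers` singles out the one person who needs the additional training step 6 describes.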

The Pros and Cons of Running a Phishing Test

Pros of Running a Phishing Test on Employees

  1. Increased awareness: Employees become more aware of phishing attempts and their various forms. This enhances their ability to recognize and avoid them.
  2. Practical learning: Phishing tests provide hands-on experience, which enhances knowledge retention and builds confidence.
  3. Identify vulnerabilities: This helps to identify the weak links in the organization so preventative measures can be put in place. This can be in the form of training or evaluating permissions.
  4. Data-driven insights: Gathering data on employees' interactions with phishing attempts informs decision-making and strategy formulation for cybersecurity.
  5. Cultivate a security culture: Fosters a culture of security within an organization, helping employees understand the collective effort required to reduce the risk of a breach.

Cons of Running a Phishing Test on Employees

  1. Potential anxiety: May cause anxiety or stress, which can lead to reduced morale if not managed well.
  2. Trust issues: Risk of eroding trust between employees and management if the tests are not conducted transparently.
  3. Resource intensive: Can require significant resources, especially when utilizing free tools with limited automation and phishing infrastructure.
  4. Legal and ethical concerns: An organization should ensure they are conducting phishing tests within the legal and ethical boundaries to avoid infringing on privacy or consent issues.

Phishing tests can offer significant benefits to organizations, but it's crucial to plan and execute them correctly while considering the potential negative impacts.

To maximize the advantages, a balanced approach should be taken, focusing on education and improvement instead of punishment and ensuring that ethical considerations are at the forefront.

Immediate feedback and support should also be provided to employees to transform the exercise into a positive learning experience.

If you've decided that phishing tests are right for your organization, get started with a free account today.

Create a free caniphish account!
Written by

Gareth Shelwell

An Ops Manager dedicated to helping you safely swim amongst the internet of phish!