Eight Best Practices To Optimize Phishing Simulations In 2024

Phishing simulation best practices banner image.
Sebastian Salla, Chief Executive Officer at CanIPhish
Sebastian Salla August 27, 2023 (Last Updated: January 02, 2024)

Before we deep dive into best practices, let's cover some facts.

The threat posed by phishing is not going away. In 2023, a shocking 81% of reported cyber incidents have been from phishing attacks.

When we think about it, the reason is simple. Nearly every employee has an email address and some form of public presence. Cybercriminals abuse these two factors to craft highly convincing and targeted phishing emails designed to entice employees to interact with them.

As cyber defenders, we need to train our employees to spot phishing emails and what to do if they fall victim to one.

Jump To Phishing Simulation Best Practices

What You'll Learn In This Article.

  • What phishing simulations are and how they can be used to train employees.
  • How you can run phishing campaigns and the types of tools you can use.
  • Best practices that can be followed to maximize the effectiveness of phishing campaigns.
  • How you can use phishing training with a defense-in-depth strategy to create a human firewall.

What Is A Phishing Simulation?

Phishing simulations are an exercise where businesses attempt to phish their own employees. A key difference between a phishing attack and a simulation is that the simulation is done in a safe and controlled environment where employees receive immediate feedback.

The aim of a phishing simulation is train and educate employees by showcasing how an actual phishing attack can occur and what employees need to look out for when attempting to spot the real from the fake.

Email is the most popular communication channel to conduct phishing simulations, however they can also occur over voice calls, video calls, SMS, and social media direct messages.

How Do You Conduct Phishing Simulations?

At a minimum, you need an email server, a web server, and a database. You use the email server to deliver phishing emails. You use the web server to host phishing websites and also to host an HTTP API, which can be used to track interactions such as email views and attachment opens. Finally, you need a database to store any interaction so you can report on these centrally.

Getting this infrastructure up and running can be extremely difficult, but it's for this reason that various open-source and commercial phishing simulators are available.

  • Open-Source Tools: Such as GoPhish provide software to help orchestrate the infrastructure that you host. You also need to supply the phishing content.
  • Commercial Tools: Such as CanIPhish provide all the software, infrastructure, and phishing content. It's simply plug-and-play for the consumer.

Whether you choose open-source or commercial phishing tools is an age-old question that ultimately boils down to human capital vs. direct financial costs. Depending on how expensive it is to pay your staff, you may choose the option that saves them the most time, regardless of subscription costs.

Best Practices For Phishing Simulations

Now that we know what phishing simulations are and how you can conduct them let's talk about how you can optimize them to get the best results.

1. Use Relevant And Realistic Phishing Emails

The most important step when it comes to phishing is to ensure that you're using relevant and realistic phishing emails. Not every business or employee uses the same services, software, or applications.

When deciding what phishing emails to use, it's essential to:

  • Validate that employees actually use the service that the phishing email is themed to look like.
  • Create phishing emails based on real-world examples from the target service. Don't be afraid to get your hands dirty by signing up for the service to collect a few transactional emails.
  • Embellish where needed. If transactional emails from the legitimate service don't have a strong enough call-to-action, then make modifications to draw the reader's attention.

It's also important to ensure your emails remain up to date. Companies like Microsoft and Google like to refresh their style regularly, so keep an eye out for emails that use old branding or color schemes.

2. Personalize Phishing Emails With Employee Information

After landing on one or more phishing emails, it is essential to personalize them.

Some of the different types of information that can be used to personalize phishing emails include the use of first names, last names, job titles, company names, manager names, colleague names, geographic locations, and so on. Enriching phishing emails with this information will greatly increase the likelihood of an employee interacting with the email.

Personalization is something that cybercriminals commonly abuse to trick victims. With social media, particularly LinkedIn, in such heavy use, finding this information through public sources is relatively easy for a cybercriminal.

3. Allowlist Phishing Emails To Guarantee Delivery

Phishing simulations are a great way to trick employees. Unfortunately, they're not so great at tricking email security technologies.

If you're using an email filtering technology to block or quarantine suspected phishing emails, it will almost certainly detect your simulated phishing campaign.

Each vendor has their own secret sauce that determines how it detects phishing, but in almost all cases, it comes down to a reputation-based system, where if enough indicators are hit, then that email will end up in a quarantine folder or be blocked entirely.

Some of the techniques used to detect phishing emails include:

  • IP reputation checks analyze whether an IP address has historically delivered legitimate emails or has been associated with the delivery of phishing or spam emails.
  • Domain reputation checks analyze whether a domain is newly registered or has been associated with the delivery of phishing or spam emails.
  • Email content scanning includes the analysis of text for keywords that match or look like keywords that are commonly associated with phishing and spam emails.
  • Payload detonation includes the opening of links or attachments in a sandbox environment, where analysis of the payload can occur in a safe and controlled manner.

This is just to list a few, but there are dozens and even hundreds of other checks that commonly occur.

Because of this, when we scale phishing exercises across an organization with hundreds or even thousands of employees, it's only possible to guarantee email delivery with allowlisting.

4. Monitor Phishing Email And Payload Interactions

Once you've selected your phishing emails, personalized them, and set up email allowlisting, you're just about ready to begin your simulated phishing campaign!

But before scheduling it, make sure you can monitor employees viewing emails, clicking on links, downloading attachments, responding to emails, executing attachments, or entering credentials into phishing websites.

Many of these interactions indicate whether an employee fell for the phish, and it leads us to the next best practice.

5. Provide Employees With Immediate Education

There is no better time to train employees than directly after they've fallen for a phish. In this short window, employees are acutely aware of the need to educate themselves and are often curious how they fell for a phishing attack and what they can do to spot phishing attacks in the future.

The training should be interactive and walk through the exact phishing email employees fall for. Additionally, short explainer videos should be used to explain various tips, tricks, and statistics that help contextualize the risk of phishing attacks.

6. Identify And Educate High Risk Employees

The hard truth is that some employees are more vulnerable to phishing than others. There are various reasons for this, but the crucial thing is identifying high-risk employees as early as possible so we can correct their behavior.

With each simulation, we begin to draw a picture of who these employees are and can categorize them into low, medium, and high-risk groups.

Employees in high-risk groups can have restrictions applied until they can demonstrate that they aren't at an elevated risk of phishing or social engineering attacks. These restrictions could be the inability to access the business network remotely, loss of administrative privileges, assignment of additional training, participation in more phishing campaigns, etc.

7. Run Frequent Phishing Simulations

Naturally, running frequent phishing simulations comes hand-in-hand with identifying high-risk employees.

An employee's ability to spot phishing attacks is akin to a muscle, and phishing simulations are the exercise that trains that muscle. If you build the muscle up but then stop training it, it'll weaken over time until it's as though you never stengethened it to begin with.

To build and maintain a strong phishing muscle memory, we recommend running phishing training campaigns on a weekly to quarterly basis, depending on the risk profile of each employee. Low-risk employees can be trained quarterly, medium-risk employees trained monthly, and high-risk employees trained weekly.

Phishing Campaigns With A Risk-Based Frequency

Employee risk should be recalculated with each phishing campaign; this allows employees to progressively de-risk themselves as their ability to spot phishing attacks improves.

8. Regularly Report To Management

Phishing campaigns are a relatively technical and obtrusive exercise.

Put simply, employees do not enjoy being phished, and they also do not enjoy being assigned training. However, employees benefit greatly from the educational experience that phishing training provides.

By regularly reporting on phishing campaigns, you can showcase the gradual decrease in phish click tendencies and provide proof that the business as a whole is benefiting.

Additional Tips

While phishing campaigns are great for building your human firewall, it's not the only layer of defense you should implement; it's your last layer! With email security, we additionally need to consider:

  • Email Authentication: If your SPF, DKIM, and DMARC records aren't adequately configured, your domain is going to be vulnerable to email spoofing attacks due to a lack of email authentication. This is like putting a blindfold on your employees, inhibiting their ability to spot phishing attacks! If you're unsure whether your records are configured correctly, simply use our email spoofing tool.
  • Email Filtering: Neither humans nor email filters are perfect at spotting phishing attacks. We can't rely on either to have 100% accuracy, no matter how much time, effort, or money we throw into training and configuring them. However, if we layer email filters as the first line of defense, with humans as the second line, we can greatly improve our odds.


If you're looking to run your first simulated phishing campaign, you're in luck! The CanIPhish Cloud Platform is a self-service phishing simulator with an integrated learning system designed to build and maintain your human firewall. Getting started is as easy as creating a free account, onboarding your employees, and sending your first phishing campaign!