
The Right Way to Run Phishing Tests: Timing, Ethics, and Follow-Up That Actually Works
Phishing campaigns are a fantastic way to teach staff to spot real threats. But done badly, they can frustrate, annoy, or even upset your staff. Here’s how to get it right.
1. Mind the timing
Company events matter. Big changes, like redundancies, leadership shifts, or even major positive news, are sensitive times. Sending a campaign then can come across as tasteless. Pause, plan, and pick a neutral window.
2. Involve the right people
HR, finance, and group communications teams are your allies. They know what’s sensitive and can help shape campaigns so no one feels blindsided. Consult them early, not after someone’s upset.
3. Keep it ethical and realistic
Your campaigns should teach, not traumatise. Avoid personal data or highly sensitive information. Make emails believable but never invasive. Clear learning opportunities are the goal, not public shaming.
4. Prepare for reactions
People will be annoyed. Be ready to reply, politely explain the purpose, and remind them the goal is learning, not trickery. A short “sorry if this caught you off guard” goes a long way.
5. Educate after the test
The point of phishing simulations isn’t just to see who clicks. Follow up immediately with tips, guidance, and examples. Celebrate improvements, share helpful resources, and highlight positive behaviours. Learning is the main event.
If cybersecurity feels like something done with people rather than to them, you are on the right track.
Bonus tips
Mix campaign styles: obvious, subtle, and somewhere in between. This keeps people alert without fatiguing them.
Track engagement trends, not just failures. Reward progress and highlight improvements.
Plan for support requests, as people will ask if emails are real. Have a ready response from security or comms.
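The tip above about tracking engagement trends rather than just failures is easy to state but often measured poorly. The script below is an added example written for this page, not code from the original post or from any product it mentions. It works over a small constructed set of campaign results (campaign id, recipient, outcome, minutes from send to that outcome; the names and numbers are invented) and computes, per campaign, the click rate, the report rate and the median time to report. It then compares two campaigns so a healthy trend (fewer clicks, more and faster reports) is visible, and lists the people who clicked last time but reported this time, which is exactly the progress worth recognising rather than the failures worth punishing.

```python
"""Engagement-trend tracking for phishing simulations (added example, not from the original page)."""
from collections import defaultdict
from statistics import median

# Constructed sample data: one row per recipient per campaign.
# Fields: campaign id, recipient, outcome, minutes from send until that outcome.
# Outcome "ignored" means no click and no report, so its minutes value is None.
SAMPLE_ROWS = [
    ("Q1", "alice", "clicked", 9),
    ("Q1", "bob", "clicked", 25),
    ("Q1", "carol", "reported", 40),
    ("Q1", "dave", "ignored", None),
    ("Q1", "erin", "clicked", 3),
    ("Q2", "alice", "reported", 15),
    ("Q2", "bob", "clicked", 30),
    ("Q2", "carol", "reported", 6),
    ("Q2", "dave", "ignored", None),
    ("Q2", "erin", "reported", 11),
]


def campaign_metrics(rows):
    """Return {campaign: metrics} with click rate, report rate and median minutes to report."""
    per_campaign = defaultdict(list)
    for campaign, _user, outcome, minutes in rows:
        per_campaign[campaign].append((outcome, minutes))

    metrics = {}
    for campaign, events in per_campaign.items():
        recipients = len(events)
        clicks = sum(1 for outcome, _ in events if outcome == "clicked")
        report_times = [minutes for outcome, minutes in events if outcome == "reported"]
        metrics[campaign] = {
            "recipients": recipients,
            "click_rate": clicks / recipients,
            "report_rate": len(report_times) / recipients,
            # Time-to-report matters: a fast report lets the security team act before others click.
            "median_minutes_to_report": median(report_times) if report_times else None,
        }
    return metrics


def trend(metrics, earlier, later):
    """Compare two campaigns; a healthy trend is a falling click rate and a rising report rate."""
    before, after = metrics[earlier], metrics[later]
    return {
        "click_rate_change": after["click_rate"] - before["click_rate"],
        "report_rate_change": after["report_rate"] - before["report_rate"],
        "improving": (after["click_rate"] <= before["click_rate"]
                      and after["report_rate"] >= before["report_rate"]),
    }


def improved_users(rows, earlier, later):
    """People who clicked in the earlier campaign but reported in the later one: progress to celebrate."""
    outcomes_by_user = defaultdict(dict)
    for campaign, user, outcome, _minutes in rows:
        outcomes_by_user[user][campaign] = outcome
    return sorted(
        user for user, outcomes in outcomes_by_user.items()
        if outcomes.get(earlier) == "clicked" and outcomes.get(later) == "reported"
    )


if __name__ == "__main__":
    results = campaign_metrics(SAMPLE_ROWS)
    for campaign, values in sorted(results.items()):
        print(campaign, values)
    print("trend Q1 -> Q2:", trend(results, "Q1", "Q2"))
    print("improved:", improved_users(SAMPLE_ROWS, "Q1", "Q2"))
```

The report rate and median time to report are the numbers to put in front of leadership; the click rate alone rewards a culture of silence, since someone who clicks and then reports is far more useful than someone who ignores the email and tells nobody.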
Done right, phishing campaigns are a powerful learning tool. Done poorly, they risk annoying staff and undermining your security culture. Plan carefully, involve the right teams, and always prioritise learning over punishment.
Need an extra pair of hands to boost Awareness and build a Cybersecurity Culture?
Get help from a Virtual Security Awareness Manager. Let us do the heavy lifting for you – managed security awareness training and phishing simulations, exciting themed awareness campaigns, onboarding experiences, cyber champion networks and more.
