One in three untrained employees will click a phishing email. That's not a worst-case estimate, it's the global phish-prone percentage sitting at 33.1% for organizations with no active simulation program. In sectors like hospitality and education, that number climbs past 50%. If you've never run an employee phishing test inside your organization, you're operating with a blind spot the size of your entire workforce.
Most security teams know they should be running phishing simulations. The hesitation comes from not knowing how to do it without creating chaos, damaging employee trust, or generating a pile of click-rate data that nobody acts on. That's exactly what this guide solves. The seven steps below walk you through everything from goal-setting through reporting, so your first employee phishing test is built to change behavior, not just measure it.
Modern phishing simulation platforms have redefined what a first test looks like. Instead of generating a spreadsheet of failures, every employee who clicks a simulated link receives an instant, bite-sized training lesson tailored to what they just fell for. That shift from "gotcha" to "teachable moment" is what separates programs that drive meaningful, sustained click-rate reductions over time from those that don't move the needle at all.
Key takeaways
- Run your first campaign as a moderate-difficulty baseline test with no preceding training to capture an honest phish-prone percentage.
- Align HR, legal, and leadership first; simulation data must never feed performance reviews or employees stop reporting real threats.
- Track click rate, reporting rate, and time-to-report together; the reporting-to-failure resilience ratio holds the real signal.
- Deliver training at the moment of the failed click, not days later, when the teachable-moment context is still fresh.
- Use a rolling deployment of one department per week to avoid alert spikes and social contagion that invalidate results.
- A click rate above 33% is normal for untrained organizations, so judge your first run against your industry baseline.
1. Define your goals for your employee phishing test before you design a single email
Most first-time phishing simulations fail not because the templates were bad but because no one defined what success looks like before sending. Before you open any tool, decide what this campaign is actually for. Is the goal to establish a baseline phish-prone percentage, generate compliance evidence, or demonstrate risk reduction to leadership? Your answer shapes every decision that follows.
Your first campaign should almost always be a diagnostic baseline test, not a behavior-change test. Run it at moderate difficulty, against a broad employee group, without any preceding training. The point is to capture where your organization actually stands before you start optimizing. Starting with a hard scenario skews your baseline and makes results uninterpretable as your program matures.
Choosing the right metrics to track from day one
Three metrics matter most in any phishing awareness test: click rate, reporting rate, and time-to-report. Click rate tells you how many employees took the bait. Reporting rate tells you how many recognized the threat and escalated it. Time-to-report tells you how quickly your workforce acts as a detection layer. Click rate alone tells you almost nothing; the ratio between reporting rate and failure rate is where the signal lives.
That ratio is the resilience ratio, calculated by dividing your reporting rate by your failure rate. A financial services team might show a ratio of 8.23, while education typically sits around 1.27. If your first employee phishing test produces a click rate above 33%, don't panic. That's normal for untrained organizations, and it gives you a credible, compelling starting point for the program's story.
2. Get HR, legal, and leadership aligned before you send anything
A phishing simulation that catches employees off guard without organizational backing can become an HR incident fast. In the U.S., obtaining individual employee consent for internal security training is generally not required, but informing employees that periodic phishing tests will occur is widely considered a legal and ethical best practice, and may be mandated by specific state regulations or sector requirements. You don't disclose specific dates; you disclose the existence of the program. Consult legal counsel to confirm what applies in your jurisdiction.
Consult HR and any union representatives before launching. Frame the entire program explicitly as skill-building, not surveillance or performance evaluation. Simulation data must never feed into performance reviews. Employees who feel that failing a phishing test could hurt their standing at work will report real threats less often because they fear judgment, which is the opposite of what you're trying to achieve.
Certain lure types are off-limits entirely for ethical and legal reasons. Never simulate fake layoff notices, medical emergencies, or bonus announcements. These create emotional distress without any security training benefit and expose your organization to unnecessary liability. Stick to workplace scenarios grounded in plausible, everyday contexts.
3. Choose a phishing simulation platform that does the heavy lifting
What to require from a modern platform
The tool you choose determines how much of the program your team has to manage manually versus what runs automatically. A modern phishing simulation platform should include a pre-built template library, role-adaptive targeting, immediate post-click training delivery, and dashboards that generate audit-ready compliance reports. Anything short of that puts the burden back on your team.
Open-source vs. commercial phishing email simulation tools
Open-source tools like GoPhish are free and fully customizable, but they don't include built-in training content, risk scoring, or compliance evidence. For organizations that need to demonstrate measurable behavior change or satisfy NIS2, ISO 27001, or DORA requirements, that's a significant gap. A platform that tracks human risk scores per employee and triggers employee security awareness training automatically on failure is an entirely different category of tool.
Phishing Simulation Software is designed to cover that full stack in a single platform: AI-driven simulations across email, Slack, and Microsoft Teams, role-specific micro-training triggered by every failed click, and a real-time human risk score per employee that security leaders can bring into board-level conversations. For SMBs with small security teams and enterprises that need consolidated reporting, that kind of integration can replace several point solutions that would otherwise need to work together. If you're evaluating vendors, it's also useful to review third-party rundowns of the best phishing simulation tools to compare feature sets and deployment models.
4. Design scenarios your employees will actually fall for
The scenario you choose determines whether your test measures real susceptibility or just familiarity with obvious lures. Effective phishing simulation scenarios mirror the exact pretexts attackers use against your industry. AI-powered phishing attacks now achieve click rates up to 54% through hyper-personalization, which is why role-specific scenarios outperform generic templates by a wide margin.
For a first run at moderate difficulty, focus on the lure types most likely to land by department:
- Credential reset notifications for any employee using Microsoft 365 or Google Workspace
- HR direct-deposit verification requests for finance and HR teams
- Fake invoice approval requests for accounts payable
- QR-based "quishing" lures for employees who routinely scan codes in their workflow
Each of these mirrors a real attack pattern and feels immediately plausible to the target.
Keep your scenarios ethically grounded. Do not use real government logos or insignia. U.S. federal law (31 U.S.C. § 333) prohibits impersonating government agencies, and using IRS or law enforcement branding exposes your organization to legal risk. When an employee clicks your simulated link, the landing page should deliver a brief microlesson, never capture real credentials or redirect to any external site.
5. Target and schedule your campaign for clean, accurate data
Sending a single organization-wide blast on one day is the most common first-test mistake. It creates an alert spike, generates social contagion ("did you get the weird email?"), and invalidates results before half your employees have even seen the simulation. A rolling deployment fixes all of that.
Target one department per week on a rotating schedule so every group receives a simulated phishing test roughly monthly without a high-volume disruption day. Segment by department, seniority level, and role so you can calibrate difficulty appropriately, a sophisticated spear-phishing attempt isn't the right first exposure for new hires or warehouse staff. Rolling deployment also prevents word from spreading across the organization before everyone has been tested.
For cadence, a monthly baseline (every four to six weeks) works for most employees. High-exposure roles in finance, HR, and executive support benefit from biweekly simulations. New hires should receive a baseline simulation within their first two weeks, followed by two additional touchpoints across their first 60 to 90 days. Employees who fail repeatedly need targeted phishing test scenarios every two to three weeks until behavior shifts. For practical measurement frameworks and program evaluation guidance, see resources that explain how to measure a phishing simulation program effectively.
6. Act immediately when an employee phishing test click occurs
The interval between a failed click and remediation training is the single most important factor in whether your simulation actually changes behavior. Security awareness training literature consistently shows that training delivered at the moment of failure is dramatically more effective than a training link emailed a week later. By the time that email arrives, the psychological context of the mistake is gone.
When an employee clicks a simulated phishing link, their brain is still processing the context of that email. A brief, immediate micro-lesson, delivered before they close the tab, explaining exactly what red flags they missed and why the lure worked, is what researchers call a teachable moment. This is the mechanism underlying HookPhish's click-to-teach model: every failure becomes an immediate, non-punitive lesson tied to that specific tactic. For step-by-step guidance on what to do if someone actually clicked a malicious link, consider referencing advice on what to do after clicking a phishing link.
The framing of post-click communication matters as much as its timing. Employees who feel publicly shamed after failing a simulation become less likely to report real phishing attempts. Remediation must feel like skill-building, not discipline. For employees who fail three or more simulations in a rolling period, assign targeted spear-phishing scenarios and mandatory short-form training. No disciplinary notices, no public callouts.
7. Read your phishing test metrics and plan what comes next
A raw click rate is not a security outcome. This is where many first-time programs stop short: they run the simulation, pull the click rate, and file it away. The data's real value is in what it tells you about your next campaign and where targeted investment will move the needle fastest.
Use peer-industry benchmarks to contextualize your first-run numbers. A click rate above 33% is normal for untrained organizations. Financial services and tech companies typically sit around 28.5% untrained; healthcare can reach 48%. A reporting rate above approximately 18.6%, the current global average per industry benchmarks, is a meaningful positive signal. The goal for a mature program running three or more years is a click rate under 2% and a credential-entry rate under 0.5%. Your first campaign isn't measured against those targets; it's measured against your own industry baseline. For recent industry click-rate baselines and benchmarking data, review the 2026 phishing benchmarks and industry click rates.
Use first-run data to sharpen your second campaign. Identify the departments with the highest click rates and increase their simulation frequency. Which lure types performed best? Rotate those into future scenarios. Most importantly, examine your resilience ratio. A high click rate paired with a high reporting rate suggests employees recognize threats but still click out of habit, a training problem. A low click rate with a low reporting rate suggests avoidance without active vigilance, a culture problem. Those are two very different diagnoses that call for two very different solutions. For additional hands-on guidance on running simulations and interpreting results, see our Phishing Simulation: A Practical Guide.
Your first test is the foundation, not the finish line
An employee phishing test is only as valuable as what happens after the click. The seven steps in this guide turn a one-time audit into a repeatable, measurable behavior-change engine. Organizations that sustain meaningful click-rate reductions over time share one thing: their simulations are built to teach, not just to catch.
That's the architecture HookPhish is built on. Every failed click triggers an instant lesson. Every campaign generates a human risk score per employee, team, and department that you can track over time and bring into compliance conversations. If you're ready to move from knowing you should be running phishing simulations to actually running them well, explore HookPhish, see real-world outcomes in our Customer Case Studies & Results, and see what a modern simulation program looks like from day one.
Frequently asked questions
What is an employee phishing test?+
An employee phishing test is a controlled simulated phishing email sent to staff to measure how many click, report, or ignore it. The best programs pair every failed click with an instant micro-lesson, turning the test into phishing simulation that changes behavior rather than just measuring it.
What is a good click rate for a first phishing simulation?+
A click rate above 33% is normal for untrained organizations, so a high first result is not a failure. Your first campaign is measured against your own industry baseline, not against the under-2% target that mature programs reach after several years.
Do I need employee consent to run a phishing simulation?+
In the U.S., individual consent for internal security training is generally not required, but informing employees that periodic phishing tests will occur is considered a legal and ethical best practice. You disclose that the program exists without revealing specific send dates, and you should confirm requirements with legal counsel for your jurisdiction.
Which phishing scenarios should I avoid in a simulation?+
Never simulate fake layoff notices, medical emergencies, or bonus announcements, since they create emotional distress with no security benefit. Avoid real government logos too, because U.S. federal law prohibits impersonating agencies like the IRS and exposes your organization to legal risk.
How often should employees receive phishing simulations?+
A monthly baseline every four to six weeks works for most employees, while high-exposure roles in finance, HR, and executive support benefit from biweekly tests. New hires should get a baseline within two weeks and repeat clickers need targeted scenarios every two to three weeks until behavior shifts.
Why deliver training immediately after a failed click?+
The interval between a failed click and remediation training is the single biggest factor in whether a simulation changes behavior. A lesson delivered before the employee closes the tab catches the teachable moment, whereas a training link emailed a week later loses the psychological context of the mistake.
Authoritative sources & further reading
This guide is informed by recognized industry and government cybersecurity resources. For primary research and standards, see:
Written and reviewed by the HookPhish Security Team
HookPhish builds phishing detection, phishing simulation, security awareness training, dark web monitoring and human risk management for security teams. Our guides are written and fact-checked by the same practitioners who run the platform. About HookPhish · Why HookPhish
Last reviewed July 10, 2026.
See Phishing Simulation in action
Book a personalized demo, or explore how HookPhish delivers phishing simulation on one platform.
