How to Run a Phishing Simulation: A Practitioner's Step-by-Step Playbook

Here is how to run a phishing simulation: define the goal and legal basis, pick a realistic scenario, allowlist the simulation domains in Microsoft 365 or Google Workspace, launch to a representative group, then measure click rate, report rate and time-to-report. This playbook covers each step the way an offensive-security team runs paid engagements - including the mistakes that ruin most first campaigns.

Before you launch: goals, scope and the legal basis

Phishing is still how most breaches start. The ENISA Threat Landscape 2025 report attributes roughly 60% of analysed intrusions to phishing as the initial access vector - well ahead of vulnerability exploitation. A phishing simulation is how you find out, safely and on your own terms, what happens when that traffic reaches your people.

Decide what the campaign is for before you touch a template. A first simulation usually has one of three goals: establish a baseline click rate, generate evidence for an audit or insurance questionnaire, or trigger targeted training. Write the goal down. It determines who you test, how hard the template should be, and what you report afterwards.

On the legal side, EU practice is settled: the GDPR basis for processing is the employer's legitimate interest, not employee consent - asking permission before each campaign would invalidate the test. Document a legitimate-interest assessment with your DPO, state in your security policy that simulations happen (without revealing dates), and involve employee representatives where national law requires it. Our phishing test for employees guide covers the legal groundwork in detail.

Step 1: Set the baseline - who to test, when, and how hard

Your first campaign is a measurement, not a training exercise. Treat it like one and keep the variables controlled, so every later campaign can be compared against it.

  1. Export the full recipient list from your directory - everyone with a company mailbox, including executives, part-timers and contractors. A cherry-picked sample produces a flattering, useless baseline.
  2. Pick a normal business week. Avoid quarter close, public holidays and the week of an all-hands.
  3. Choose one template of easy-to-medium difficulty with two or three findable red flags - a generic parcel notice or a password-expiry lure works well.
  4. Stagger delivery across a morning instead of blasting everyone at 09:00, which looks artificial and triggers a single wave of chatter.
  5. Record everything: template, difficulty, send window, audience. You will reuse these settings when you re-baseline.
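The two points that matter in the list above, staggering delivery and keeping the audience complete, are easy to get wrong by hand. The following is an added example, not code from the original page or from PhishGun: it deals recipients out round-robin across teams over a morning window, so no team gets its whole share in one burst (the herd-alerting problem described in Step 4), and a fixed random seed keeps the schedule reproducible for the campaign record. The sample audience, the team names and the window are constructed assumptions.

```python
import random
from datetime import datetime, timedelta
from itertools import zip_longest

# Constructed sample audience as (mailbox, team); a real run loads the full
# directory export from Step 1, executives and contractors included.
AUDIENCE = [
    ("a.novak@example.test", "finance"), ("b.horvath@example.test", "finance"),
    ("c.kovac@example.test", "finance"), ("d.varga@example.test", "finance"),
    ("e.toth@example.test", "ops"), ("f.szabo@example.test", "ops"),
    ("g.molnar@example.test", "ops"), ("h.kiss@example.test", "ops"),
    ("i.nagy@example.test", "sales"), ("j.farkas@example.test", "sales"),
    ("k.balog@example.test", "sales"), ("l.papp@example.test", "sales"),
]
WINDOW_START = datetime(2025, 3, 4, 8, 30)   # assumption: a normal Tuesday morning
WINDOW_END = datetime(2025, 3, 4, 11, 30)


def stagger_schedule(audience, start, end, seed=0):
    """Return [(send_at, mailbox, team), ...] ordered by send time.

    Recipients are dealt out round-robin across teams, so every team's share is
    spread over the whole window instead of arriving as one burst that a single
    chat warning can neutralise. A jitter of less than a third of the base
    spacing hides the regular interval without reordering the sends.
    """
    rng = random.Random(seed)  # fixed seed: the schedule is reproducible for the record
    by_team = {}
    for mailbox, team in audience:
        by_team.setdefault(team, []).append((mailbox, team))
    for members in by_team.values():
        rng.shuffle(members)
    # zip_longest deals one member per team per round; exhausted teams yield None.
    order = [pair for round_ in zip_longest(*by_team.values())
             for pair in round_ if pair is not None]
    step = (end - start) / len(order)
    schedule = []
    for i, (mailbox, team) in enumerate(order):
        jitter = timedelta(seconds=rng.uniform(0, step.total_seconds() / 3))
        schedule.append((start + i * step + jitter, mailbox, team))
    return schedule


def min_same_team_gap_minutes(schedule):
    """Smallest interval, in minutes, between two sends to the same team.
    A low value means a team is getting a burst and will warn itself."""
    last_seen, smallest = {}, None
    for send_at, _mailbox, team in schedule:
        if team in last_seen:
            gap = (send_at - last_seen[team]).total_seconds() / 60
            smallest = gap if smallest is None or gap < smallest else smallest
        last_seen[team] = send_at
    return smallest


if __name__ == "__main__":
    plan = stagger_schedule(AUDIENCE, WINDOW_START, WINDOW_END)
    for send_at, mailbox, team in plan:
        print(send_at.strftime("%H:%M:%S"), team.ljust(8), mailbox)
    print("minimum gap between sends to one team (min):", round(min_same_team_gap_minutes(plan), 1))
```

With twelve recipients in three teams over a three-hour window the base spacing is fifteen minutes, so consecutive sends to the same team are always more than forty minutes apart; the same routine scales to a full directory, and the recorded seed lets you regenerate the exact schedule when you re-baseline.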

The most common first-campaign mistake is starting too hard. A pixel-perfect clone of your own HR portal announcing salary adjustments will catch a large share of any workforce, security staff included. That result proves only that well-built spear phishing works - which you already knew. Start easier and save the hard scenarios for later campaigns.

And do not exempt management. Executives and finance are exactly who real attackers target, and excluding them signals to everyone else that the programme is theatre.


Step 2: Pick scenarios that mirror real local attacks

Scenario realism beats creativity. The lures that dominate real attack traffic across Central Europe are mundane: parcel-delivery notices, Microsoft 365 sign-in alerts, supplier invoices and shared-document notifications. Your simulation should look like what employees actually face - in the language they work in. Attackers localize fluently now, so a clumsy English template tests nothing in a Slovak or Czech office.

| Lure | Pretext | Difficulty |
| --- | --- | --- |
| Parcel delivery | Failed delivery or a small customs fee from a national carrier, linking to a fake tracking page | Easy–medium |
| Microsoft 365 / Google sign-in | Password expiry, unusual sign-in alert or full mailbox, linking to a cloned login page | Medium |
| Invoice / supplier | Overdue invoice or a change of bank details from a known supplier | Medium–hard |
| Internal IT or HR | VPN update, payroll change or benefits enrolment impersonating your own departments | Hard |

How to choose phishing simulation email templates

Good phishing simulation email templates share three traits: a plausible sender for your environment, exactly one call to action, and red flags an attentive employee can realistically find - a lookalike domain, a generic greeting, a mismatched link. Browse our phishing email examples gallery to calibrate. Avoid emotionally abusive pretexts such as fake layoffs or fake bonuses: they generate HR escalations and resentment, not vigilance.

Step 3: Allowlisting in Microsoft 365 and Google Workspace

Allowlisting is the step people skip, and it is why so many first campaigns produce garbage data. You are measuring humans, not your spam filter. Without an allowlist, Microsoft Defender or Gmail will quarantine some messages, rewrite some links and deliver the rest - and your click rate becomes a coin flip.

Allowlisting a phishing simulation in Microsoft 365

Microsoft provides a dedicated mechanism, the advanced delivery policy, which tells Defender for Office 365 that these messages are a sanctioned simulation:

  1. In the Microsoft Defender portal, open Email & collaboration → Policies & rules → Threat policies → Advanced delivery.
  2. Switch to the Phishing simulation tab and choose Edit.
  3. Add your platform's sending domains, sending IP addresses and the simulation URLs used in emails and landing pages.
  4. Save, then send a seed test to a test mailbox to confirm nothing lands in quarantine and Safe Links leaves the URLs alone.

Advanced delivery also suppresses alerts and automated investigation for these messages, so your security tooling will not auto-purge the campaign mid-flight.

Allowlisting in Google Workspace

  1. In the Google Admin console, go to Apps → Google Workspace → Gmail → Spam, phishing and malware.
  2. Add the platform's sending IP addresses to the Email allowlist.
  3. In the Spam setting, create an approved-senders list with the simulation domains and enable "Bypass spam filters" for it.
  4. Allow up to 24 hours for changes to propagate - Google's own documentation says so - and seed-test before launch.
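The seed test in both procedures above is only useful if you actually inspect what arrived. The following is an added example, not code from the original page or from any simulation platform: it parses a seed message saved as raw RFC 822 text and reports whether Exchange Online Protection assigned a spam or phish verdict and whether Safe Links rewrote the simulation URL. The `X-Forefront-Antispam-Report` header and its `SCL` and `CAT` fields are real Microsoft headers; the SCL threshold, the simulation host name and the two sample messages are constructed assumptions. Google Workspace exposes no equivalent public verdict header, so for Gmail the useful part is the link check: the simulation URL must arrive untouched.

```python
import email
import html
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Assumption: the landing/tracking host your simulation platform uses.
SIM_HOSTS = {"track.phishsim-example.test"}
SAFELINKS_SUFFIX = "safelinks.protection.outlook.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_antispam_report(header):
    """Turn 'CIP:...;SCL:1;...;CAT:NONE;...' into a dict of field -> value."""
    fields = {}
    for part in header.split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def extract_urls(msg):
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(html.unescape(part.get_content())))
    return urls


def check_seed(raw_eml):
    """Return the problems found in a seed-test message; an empty list means
    the allowlist worked: no filtering verdict and no rewritten links."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    problems = []
    report = msg.get("X-Forefront-Antispam-Report")
    if report:
        fields = parse_antispam_report(report)
        scl = int(fields.get("SCL", "-1"))
        if scl >= 5:  # assumption: default EOP actions junk SCL 5-6 and quarantine higher
            problems.append(f"SCL {scl}: message would be junked or quarantined")
        cat = fields.get("CAT", "NONE")
        if cat != "NONE":
            problems.append(f"CAT {cat}: message was classified instead of passed through")
    for url in extract_urls(msg):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host.endswith(SAFELINKS_SUFFIX):
            original = parse_qs(parsed.query).get("url", ["<unknown>"])[0]
            problems.append(f"Safe Links rewrote {original}")
        elif host not in SIM_HOSTS:
            problems.append(f"unexpected link host {host}")
    return problems


# Constructed seed messages: one that passed the advanced delivery policy
# and one that was filtered and had its link rewritten.
SEED_CLEAN = """\
From: Parcel Service <notify@track.phishsim-example.test>
To: seed.mailbox@example.test
Subject: Your parcel could not be delivered
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:DE;SCL:1;SRV:;IPV:NLI;CAT:NONE;
Content-Type: text/html; charset=utf-8

<p>Reschedule here: <a href="https://track.phishsim-example.test/r/a1b2c3">tracking page</a></p>
"""

SEED_BLOCKED = """\
From: Parcel Service <notify@track.phishsim-example.test>
To: seed.mailbox@example.test
Subject: Your parcel could not be delivered
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:DE;SCL:5;SRV:;IPV:NLI;CAT:PHSH;
Content-Type: text/html; charset=utf-8

<p>Reschedule here: <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftrack.phishsim-example.test%2Fr%2Fa1b2c3&amp;data=05%7C01&amp;reserved=0">tracking page</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("clean", SEED_CLEAN), ("blocked", SEED_BLOCKED)):
        print(name, "->", check_seed(raw) or "OK")
```

Run it against the seed mailbox export after every allowlist change, not just the first one: tenants inherit new Defender or Gmail defaults over time, and a campaign that ran cleanly in March can be half-quarantined in June.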

Step 4: Launch, monitor, and handle the first employee reports

Before the first email leaves the platform, brief three groups: the helpdesk, your IT or security admins, and an executive sponsor. The helpdesk gets the campaign window, the sending domain and a canned response - thank the reporter, confirm no action is needed, log the ticket. Nobody else gets details, including department heads, who have a well-documented habit of warning their teams.

Watch the first hour closely. Verify delivery first - if a chunk of messages went to quarantine, pause, fix the allowlist and relaunch later rather than drawing conclusions from partial delivery. Then track clicks and reports as they arrive.

Handle early reporters well; they are your real-world early-warning network, and a one-click report workflow like the one PhishGun provides makes that behaviour measurable instead of anecdotal. Expect some herd alerting - one person posts a warning in the team chat and clicks stop. That is genuine security behaviour worth knowing about, but if you want clean per-user data, stagger sends across teams so a single warning cannot sterilize the whole campaign. Keep landing pages live for three to five business days.

Step 5: Evaluate - click rate, report rate and time-to-report

Resist the urge to reduce the campaign to a single click rate. Four numbers, read together, describe your actual exposure:

| Metric | What it tells you | Healthy trend |
| --- | --- | --- |
| Click rate | Share of recipients who clicked the link | Falls campaign over campaign at comparable difficulty |
| Failure rate | Share who submitted credentials or opened the attachment | Approaches zero on easy and medium templates |
| Report rate | Share who reported the message via button or helpdesk | Rises until it overtakes the click rate |
| Time-to-report | Minutes from first delivery to first employee report | Shrinks; the first report lands before the first click |

Time-to-report is the metric most teams ignore and the one that maps directly to real incidents. Verizon's 2024 Data Breach Investigations Report measured a median of just 21 seconds for a user to click a phishing link after opening the email, and another 28 seconds to enter data. In a real attack, your response window is the gap between the first report and the first click.

Click rate on its own is a vanity metric: it moves with template difficulty more than with awareness. Compare campaigns only at comparable difficulty, segment results by department, and strip out clicks from security scanners that pre-fetch URLs before a human ever sees the message. For context on typical numbers, see our phishing click rate benchmarks.
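The four metrics in the table above, the scanner-click stripping and the per-department segmentation, worked through on a constructed campaign log. This is an added example, not code from the original page or from PhishGun. The event log, the department names and the two scanner heuristics (a click within seconds of delivery, or from a non-browser user agent) are assumptions; tune the heuristics against whatever your own filter and sandbox look like in the landing-page logs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    user: str
    dept: str
    kind: str              # delivered | clicked | submitted | reported
    ts: datetime
    user_agent: str = ""


# Scanner-stripping heuristics (assumptions): a click landing within seconds of
# delivery, or from something that is not a browser, is URL pre-fetching by a
# mail filter or sandbox, not a person.
SCANNER_WINDOW = timedelta(seconds=10)
NON_BROWSER_UA = ("python-requests", "curl/", "go-http-client", "java/", "libwww")


def is_scanner_click(event, delivered_at):
    if event.ts - delivered_at < SCANNER_WINDOW:
        return True
    ua = event.user_agent.lower()
    return not ua.startswith("mozilla/") or any(m in ua for m in NON_BROWSER_UA)


def rates(users, clickers, failers, reporters):
    n = len(users)
    return {
        "recipients": n,
        "click_rate": len(clickers & users) / n,
        "failure_rate": len(failers & users) / n,
        "report_rate": len(reporters & users) / n,
    }


def evaluate(events):
    """Click rate, failure rate, report rate and time-to-report, overall and per department."""
    delivered = {e.user: e.ts for e in events if e.kind == "delivered"}
    dept_of = {e.user: e.dept for e in events if e.kind == "delivered"}
    clickers, failers, reporters = set(), set(), set()
    first_click = first_report = None
    for e in sorted(events, key=lambda e: e.ts):
        if e.user not in delivered:
            continue  # activity without a delivery record is not measurable
        if e.kind == "reported":
            reporters.add(e.user)
            first_report = first_report or e.ts
        elif e.kind == "clicked" and not is_scanner_click(e, delivered[e.user]):
            clickers.add(e.user)
            first_click = first_click or e.ts
        elif e.kind == "submitted":  # a submission implies a click and counts as a failure
            clickers.add(e.user)
            failers.add(e.user)
            first_click = first_click or e.ts
    everyone = set(delivered)
    result = rates(everyone, clickers, failers, reporters)
    first_delivery = min(delivered.values())
    result["time_to_report_min"] = (
        None if first_report is None else (first_report - first_delivery).total_seconds() / 60
    )
    # In a real incident the response window is the gap between these two timestamps.
    result["report_before_click"] = first_report is not None and (
        first_click is None or first_report < first_click
    )
    result["by_dept"] = {
        d: rates({u for u in everyone if dept_of[u] == d}, clickers, failers, reporters)
        for d in sorted(set(dept_of.values()))
    }
    return result


def T(h, m, s=0):
    return datetime(2025, 3, 4, h, m, s)


BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/122.0"

# Constructed campaign log: eight recipients in two departments, staggered delivery.
EVENTS = [
    Event("alice", "finance", "delivered", T(9, 0)), Event("eve", "ops", "delivered", T(9, 0)),
    Event("bob", "finance", "delivered", T(9, 5)), Event("frank", "ops", "delivered", T(9, 5)),
    Event("carol", "finance", "delivered", T(9, 10)), Event("grace", "ops", "delivered", T(9, 10)),
    Event("dan", "finance", "delivered", T(9, 15)), Event("heidi", "ops", "delivered", T(9, 15)),
    Event("alice", "finance", "clicked", T(9, 0, 3), "python-requests/2.31"),  # filter pre-fetch
    Event("eve", "ops", "reported", T(9, 4)),
    Event("carol", "finance", "clicked", T(9, 10, 1), BROWSER),               # sandbox, too fast
    Event("bob", "finance", "clicked", T(9, 12), BROWSER),
    Event("bob", "finance", "submitted", T(9, 13), BROWSER),
    Event("grace", "ops", "clicked", T(9, 20), BROWSER),
    Event("dan", "finance", "reported", T(9, 30)),
    Event("frank", "ops", "reported", T(9, 31)),
]

if __name__ == "__main__":
    for key, value in evaluate(EVENTS).items():
        print(f"{key}: {value}")
```

Without the scanner filter this log would show a 50% click rate instead of 25%, which is exactly the coin-flip result the allowlisting section warns about, only on the evaluation side. Note that `report_before_click` is true here even though two people eventually clicked: that is the outcome you want, a reporter who beats the first real click by eight minutes.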

How often should you run phishing simulations?

For most organizations, quarterly is the floor and monthly is better. A single annual test is a snapshot, not a programme - behaviour changes only with regular, varied exposure, and a year-old click rate convinces neither auditors nor insurers.

| Organization | Suggested cadence | Main driver |
| --- | --- | --- |
| SMB without sector regulation | Quarterly, plus a baseline at onboarding | Behaviour change; cyber-insurance questionnaires |
| NIS2-regulated entities (SK/CZ) | Monthly to quarterly, documented | SK vyhláška č. 227/2025 Z. z. awareness plan; CZ zákon č. 264/2025 Sb. |
| Financial entities under DORA | Monthly to quarterly, role-based | Mandatory awareness and resilience training under Article 13(6) |
| ISO 27001-certified companies | At least quarterly, with records | Clause 7.3 and control A.6.3 effectiveness evidence at audits |

Regulation increasingly sets the rhythm. In Slovakia, the NBÚ decree č. 227/2025 Z. z. requires regulated entities to maintain a security-awareness development plan with regular refresher training and documented effectiveness evaluation - simulation metrics are the cleanest evidence you can file. Czechia's new cybersecurity act, zákon č. 264/2025 Sb., and its implementing decrees impose similar documentation duties. Our breakdown of NIS2 security awareness training requirements covers the specifics.

Cadence does not mean sending the same template to everyone every month. Rotate scenarios, vary send times and audiences, and avoid a predictable first-Monday pattern that employees learn to expect.

After the simulation: feedback, micro-training, and the next campaign

Close the loop within days, not weeks. Share aggregate results with the whole company: the lure used, the click and report rates, and the red flags that gave it away. People talk about the campaign anyway - transparent numbers turn gossip into a lesson.

For those who clicked, the teachable moment lasts seconds. A short, immediate explanation of the exact red flags they missed outperforms a 45-minute e-learning assigned three weeks later. Pair that click-time feedback with our red-flags checklist for employees so the lesson sticks beyond one template.

Then plan the next campaign while the data is fresh: raise difficulty for teams that did well, repeat similar lures where failure rates were high, and broaden scenarios over time. These phishing simulation best practices - informed IT, realistic localized templates, no blame, a steady cadence - compound, and the programme gets more valuable with every cycle.

If you would rather not assemble the tooling yourself, PhishGun - built by the offensive-security team at Haxoris - handles the whole loop: localized English, Slovak and Czech templates, in-the-moment micro-training on click, an employee report workflow, and audit-ready reports for NIS2, ISO 27001 and DORA. You can run your first phishing campaign free, no credit card required.

Frequently asked questions

Is it legal to run a phishing simulation on employees under GDPR?

Yes, when done correctly. The usual legal basis is legitimate interest under Article 6(1)(f) GDPR, not consent - asking permission before each test would defeat the purpose. Document a legitimate-interest assessment with your DPO, announce in your security policy that simulations happen, involve employee representatives where national law requires it, and report results in aggregate rather than naming individuals.

Do I need to allowlist a phishing simulation in Microsoft 365?

Yes. Without an allowlist, Microsoft Defender will quarantine some messages and deliver others, so your results measure the filter, not your people. Use the advanced delivery policy in the Defender portal under Email & collaboration → Policies & rules → Threat policies → Advanced delivery to register your platform's sending domains, IP addresses and simulation URLs, then verify delivery with a seed mailbox before launch and confirm that Safe Links has not rewritten the simulation URLs.

What is a good click rate for a phishing simulation?

There is no single good number - click rate depends heavily on template difficulty and targeting. Untrained organizations typically see double-digit click rates on a first baseline, while mature programmes drive easy and medium templates into single digits. The more useful signals are the trend across campaigns and whether the report rate eventually overtakes the click rate.

Should employees be punished for clicking a phishing simulation link?

No. Punishing clickers is the fastest way to destroy your reporting culture: people stop reporting both simulations and real incidents to avoid blame. Treat a click as a training trigger and deliver short, immediate micro-training on the red flags that were missed. Reserve escalation for repeat clickers in high-risk roles such as finance or administrators, and even then prefer additional, role-specific training over discipline.

How long should a phishing simulation campaign run?

Three to five business days is a sensible window for most campaigns. The bulk of clicks and reports arrive within the first few hours of delivery, but a multi-day window catches part-time staff and people returning from leave. Keep landing pages live for the whole window, then close the campaign, exclude automated scanner clicks, and evaluate the results.

Next step

Ready to measure your phishing and training program?

Book a demo and see how PhishGun can support your simulation and training program, reporting needs, and compliance evidence.