How to Run a Phishing Test for Employees: Process, Costs, and Results

A phishing test for employees is a controlled exercise: you send a realistic but harmless fake phishing email to staff and measure who clicks, who enters credentials, and who reports it. A first baseline test takes about two weeks from setup to results. In Slovakia and Czechia, agencies charge roughly €199–1,000 per one-off test; self-service platforms charge a few euros per employee per month.

What is a phishing test for employees - and what is it not?

A phishing test for employees - also called a simulated phishing attack or phishing simulation - is a controlled exercise in which your organization, or a vendor acting on its behalf, sends staff a realistic but harmless fake phishing email and measures the response. Nothing is stolen and nothing is infected. The output is data: who opened the message, who clicked, who submitted credentials, and who reported it.

The case for testing is simple. The ENISA Threat Landscape 2025 identifies phishing as the leading initial intrusion vector, present in roughly 60% of analysed incidents. Mail filters catch most of it; a phishing test tells you what happens when one message gets through.

It is just as important to be clear about what a phishing test is not:

  • Not a trap for individuals. The unit of measurement is the organization, not the employee. A test of employee security awareness answers "how exposed are we?", never "who do we fire?".
  • Not a real attack. A well-built simulation records interaction events only - it never stores the passwords typed into the fake login page and never delivers malware.
  • Not a one-off checkbox. A single campaign is a snapshot. Useful programs repeat, compare, and improve.

What does a phishing test reveal? Click rate, credential submissions, report rate

A phishing campaign produces a funnel: delivered, opened, clicked, submitted, reported. Three of those numbers matter most.

Click rate

The share of recipients who clicked the link or opened the attachment. KnowBe4's 2025 Phishing by Industry benchmark, built on 67.7 million simulated emails across 62,400 organizations, puts the average baseline at 33.1% - and 24.6% for companies with fewer than 250 employees. If a third of your staff clicks on a first test, you are normal, not negligent.

Credential submission rate

The share who clicked and then typed their username and password into the fake login page. This is the closest proxy for real damage: in an actual attack, those credentials would now be in a criminal's hands. It usually runs well below the click rate - and it is the number your management will remember.

Report rate

The share who flagged the email to IT or through a report button. This is the most important metric and the only one you want to go up. Reporters are your human sensor network: they give the security team a head start measured in minutes.

Speed is why reporting matters. Verizon's Data Breach Investigations Report measured a median of just 21 seconds to click a phishing link after opening the email, and another 28 seconds to enter data - under a minute end to end. Compare your funnel against published phishing click-rate benchmarks before deciding how worried to be.

Free phishing campaign

Test your employees with one free phishing campaign and see the results for yourself.

Run a focused pilot, measure clicks and reports, and review the training outcomes before rollout.

No credit card required.

How does a phishing test work, step by step?

A first baseline test takes about two weeks from kickoff to a finished report. Here is how to run a phishing test for employees without disrupting the business:

  1. Define scope and ownership (day 1). Decide who is tested (ideally everyone, including management), which metrics you will track, and who may see individual-level results. Get written management sign-off - never run a simulation without it.
  2. Prepare the technical setup (days 2–4). Allowlist the simulation's sending domain in Microsoft 365 or Google Workspace so spam filters do not silently absorb the campaign and skew your data.
  3. Pick the scenario (days 3–5). Choose a template that mirrors what your staff actually receives - a password-reset notice, a shared document, an invoice. Browse real phishing test examples for inspiration, and match the language your employees work in.
  4. Launch (start of week 2). Send in randomized batches over several hours or days rather than all at once.
  5. Run the campaign window (3–7 days). Track opens, clicks, submissions and reports as they happen. Good platforms show a short micro-training page the moment someone clicks - the most teachable second of the year.
  6. Close and report (end of week 2). Freeze the data, compile the report, and schedule the follow-up communication.

What does a phishing test cost?

In the Slovak and Czech markets you can buy a phishing test three ways: a one-off engagement from an agency, a self-service platform subscription, or a free baseline campaign. Published Slovak price lists in 2026 advertise one-off simulated phishing tests from €199 (a promotional rate, typically capped at around 100 employees), with standard rates of €400–1,000 per test depending on headcount and scenario customization. Czech providers mostly quote individually, on the same order of magnitude.

                        | One-off agency test                               | Self-service platform                                                   | Free baseline campaign
Typical price (SK/CZ)   | €199 promo offers; €400–1,000 standard, per test  | Per-employee subscription, from a few € per employee per month          | €0
What you get            | One campaign, a PDF report, a debrief call        | Recurring campaigns, dashboards, micro-training, report-button workflow | One real campaign with baseline click, submission and report rates
Repeat testing          | New quote and new invoice each time               | Included - monthly or quarterly cadence                                 | Upgrade when you want campaign two
Best for                | A one-time audit data point                       | An ongoing awareness program                                            | Proving the problem before asking for budget

The rule of thumb: if you plan to test more than once - and every regulation pushing you toward testing assumes you will - recurring per-employee pricing beats paying agency rates repeatedly. A 50-person company can often run a year of campaigns on a platform for the price of one or two agency engagements. PhishGun publishes transparent per-employee pricing, so you can do that math before talking to anyone.

What a good phishing test report looks like

The report is the real deliverable - it is what you show management, auditors and, in aggregate, employees. A useful one contains:

  • Executive summary: one page with the three headline rates, a benchmark comparison, and the trend if this is not your first test.
  • Campaign parameters: scenario used, sender domain, audience size, send and close dates. Auditors ask for exactly this.
  • The full funnel: delivered → opened → clicked → submitted → reported, each as a count and a percentage.
  • Timing data: time to first click and median time to report. These show how fast a real incident would unfold.
  • Breakdown by department or location - aggregated. A good report never ranks named individuals.
  • Repeat-click handling: how people who click repeatedly receive additional training, without naming them in circulated documents.
  • Recommended next steps: the scenario and difficulty for the next campaign, plus the training topics the data points to.

Is a phishing test for employees legal under GDPR?

Yes - phishing testing of employees is lawful across the EU when done correctly. The legal basis is legitimate interest under Article 6(1)(f) of the GDPR; Recital 49 explicitly recognizes ensuring network and information security as a legitimate interest of the controller. You do not ask employees for consent: announcing each campaign would invalidate the measurement, and in an employment relationship consent is rarely considered freely given anyway.

Legitimate interest is not a blank cheque. To rely on it, do five things:

  1. Run and document a legitimate-interest assessment (balancing test) before the first campaign.
  2. Tell employees in your security policy that phishing simulations are part of the program - without revealing timing or templates.
  3. Minimize data: record click and report events, never the passwords people type into the simulated page.
  4. Restrict access to individual-level results to a small, named group; report to everyone else in aggregate.
  5. Set a retention period, and involve your DPO - and the works council, where one exists.
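The following Python script is an added example, not PhishGun's or any vendor's code. It builds the report pieces described in the checklist above (the delivered → opened → clicked → submitted → reported funnel as counts and percentages, time to first click, median time to report, and a department breakdown that never exposes an individual) from a raw event log, and it applies the data-minimization rule from the GDPR steps: the simulated login page handler keeps only the fact that a submission happened and discards every typed value. The recipient ids, departments, event log, the minimum group size of three, and the function names (`record_submission`, `funnel`, `timing`, `by_department`) are all constructed assumptions for this illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample (not real campaign results). Recipient ids are pseudonymous
# tokens; the mapping to people stays with the small named group that may see
# individual-level results.
RECIPIENTS = {
    "r01": "Finance", "r02": "Finance", "r03": "Finance",
    "r04": "Sales",   "r05": "Sales",   "r06": "Sales",
    "r07": "IT",      "r08": "IT",      "r09": "IT",
    "r10": "Legal",   # a one-person department: must not be reported on its own
}

# Constructed event log: (recipient id, event, seconds after the send).
EVENTS = [
    ("r01", "delivered", 0), ("r01", "opened", 120), ("r01", "clicked", 141), ("r01", "submitted", 169),
    ("r02", "delivered", 0), ("r02", "opened", 300), ("r02", "reported", 360),
    ("r03", "delivered", 0), ("r03", "opened", 900), ("r03", "clicked", 930),
    ("r04", "delivered", 0), ("r04", "opened", 60),  ("r04", "clicked", 85),  ("r04", "submitted", 120),
    ("r05", "delivered", 0),
    ("r06", "delivered", 0), ("r06", "opened", 1800), ("r06", "reported", 1900),
    ("r07", "delivered", 0), ("r07", "opened", 45),  ("r07", "reported", 70),
    ("r08", "delivered", 0), ("r08", "opened", 200), ("r08", "clicked", 230), ("r08", "reported", 260),
    ("r09", "delivered", 0), ("r09", "opened", 500),
    ("r10", "delivered", 0), ("r10", "opened", 30),  ("r10", "clicked", 50),  ("r10", "submitted", 95),
]

STAGES = ("delivered", "opened", "clicked", "submitted", "reported")
MIN_GROUP = 3  # assumed: smallest department that may appear in the breakdown


def record_submission(recipient, form_fields, seconds):
    """Handler for the simulated login page: store that a submission happened,
    never what was typed. form_fields is accepted only so the page works, and
    is deliberately dropped here (data minimization)."""
    del form_fields  # never logged, never persisted
    return (recipient, "submitted", seconds)


def funnel(events):
    """Distinct recipients per stage, each as a count and a share of delivered.
    A recipient who clicks twice counts once."""
    who = defaultdict(set)
    for rid, event, _ in events:
        who[event].add(rid)
    delivered = len(who["delivered"])
    return {s: (len(who[s]), round(100 * len(who[s]) / delivered, 1)) for s in STAGES}


def timing(events):
    """Time to first click and median time to report, in seconds after send."""
    clicks = [t for _, e, t in events if e == "clicked"]
    reports = [t for _, e, t in events if e == "reported"]
    return {
        "first_click_s": min(clicks) if clicks else None,
        "median_report_s": median(reports) if reports else None,
    }


def by_department(events, recipients, min_group=MIN_GROUP):
    """Click and report rates per department, aggregated only. Departments
    smaller than min_group are pooled into "Other"; if that pool is still too
    small it is omitted (its people remain in the company-wide funnel)."""
    clicked = {r for r, e, _ in events if e == "clicked"}
    reported = {r for r, e, _ in events if e == "reported"}
    sizes = defaultdict(int)
    for dept in recipients.values():
        sizes[dept] += 1
    members = defaultdict(set)
    for rid, dept in recipients.items():
        members[dept if sizes[dept] >= min_group else "Other"].add(rid)
    out = {}
    for group, ids in members.items():
        if len(ids) < min_group:
            continue  # would identify individuals; leave out of the breakdown
        n = len(ids)
        out[group] = {
            "recipients": n,
            "click_pct": round(100 * len(ids & clicked) / n, 1),
            "report_pct": round(100 * len(ids & reported) / n, 1),
        }
    return out


if __name__ == "__main__":
    for stage, (count, pct) in funnel(EVENTS).items():
        print(f"{stage:>10}: {count:3d} ({pct}%)")
    print(timing(EVENTS))
    for group, row in by_department(EVENTS, RECIPIENTS).items():
        print(f"{group:>10}: {row}")
```

Two design points: rates are computed over distinct recipients, so a person who clicks the link three times does not inflate the click rate, and the department breakdown applies a minimum group size before anything is printed, so a lone clicker in a one-person team cannot be identified from the circulated report.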

How to communicate results without blaming employees

A phishing test fails the moment employees fear it. People who expect to be shamed do not report real phishing - they delete it quietly, or worse, click and say nothing. Communication is part of the test design, not an afterthought:

  • Announce the program before the first campaign, in general terms, and explain why: attackers test you anyway, without permission.
  • Publish aggregate results to the whole company within days. Transparency builds trust faster than secrecy.
  • Celebrate reporters. Thank the first people who flagged the email and make reporting the visible win.
  • Frame clicks as a control gap, not carelessness. "31% clicked" means the filtering, the training and the reporting process need work.
  • Train at the moment of the click. A 30-second micro-lesson right after the mistake beats a quarterly slide deck.
  • Give people a tool, not a lecture: share a practical checklist for recognizing phishing emails and a one-click way to report suspicious messages.

From a first baseline test to an ongoing program

One test is a snapshot; behavior changes only with repetition. KnowBe4's 2025 benchmark shows the average click rate falling from 33.1% at baseline to 4.1% after twelve months of regular simulations and training - an 86% reduction. Quarterly campaigns are the realistic minimum, monthly the common standard, with scenarios rotating in type and difficulty.

Regulation now assumes the same. In Slovakia, vyhláška NBÚ č. 227/2025 Z. z. requires regulated entities to maintain a documented security-awareness development plan, evaluate its effectiveness and keep records - including test results. In Czechia, vyhláška č. 409/2025 Sb. under the new cybersecurity act sets equivalent expectations for entities in the higher-obligations regime. If NIS2 applies to you, see our breakdown of the NIS2 security awareness training requirements.

The practical path looks like this:

  1. Run a free baseline campaign and capture your click, submission and report rates.
  2. Share the aggregate numbers and announce the ongoing program.
  3. Set a cadence - quarterly at minimum - and increase difficulty gradually.
  4. Track the report rate quarter over quarter; that is your real KPI.
  5. File every report as audit evidence for NIS2, ISO 27001 or DORA.

PhishGun was built by Haxoris, an EU-based offensive-security company, for exactly this loop: realistic campaigns with localized Slovak, Czech and English templates, micro-training at the moment of the click, and audit-ready reporting. Run your first phishing campaign free - no credit card, real baseline numbers in about two weeks.

Frequently asked questions

How often should you run a phishing test for employees?

Quarterly is a realistic minimum; many organizations test monthly. One test measures, but only repetition changes behavior - KnowBe4's 2025 benchmark shows average click rates falling from 33.1% to 4.1% after twelve months of combined simulations and training. Vary scenarios and difficulty each round, and document every campaign so the results double as compliance evidence.

Do you have to warn employees before a phishing test?

Yes in general terms, no for specific campaigns. GDPR transparency requires that employees know simulated phishing is part of your security program, typically through the security or acceptable-use policy. You do not announce individual campaigns in advance - that would invalidate the measurement. Document the legitimate-interest basis and involve your DPO before the first test.

What is a good click rate for a phishing test?

Most organizations see 20–35% of employees click in a first baseline test; KnowBe4's 2025 benchmark puts the global average at 33.1%, and 24.6% for companies under 250 employees. Mature programs get below 5%. Watch the report rate too - a rising share of employees reporting the simulation is the strongest sign your awareness program works.

Can employees be punished for failing a phishing test?

No - and you should not want to. Punishing clicks teaches people to hide mistakes and stop reporting real incidents, which destroys the main value of testing. It also weakens the GDPR legitimate-interest balance that makes testing lawful. Handle repeated clicks with additional targeted training, and keep individual results restricted to a small named group.

Is a free phishing test really free?

Often yes, with limits. Agencies use free phishing diagnostics as lead generation, usually capped in scope or headcount. Self-service platforms, PhishGun included, let you run a full first campaign free without a credit card. A free baseline is genuinely useful: it gives you the click and report rates you need to justify any further budget.

Next step

Ready to measure your phishing and training program?

Book a demo and see how PhishGun can support your simulation and training program, reporting needs, and compliance evidence.