Staff & Security Culture · 25 February 2025 · 6 min read

How to Run a Phishing Simulation for Your Team

Phishing simulations help staff recognise real attacks. Here's how to run a safe, educational phishing test for your Australian small business team.


Telling your team to "watch out for phishing emails" is useful. Actually showing them what a convincing phishing email looks like — and seeing how they respond — is far more powerful.

A phishing simulation is a controlled test where you send your own staff a fake phishing email to see who clicks the link, enters credentials, or opens an attachment. It sounds confrontational, but done well, it's one of the most effective ways to build genuine security awareness — not just compliance.

The ACSC and leading security researchers consistently point to phishing as the primary delivery mechanism for malware, ransomware, and business email compromise in Australia. Running simulations is how you find out, before an attacker does, how vulnerable your team really is.

Why Phishing Simulations Work

The gap between what people say they know and what they actually do under pressure is wide. KnowBe4's own benchmarking of its customers puts the baseline "phish-prone" rate for untrained staff at roughly one in three clicking a well-crafted phishing link; after a year of regular simulation and training, that rate typically drops to under 5%. Those are vendor figures drawn from one platform's customer base, so treat them as indicative of the size of the effect rather than as a target for your own team.

What makes simulations effective is the experiential learning element. When someone clicks a link in a safe test environment and is immediately shown "this was a simulated phishing email — here's what gave it away," that moment is memorable in a way that a training video is not. It's personal, immediate, and consequence-free.

Step 1: Choose Your Approach

There are two ways to run phishing simulations: using a dedicated platform or running a basic test manually.

Using a Platform

Platforms like KnowBe4, Proofpoint Security Awareness Training, and Cofense PhishMe handle the technical complexity for you. They provide:

  • A library of realistic phishing templates (including Australian-specific ones)
  • Automated sending and tracking
  • Immediate just-in-time training for staff who click
  • Detailed reporting on click rates, credential entry, and improvement over time

Many offer free trials, and small business pricing is typically affordable — often a few dollars per user per month.

Manual Testing

If budget is very tight, you can run a basic simulation manually using a test email account and a simple landing page or Google Form to stand in for a credential-harvesting site. Two technical cautions apply. First, the landing page must never accept or store a real password: configure it to show the "this was a simulation" message as soon as the page loads or the form is submitted, and record only that a submission happened, not what was typed. Second, mail sent from an outside account that imitates your own brand will often be quarantined by your spam filter, so you may need a temporary allow rule for the sending address; remove it as soon as the campaign ends, because a standing bypass is exactly what a real attacker would love to find. This approach requires more manual effort and provides less sophisticated reporting, but it can still be educational. Ensure you're clear on the legal and ethical boundaries before proceeding — see Step 2.

Step 2: Get the Ethics and Legal Aspects Right

Phishing simulations must be done ethically. Key principles:

  • Authorisation: Simulations must be authorised by business leadership. Never run one on an organisation you don't own or manage.
  • Purpose: The goal is education, not punishment. Results should inform training, not performance reviews.
  • Privacy: Individual click data should be used for coaching, not shaming. Consider aggregating results at the team level.
  • Communication: Inform staff ahead of time that phishing simulations may occur (without telling them when). This sets expectations and is part of building a security culture.

Under Australian workplace law, employees have reasonable expectations around monitoring, and some states (NSW, under its Workplace Surveillance Act 2005, for example) require staff to be notified in advance of computer monitoring. Make sure your employment agreements or IT policies reference the possibility of security testing, and check the rules that apply in your state.

Step 3: Design Your Simulation

Start with a moderate difficulty level — not so obvious that everyone spots it, not so sophisticated that it's unfair. Good starter scenarios include:

  • A fake "password expiry" notification from your email provider
  • A fake parcel delivery notification (extremely common and effective)
  • A fake invoice or payment request from a supplier
  • A fake ATO tax notification — highly relevant for Australian businesses
  • A fake Microsoft 365 or Google Workspace login prompt

If you're using a platform like KnowBe4, browse their template library for Australian-localised examples, which will be more realistic for your team.

Step 4: Run the Simulation and Measure Results

Send the simulation to your team and track:

  • Open rate — did they open the email? This is the least reliable number: it depends on a tracking pixel that many mail clients block or pre-fetch, so treat it as a rough indicator only.
  • Click rate — did they click the link? Mail security gateways often fetch every link in an incoming email before delivery, which shows up as a "click" within seconds of sending. Exclude those, or your click rate will be inflated.
  • Credential entry rate — did they submit the fake login form? Record only that a submission happened, never the values entered.
  • Reporting rate — did anyone report the email as suspicious, via a report button in the mail client or by forwarding it to your nominated address?

The reporting rate is particularly important — it shows whether your team has the confidence and the mechanism to flag suspicious emails, not just the knowledge to avoid clicking. If there is no report button or address, set one up before the first simulation; you cannot measure a behaviour staff have no way to perform.
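As an added example (not code from the original article, nor from any of the platforms it names), the following Python shows one way to do the manual tracking and measurement described in this step: an opaque HMAC token per recipient so a click can be attributed without putting the address in the URL, a timing filter for automated link-scanner clicks, and aggregation to team level so what gets shared is never an individual's result. The tracking domain, campaign id, secret, recipient list and event log are all constructed placeholders.

```python
import hmac
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical campaign identifier and secret. Generate the secret per campaign
# (e.g. secrets.token_bytes(32)) and keep it with the results, not in the email.
CAMPAIGN_ID = "2025-02-parcel"
CAMPAIGN_SECRET = b"replace-with-a-random-per-campaign-secret"
SENT_AT = datetime(2025, 2, 25, 9, 0, 0)

# Clicks this soon after sending are treated as automated link scanning (mail
# security gateways fetch URLs before delivery), not as a person clicking.
SCANNER_WINDOW = timedelta(seconds=60)

# Constructed recipient list (address -> team), standing in for a directory export.
RECIPIENTS = {
    "alice@example.com.au": "finance",
    "bob@example.com.au": "finance",
    "carol@example.com.au": "ops",
    "dave@example.com.au": "ops",
    "erin@example.com.au": "ops",
}

EVENTS = ("open", "click", "submit", "report")


def make_token(email: str) -> str:
    """Opaque per-recipient token for the tracking link.

    HMAC-SHA256 over campaign id and address, truncated to 16 hex chars. It lets a
    click be attributed to a recipient without putting the address in the URL, and
    it cannot be guessed or forged by staff who only see their own link.
    """
    msg = f"{CAMPAIGN_ID}:{email}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def build_token_index(recipients: dict) -> dict:
    """Reverse map token -> address, used by the tracking endpoint and the report."""
    return {make_token(email): email for email in recipients}


def tracking_url(email: str, base: str = "https://sim.example.com.au/t") -> str:
    """Link to embed in the simulated email (the base URL is an assumed placeholder)."""
    return f"{base}?c={CAMPAIGN_ID}&k={make_token(email)}"


def constructed_events():
    """Sample event log as a tracking endpoint might write it: (ts, token, event, ip).

    A 'submit' means the landing-page form was submitted; the page records only the
    event, never what was typed. Entirely constructed for this example.
    """
    t, s = make_token, SENT_AT
    return [
        # A gateway link scanner fetches every URL within seconds of delivery.
        (s + timedelta(seconds=3), t("alice@example.com.au"), "click", "203.0.113.9"),
        (s + timedelta(seconds=3), t("bob@example.com.au"), "click", "203.0.113.9"),
        (s + timedelta(seconds=4), t("carol@example.com.au"), "click", "203.0.113.9"),
        # Genuine staff activity later in the morning.
        (s + timedelta(minutes=12), t("alice@example.com.au"), "open", "198.51.100.20"),
        (s + timedelta(minutes=13), t("alice@example.com.au"), "click", "198.51.100.20"),
        (s + timedelta(minutes=14), t("alice@example.com.au"), "submit", "198.51.100.20"),
        (s + timedelta(minutes=20), t("carol@example.com.au"), "report", "198.51.100.20"),
        (s + timedelta(minutes=30), t("bob@example.com.au"), "open", "198.51.100.20"),
        # Dave's mail client blocked the tracking pixel, so no 'open' was logged.
        (s + timedelta(minutes=46), t("dave@example.com.au"), "click", "198.51.100.20"),
        # Unknown token (guessed or stale link): ignored by the summary.
        (s + timedelta(hours=2), "0000000000000000", "click", "192.0.2.77"),
    ]


def is_scanner_click(ts: datetime, event: str) -> bool:
    return event == "click" and ts - SENT_AT < SCANNER_WINDOW


def summarise(recipients: dict, events) -> dict:
    """Per-team counts of distinct recipients who opened, clicked, submitted, reported.

    Individual results are resolved here only to de-duplicate; what is returned is
    team-level, which is what gets shared with staff.
    """
    index = build_token_index(recipients)
    who = {e: set() for e in EVENTS}  # event -> addresses that did it
    for ts, token, event, _ip in events:
        email = index.get(token)
        if email is None or event not in who or is_scanner_click(ts, event):
            continue
        who[event].add(email)
        # A click or submission proves the mail was opened even if the tracking
        # pixel was blocked, so 'opened' is derived rather than trusted as logged.
        if event in ("click", "submit"):
            who["open"].add(email)
        if event == "submit":
            who["click"].add(email)
    teams = defaultdict(lambda: {"delivered": 0, "opened": 0, "clicked": 0,
                                 "submitted": 0, "reported": 0})
    for email, team in recipients.items():
        row = teams[team]
        row["delivered"] += 1
        row["opened"] += email in who["open"]
        row["clicked"] += email in who["click"]
        row["submitted"] += email in who["submit"]
        row["reported"] += email in who["report"]
    return dict(teams)


def rates(summary: dict) -> dict:
    """Percentages per team, one decimal, for the trend line across campaigns."""
    return {team: {k: round(100 * v / row["delivered"], 1)
                   for k, v in row.items() if k != "delivered"}
            for team, row in summary.items()}


if __name__ == "__main__":
    for email in RECIPIENTS:
        print(email, tracking_url(email))
    summary = summarise(RECIPIENTS, constructed_events())
    for team, row in summary.items():
        print(team, row, rates(summary)[team])
```

The scanner filter deliberately uses timing rather than source IP: in a small office every genuine click arrives from the same NAT address, so an IP-based rule would throw away real results. Keep the campaign secret and the token index with the results, not on the landing page, so a curious staff member who views the page source learns nothing about who else received the email.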

Step 5: Follow Up With Education, Not Blame

This is the most important step. What happens after the simulation determines whether it builds culture or destroys trust.

  • For people who clicked: Provide immediate, supportive education. Most platforms deliver this automatically. Follow up with a brief conversation — not a reprimand.
  • For everyone: Share aggregate results at the team level. "30% of us clicked this week — here's what the email looked like, and here's how to spot similar ones."
  • Celebrate reporters: If anyone forwarded the suspicious email or reported it, acknowledge that. That's exactly the behaviour you want to reinforce.

Step 6: Run Simulations Regularly

A single simulation is a baseline measurement. To actually change behaviour, you need to run them regularly — at least monthly for most teams. Vary the difficulty and type over time. As your team improves, introduce more sophisticated scenarios.

Track your phishing click rate over time. The trend line — hopefully heading downward — is a meaningful indicator of your security culture's health. Track the reporting rate alongside it; a rising reporting rate is the stronger sign that staff are doing the right thing rather than merely ignoring the email.

Key Takeaways

  • Phishing simulations are one of the most evidence-backed techniques for reducing real-world click rates among staff.
  • Platforms like KnowBe4 and Proofpoint make running simulations accessible and affordable for small teams.
  • Always run simulations ethically: get authorisation, inform staff that testing may occur, and use results for education — not punishment.
  • Start with realistic, moderately difficult scenarios relevant to Australian business contexts (ATO emails, parcel notifications, invoice requests).
  • Follow up every simulation with supportive, team-level education — and celebrate staff who report the test as suspicious.

Want to understand your team's broader security posture? Run a free cyber risk assessment at flagged.com.au — a 10-minute check-up built for Australian small businesses.

Tags

phishing simulation · security training · awareness · small business · Australia