Phishing Simulations for SMEs — Process, Costs, and What You Actually Learn
Training conveys knowledge. Phishing simulations show whether that knowledge is applied in everyday work. This difference is decisive: most employees know they should not click suspicious links. The question is whether they follow through when a deceptively genuine email arrives in a stressful moment.
Why Phishing Simulations Are More Effective Than Training Alone
Research shows a clear pattern: there is a gap between knowledge and behavior. Employees who answer every quiz question correctly still click phishing links — because the real situation differs from the exercise.
The decisive factor is what research calls Context-Message Fit: when the phishing email fits the recipient's current context perfectly — a delivery notification the day after an order, an IT warning during a real system update — the click probability rises drastically.
Phishing simulations train exactly this reflex: making a decision in the real work situation, in the real inbox, under real time pressure. No quiz and no video can replace that.
How a Realistic Phishing Campaign Works
A professional phishing campaign runs in four phases.
In the preparation phase, the templates are selected. Realistic scenarios are key: CEO fraud, IT support requests, supplier invoices, meeting invitations, or password reset prompts. The templates should fit the company — an "Amazon order" email is less relevant than a "new access to the company VPN" message.
In the execution phase, the emails are sent over a defined period — ideally not all at once but spread over several months. A 365-day challenge with four unannounced campaigns per year is a proven model. This trains vigilance continuously instead of testing it once.
In the tracking phase, measurement takes place: Who opened the email? Who clicked the link? Who entered data? And especially important: who reported the email as suspicious? The report rate is at least as meaningful as the click rate.
In the evaluation phase, the benchmark report is created. It shows the results compared with industry and departments, identifies risk groups, and documents the development over time.
What a Benchmark Report Shows
A good report answers three questions.
How does the company compare? A click rate of 15 percent sounds worrying — but for an initial measurement without prior training it is an average value. Without context, a number is meaningless.
Where are the risks? Typically, certain departments click more often than others. Finance, HR, and assistant roles are often more affected because they work with external emails daily and want to process requests quickly. The report identifies these patterns.
How is the company developing? The greatest value of the report lies in the change over time. A click rate that drops from 22 percent to 7 percent is the strongest proof that the awareness program works.
GDPR-Compliant Execution
Phishing simulations process personal data — email addresses and behavioral data. For GDPR-compliant execution, several points need attention.
Evaluation is anonymized. The point is not to identify individual employees who clicked. The point is aggregated results: departments, locations, development over time. No employee is publicly singled out.
A data processing agreement (DPA) with the provider is mandatory. The data must be processed on EU servers.
Informing the works council is advisable. Phishing simulations are not covert performance monitoring but a protective measure — still, the works council should be informed before the first campaign.
Common Concerns — and Honest Answers
"Will employees perceive this as surveillance?" — That depends on the communication. If management positions the campaign as "we are testing who makes the mistake", it will be perceived negatively. If the message is "we are training as a team to protect each other", acceptance rises considerably.
"What if the click rate is embarrassingly high?" — A high click rate in the initial measurement is normal and no reason to panic. On the contrary: it clearly shows the need for action and makes the value of the training visible. After six to twelve months of regular training and simulations, reductions of 50 to 70 percent are realistic.
Free security awareness training — plus research-based advisory for your own phishing campaign. Learn more in the free security awareness training.
Start for free →