
How to Run a Phishing Simulation on Your Team (Step by Step)

A practical, no-jargon guide to running your first employee phishing simulation: planning, sending, tracking clicks, and turning the results into real training.

A phishing simulation is a safe, fake phishing attack you send to your own team so you can see who would click, before a real attacker finds out for you. Done right, it is the single fastest way to turn "we think our people are careful" into a number you can actually act on.

You do not need a security team or a six-figure platform to run one. Here is the whole process, start to finish.

Step 1: Get sign-off and set the goal

Before you send anything, get a yes from whoever owns the people side: an owner, an office manager, HR, or leadership. A simulation should never feel like a trap set by IT to embarrass people. The goal is coaching, not catching.

Write down one goal. For a first run it is almost always: "establish a baseline click rate so we know where we stand." That is it. You are taking a measurement, not grading individuals.

Step 2: Build your recipient list and verify your domain

Export a simple list of names, work emails, and (if you are testing text messages) mobile numbers. Start with everyone, or one department if you want a smaller first test.

A reputable tool will make you verify that you own the domain you are testing before it sends anything. This matters: domain verification is what separates a legitimate simulation from a tool that could be used for real phishing. If a product lets you blast any address with no checks, walk away.

Step 3: Pick a realistic lure

The lure is the fake message. The best ones look boring and plausible, not dramatic. Think:

  • A password-expiry notice from "IT."
  • A shared document or invoice that needs review.
  • A delivery or package notification.
  • An HR or payroll update.

Match the lure to your business. A law firm and a warehouse get fooled by different things. Avoid anything cruel (fake bonuses, fake layoffs); it damages trust and teaches nothing.

Step 4: Choose your channel: email, SMS, or both

Most teams only test email. Attackers do not stop there. SMS phishing (smishing) now slips past the email filters most tools rely on, and it lands on the device people trust most. If your team uses phones for work at all, test both. We dug into the data in Email vs SMS phishing.

Step 5: Send, then track what happens

Schedule the campaign and let the tool send each person a uniquely tracked message. You are watching four things move:

  1. Delivered: did it reach the inbox or phone.
  2. Opened: did they open it.
  3. Clicked: did they click the link.
  4. Submitted: did they actually enter credentials on the fake page.

That last step is the one that matters most. A click is a stumble. Entering a password is the failure a real attacker is counting on.

Step 6: Always show the reveal

Anyone who falls for it should immediately land on a friendly "this was a training test" page that explains what they missed and how to spot it next time. The reveal is where the learning happens. No real password should ever be stored, only the fact that one was entered.

This is also what keeps the program positive. People who get safely caught, see the reveal, and laugh about it are the people who pause on the real thing six weeks later.

Step 7: Measure the right things

A first-run click rate around 30 percent is completely normal for an untrained team; 2026 industry data puts the untrained average near a third of all recipients. After a year of regular testing, 3 to 5 percent is considered the gold standard. See the full click-rate benchmarks by industry.

But click rate is not the only number. Track your reporting rate (how many people reported the message instead of clicking) and time to report. A team that reports fast is a team that is actually defending itself.
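As an added example (not code from this article or from phis3d), here is a small Python scorer for the four-stage funnel in Step 5 and the click, submission and reporting rates in Step 7; the recipient tokens, event stream and timings are constructed, and the ingest step keeps only the fact that a credential was entered, as Step 6 requires.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not from the article): one unique tracking token per
# recipient, and the raw event stream a simulation tool might emit, as tuples of
# (token, event, minutes after send, payload). Only "submitted" carries a
# payload, the string typed into the fake page, which must never be persisted.
RECIPIENTS = {"tok-a1": "alice", "tok-b2": "bob", "tok-c3": "carol",
              "tok-d4": "dan", "tok-e5": "erin"}
RAW_EVENTS = [
    ("tok-a1", "delivered", 1, None), ("tok-a1", "opened", 12, None),
    ("tok-a1", "clicked", 13, None), ("tok-a1", "submitted", 14, "hunter2"),
    ("tok-b2", "delivered", 1, None), ("tok-b2", "opened", 30, None),
    ("tok-b2", "reported", 31, None),
    ("tok-c3", "delivered", 1, None), ("tok-c3", "opened", 45, None),
    ("tok-c3", "clicked", 46, None),
    ("tok-d4", "delivered", 1, None), ("tok-d4", "reported", 8, None),
    ("tok-e5", "delivered", 2, None),
    ("tok-zz", "clicked", 5, None),   # unknown token: not one of our tracked messages
]

FUNNEL = ("delivered", "opened", "clicked", "submitted")

def ingest(recipients, raw_events):
    """Collapse raw events into per-recipient facts. The submitted payload is
    discarded here: only the fact (and time) of a submission is kept."""
    facts = defaultdict(dict)            # token -> {event: minutes of first occurrence}
    for token, event, minutes, _payload in raw_events:
        if token not in recipients:
            continue                     # ignore anything not tied to a real recipient
        facts[token].setdefault(event, minutes)   # first occurrence wins
    return facts

def campaign_metrics(recipients, raw_events):
    """Funnel counts plus the rates Step 7 says to track, as percent of recipients."""
    facts = ingest(recipients, raw_events)
    n = len(recipients)
    counts = {step: sum(1 for f in facts.values() if step in f) for step in FUNNEL}
    report_times = [f["reported"] for f in facts.values() if "reported" in f]
    return {
        **counts,
        "click_rate": round(100 * counts["clicked"] / n, 1),
        "submit_rate": round(100 * counts["submitted"] / n, 1),
        "report_rate": round(100 * len(report_times) / n, 1),
        "median_minutes_to_report": median(report_times) if report_times else None,
    }

if __name__ == "__main__":
    for key, value in campaign_metrics(RECIPIENTS, RAW_EVENTS).items():
        print(f"{key:>25}: {value}")
```

A recipient who both clicks and reports counts in both numbers, which is the behaviour you want to see: the report is what gets the security team a head start.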

How often should you run them?

Once is a snapshot. A program is what changes behavior. Quarterly is a fine way to start while you tune your lures, then move toward one campaign every four to six weeks. Frequent, low-drama tests normalize the habit far better than one big annual event.

Common mistakes to avoid

  • Punishing clickers. It kills participation and drives people to hide mistakes.
  • Using only easy or only impossible lures. Vary the difficulty.
  • Testing email only. You miss the fastest-growing channel.
  • Running once and stopping. Behavior change needs repetition.

Ready to run your first one?

phis3d is built for exactly this: upload a list, verify your domain, launch an email or SMS simulation in minutes, and watch who clicks in real time. No security team required. Sign up now and we will include a free baseline test for your team.
