
Phishing Simulations: Are They Actually Improving Your Security Posture?

Phishing simulations have become a standard fixture of corporate security awareness programmes. The logic is sound: if you regularly expose employees to realistic phishing scenarios and train them on what they clicked, they will get better at identifying real attacks. In practice, the results are more mixed than most programmes acknowledge.

Some organisations run simulations, look at click rates, and report on trends without examining whether the programme is achieving anything meaningful. The click rate goes down, which is good. But does that translate into different behaviour when a real attack arrives? That question is harder to answer, and most simulation programmes do not try.

What Simulations Do Well

Well-designed phishing simulations serve several useful purposes. They establish a baseline: you cannot improve what you cannot measure. They surface high-risk individuals and departments that need additional support. They create training moments that have more impact than abstract awareness content, because the lesson follows an actual mistake.

Simulations also help organisations understand whether their technical controls work alongside human judgement. If a simulation email bypasses your email gateway cleanly, that is worth knowing regardless of whether anyone clicks it.

Where Programmes Go Wrong

The most common problem is simulation realism. Templates that look nothing like real business email, scenarios that employees recognise as tests from a previous experience, or simulations that arrive at predictable intervals all teach employees to spot simulations, not to spot phishing.

Punitive approaches create the wrong culture. Employees who are named and shamed for clicking, or who face consequences for failing simulations, learn to avoid clicking anything, including legitimate emails, and to hide mistakes rather than report them. A blame-free reporting culture is more valuable than a low click rate.

Frequency matters. Annual phishing tests barely register. Monthly or quarterly simulations, varying in sophistication and pretext, produce meaningful behavioural data and reinforce learning over time.

The Relationship Between Simulations and Penetration Testing

Phishing simulations test employee awareness. Penetration testing tests whether your defences hold when someone actually tries to exploit a weakness. They measure different things, and most organisations need both.

The best penetration testing company for your environment will typically be able to include social engineering and phishing elements within a wider engagement. This is more rigorous than a standalone phishing simulation because the goal is to achieve actual access rather than to measure click rates.

The findings from a penetration test that includes social engineering give you different data: which pretexts succeeded, what access was gained as a result, and what the real-world impact would have been. That is more useful for risk quantification than a bare click percentage.

Making Simulations More Effective

Tailor scenarios to your sector and your organisation. A firm in financial services faces different pretexts than a healthcare provider or a manufacturer. Generic simulations produce generic results.

Combine simulations with targeted training rather than generic modules. When someone clicks a credential harvesting simulation, the training should address credential harvesting specifically, not phishing in general.

Measure outcomes beyond click rates. Reporting rates, time-to-report, and the quality of reports submitted are more useful indicators of a healthy security culture than any single click metric.
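Most simulation platforms export one row per recipient with delivery, click and report timestamps. The following is an added example, not code from the article or from any simulation vendor, showing how to turn such an export into the outcome measures described above: reporting rate, time to first report, median time-to-report, and the split between people who clicked and then reported versus people who clicked and stayed silent. The campaign data, user names and departments are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional


@dataclass
class RecipientEvent:
    """One row per recipient of a simulated phishing email."""
    user: str
    department: str
    delivered: datetime
    clicked: Optional[datetime]   # None if the user never clicked
    reported: Optional[datetime]  # None if the user never reported it


def _ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None


# Constructed sample campaign (not real data): six recipients, one campaign,
# all delivered at the same minute so the time-to-report arithmetic is easy to follow.
SAMPLE_EVENTS: List[RecipientEvent] = [
    RecipientEvent(u, d, _ts(dl), _ts(c), _ts(r))
    for u, d, dl, c, r in [
        ("a.ng",   "finance", "2024-03-04T09:00:00", None,                  "2024-03-04T09:12:00"),
        ("b.ola",  "finance", "2024-03-04T09:00:00", "2024-03-04T09:03:00", "2024-03-04T09:05:00"),
        ("c.ruiz", "ops",     "2024-03-04T09:00:00", "2024-03-04T09:40:00", None),
        ("d.kim",  "ops",     "2024-03-04T09:00:00", None,                  None),
        ("e.haas", "ops",     "2024-03-04T09:00:00", None,                  "2024-03-04T11:30:00"),
        ("f.sato", "hr",      "2024-03-04T09:00:00", "2024-03-04T09:20:00", None),
    ]
]


def _rates(events: List[RecipientEvent]) -> Dict:
    """Click and report rates for any slice of recipients (whole campaign or one department)."""
    n = len(events)
    clicked = [e for e in events if e.clicked]
    reported = [e for e in events if e.reported]
    return {
        "delivered": n,
        "click_rate": len(clicked) / n if n else 0.0,
        "report_rate": len(reported) / n if n else 0.0,
    }


def campaign_metrics(events: List[RecipientEvent]) -> Dict:
    """Summarise a campaign with outcome measures beyond the click rate."""
    reporters = [e for e in events if e.reported]
    clickers = [e for e in events if e.clicked]
    minutes = [(e.reported - e.delivered).total_seconds() / 60 for e in reporters]

    overall = _rates(events)
    overall.update({
        # How long the security team waited for the first signal. Operationally this
        # is the number that matters: one early report is enough to pull the mail.
        "minutes_to_first_report": min(minutes) if minutes else None,
        "median_minutes_to_report": median(minutes) if minutes else None,
        # Clicked, then self-reported: a mistake that was recovered from.
        "clicked_then_reported": sum(1 for e in clickers if e.reported),
        # Clicked and said nothing: the group a real attacker benefits from most,
        # and the one a punitive culture tends to enlarge.
        "silent_clickers": sorted(e.user for e in clickers if not e.reported),
    })

    by_dept: Dict[str, List[RecipientEvent]] = {}
    for e in events:
        by_dept.setdefault(e.department, []).append(e)
    return {
        "overall": overall,
        "by_department": {d: _rates(es) for d, es in sorted(by_dept.items())},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(campaign_metrics(SAMPLE_EVENTS), indent=2))
```

On the sample data the click rate and the report rate are both 50%, which shows why the click rate alone is a poor scorecard: half of the clickers reported nothing, while the first report arrived five minutes after delivery, early enough for a mail purge. Tracking the silent-clicker list and time to first report across campaigns says more about the reporting culture than the click trend does.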

If you want a comprehensive view of your human and technical risk surface, getting a penetration test quote that includes social engineering testing is a logical next step.
