As phishing simulations become a common method of testing employee vulnerability to phishing attacks, there are a variety of approaches and styles used to run these types of campaigns, which are often driven by different objectives from various stakeholders.

For example, the CFO may require them for cyber insurance, while the COO may require them for operational risk reduction.

Live phishing simulations, which rely on sending fake email messages to employees without warning, are often expected to yield simple metrics for determining employee vulnerability.

But regardless of the drivers, there are many variables involved when conducting phishing simulations that most executives and even IT Security staff don’t often appreciate.

This article identifies three key variables that must be considered when trying to create an optimal phishing awareness program.

Frequency, difficulty, impersonation

It’s been a “super-fantastic” experience to see people learning and talking about security threats.

For just $325 USD, you can run a 6 week, automated program for gamified phishing awareness training and challenges.  (Limited time offer. Normally valued at $999 USD)

Use Promo Code: 6WEEKS

These variables are frequency, difficulty and impersonation, and they are particularly difficult to control in a live email context.

Whether they are defined by explicit or implicit decisions, these variables will directly impact costs, risks and unexpected outcomes. For this reason, they need to be understood and carefully considered by management in order to get maximum value from these kinds of live tests.


The more frequently phishing simulations are run, the more likely it is that live phishing simulation messages will be “avoided” by employees. When employees learn to “spot the test” they recognize subject lines that are likely to be from live phishing tests. This means that their skills at analyzing email senders, links and body content are not being exercised.
Even worse, the “click rates” will decrease despite any improvement in employees’ actual ability to spot the real clues in a phishing message. This also results in employees reporting far more “false positives”, with legitimate emails being marked as being suspicious, which can hurt productivity.

I recommend conducting live phishing simulations no more than 4 times per year to avoid the problems caused by doing them too frequently.

If your organization requires simulations for employee awareness of phishing threats more than quarterly, then it will obtain more value by using live tests every 3 months, plus immersive, 3-minute virtual phishing simulations on a monthly basis, which each contain multiple email examples as exercises.


One of the most challenging aspects of running live phishing simulations is that each message used has subjective qualities that vary its level of difficulty for employees to detect as suspicious. Changing one word, or even one letter in the subject line, domain or body content can easily impact how many people will click on the link or report a message. For this reason, live phishing test metrics only provide a low degree of precision on the organization’s vulnerability.

Most executives want to use phishing simulations as a measure of employee vulnerability, so the difficulty level of each message needs to be kept as constant as possible from campaign to campaign. But IT Security staff’s perception of difficulty can be biased or inconsistent over time.

I recommend including between 3 and 5 clues in each message that employees can use to identify them as being suspicious.

When an organization wants to train and assess employees on more difficult phishing messages used by attackers, then immersive, virtual simulations provide more value by using positive indicators of completion and proficiency. In other words, you know which employees have been assessed, and their abilities on specific types of phishing threats without unexpected backlash or negative outcomes.


Virtually every phishing attack has an element of impersonation, as the attacker is trying to exploit the trust employees have in some person or entity that is sending them the message. The most common impersonations in phishing attacks involve either trusted internal employees or systems, or trusted external entities such as service providers.

Internally, phishing simulations may aim to impersonate an authority such as Payroll, Human Resources or the Service Desk. However, managers in these areas often have concerns about their team being impersonated in an operational environment, as it can impact their effectiveness in handling real work, and can damage their team’s reputation across the organization.

As a result, time and effort must be spent to ensure minimization of operational risks and plan an acceptable phishing scenario for each impersonation campaign.

For external impersonations, such as service providers or government authorities, there are also risks that involve abuse of trademarks. Law suits have refuted the claims of phishing awareness vendors that the use of well-known brands for live simulations are protected under “fair use” laws.

Unexpected employee reactions such as forwarding messages externally, contacting the impersonated brand, or posting on social media can cause unwarranted costs or damage to the brand’s image. It can even cause employees to be less likely to trust legitimate messages from that service, supplier or authority. The Government of Canada recently saw this with a simulation that impersonated a charity partner of a department.

Therefore, any external brands being impersonated in phishing simulations should require explicit permission from the brand before launching the campaign.

I recommend that live phishing simulations mostly involve only internal impersonations. Where it is feasible, external brands can be used occasionally, with their permission.

It is much easier to impersonate automated systems (even fictitious ones) in ways that effectively exercise employees’ skills without causing excessive effort or unexpected responses. Most often, the Service Desk will need to respond to these types of live simulation campaigns.

If an organization requires more extensive training and assessment on internal or external impersonations for employees, then it is more productive to use immersive, virtual phishing simulations. This allows for many more examples of potential brands and roles that may be impersonated in real phishing attacks.

Optimization of employee phishing simulations

When an organization is concerned about improving and tracking employees’ ability to spot phishing attacks, it should use an optimal mix of frequency, difficulty and impersonation in its live simulation campaigns.

You can almost always benefit from using more immersive, virtual phishing simulations to produce more effective learning, and more reliable and meaningful vulnerability metrics.

If you would like to learn more about how easy it is to deploy Optimized Phishing Simulations in a mix of live and virtual modes that minimizes unexpected costs and negative outcomes, contact Click Armor for a free trial or a Quick Start Optimized Phishing Simulation Bundle that includes one live simulation and one immersive, virtual simulation for up to 1,000 employees.


Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.