Mako Logics


Phishing simulation starter kit.

The components you need to stand up a phishing-simulation program that actually changes behavior — and avoids the mistakes that make the program a waste of everyone’s time.

Published April 21, 2026.

Phishing simulation is not a punishment tool. Programs run punitively produce two outcomes: staff who hide their clicks, and programs that get shut down within 6 months.

Why run this

More than 90% of ransomware and business-email-compromise incidents start with a phishing click. Training alone moves the needle modestly; training plus simulated phishing produces meaningful, measurable behavior change. Cyber-insurance carriers increasingly require evidence of a running program at renewal.

Scope and objectives

  • Program objective (stated clearly): reduce click rate and increase report rate over a 12-month horizon
  • Success metrics defined before launch — click rate baseline, report rate baseline
  • Audience: all employees (not just admins), with role-based training tracks
  • Frequency: minimum quarterly campaigns, monthly in regulated industries
  • Tool budget: per-seat monthly (KnowBe4, Proofpoint, Microsoft ATP Attack Simulator, and similar)

Pre-launch groundwork

  • Executive sponsor identified (ideally the CEO or Managing Partner — not IT)
  • HR briefed on the policy — remedial training, not discipline, for clickers
  • Simulation platform configured and allowlisted in the email security gateway so simulated messages are actually delivered
  • Announcement to employees BEFORE the first campaign (yes, tell them the program is running — the goal is behavior change, not traps)
  • Baseline campaign run before any training so you have a measurable starting point

Campaign cadence (first year)

Month 1 — Baseline

  • One generic phishing lure (package-delivery or Microsoft-login style)
  • No prior training
  • Record click rate and report rate

Month 2 — Foundational training

  • Short training module (15-20 min) covering the three most common lures
  • Everyone completes, tracked in the platform
  • No simulation this month

Months 3, 6, 9 — Quarterly campaigns

  • Rotate lure types: credential phishing, malicious attachment, CEO / vendor impersonation, QR-code
  • Staff who click get routed to remedial training immediately
  • Staff who report get a thank-you message
  • Quarterly metrics report to leadership

Month 12 — Capstone

  • Advanced campaign simulating a real targeted attack (spear-phishing with harvested context)
  • Year-end metrics vs. baseline
  • Program review and next-year plan

What to measure

  • Click rate (primary metric — down-trend expected)
  • Report rate (secondary — up-trend expected, arguably more important)
  • Time-to-report (how fast staff flag a suspicious message)
  • Repeat clickers (identify for targeted additional training)
  • Department / role breakouts (finance and executives usually need extra attention)
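As an added example, not part of the starter kit or of any simulation platform, the following Python computes the five metrics above from a constructed per-recipient export. The record layout (campaign, user, dept, clicked, report_min) is an assumption, not any vendor's format; a recipient who clicks and later reports counts in both rates.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample: one record per (campaign, recipient). Field names are assumptions.
# report_min = minutes from delivery until the user reported the message; None = never reported.
RESULTS = [
    {"campaign": "M1-baseline",   "user": "ana", "dept": "finance", "clicked": True,  "report_min": None},
    {"campaign": "M1-baseline",   "user": "bo",  "dept": "finance", "clicked": False, "report_min": 12},
    {"campaign": "M1-baseline",   "user": "cy",  "dept": "eng",     "clicked": False, "report_min": None},
    {"campaign": "M1-baseline",   "user": "di",  "dept": "eng",     "clicked": True,  "report_min": 40},
    {"campaign": "M3-credential", "user": "ana", "dept": "finance", "clicked": True,  "report_min": None},
    {"campaign": "M3-credential", "user": "bo",  "dept": "finance", "clicked": False, "report_min": 5},
    {"campaign": "M3-credential", "user": "cy",  "dept": "eng",     "clicked": False, "report_min": 9},
    {"campaign": "M3-credential", "user": "di",  "dept": "eng",     "clicked": False, "report_min": None},
]

def campaign_metrics(results, campaign):
    """Click rate, report rate and median time-to-report (minutes) for one campaign."""
    rows = [r for r in results if r["campaign"] == campaign]
    sent = len(rows)
    clicks = sum(r["clicked"] for r in rows)
    report_times = [r["report_min"] for r in rows if r["report_min"] is not None]
    return {
        "sent": sent,
        "click_rate": clicks / sent,
        "report_rate": len(report_times) / sent,
        "median_report_min": median(report_times) if report_times else None,
    }

def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks distinct campaigns (targets for extra training)."""
    clicked_in = defaultdict(set)
    for r in results:
        if r["clicked"]:
            clicked_in[r["user"]].add(r["campaign"])
    return sorted(u for u, camps in clicked_in.items() if len(camps) >= min_clicks)

def click_rate_by_dept(results, campaign):
    """Department breakout of click rate for one campaign."""
    sent, clicked = Counter(), Counter()
    for r in results:
        if r["campaign"] == campaign:
            sent[r["dept"]] += 1
            clicked[r["dept"]] += int(r["clicked"])
    return {d: clicked[d] / sent[d] for d in sent}

if __name__ == "__main__":
    for c in ("M1-baseline", "M3-credential"):
        print(c, campaign_metrics(RESULTS, c), click_rate_by_dept(RESULTS, c))
    print("repeat clickers:", repeat_clickers(RESULTS))
```

Comparing the baseline campaign against a later one shows the expected down-trend in click rate alongside a rising report rate and a shorter time-to-report.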

Common mistakes that sink programs

  • Running the program as "gotcha" — staff will hide clicks or report every email out of paranoia
  • Sending simulations only to the easy targets so click rate looks better than it is
  • Not following a click with training — the moment of the click is the teachable moment
  • Tying simulation results to performance reviews or bonuses — will kill the program in 6 months
  • Skipping the report-rate metric (many programs only track clicks — reporting is the actual defensive behavior you want)
  • Launching without executive sponsorship — first pushback ends it

Communicating results

  • Quarterly leadership report: click rate, report rate, department breakdown, remediation completions
  • Employee-facing: celebrate improvements, name no individuals for clicking
  • Year-over-year trend chart for your cyber-insurance questionnaire