July 2024

How to Run a World-Class Phishing Simulation in 6 Steps – and 5 Big Mistakes to Avoid

Benjamin Netter, CEO, Riot

“Yes, this will be included in the test.”

In the classroom, hearing these words means it’s time to listen up. The same rule applies to your cybersecurity awareness training – putting people to the test creates a stronger incentive to pay close attention to your tips and best practices for avoiding harmful scams.

That’s why phishing simulations are so effective at reducing your vulnerability to cyber attacks and keeping your team safe. But what makes a great simulation, and how can you get started?

Here, we share our six-step guide to running a world-class phishing simulation, along with five of the biggest mistakes to avoid when testing your team.

Let’s dive in by looking at a few basics.

What are phishing simulations, and why should you run them?

Phishing is the practice of fraudulently impersonating a person or company over email, text message, or other messaging platforms in order to induce a victim to reveal sensitive information, download malware, or transfer money.

These attacks remain one of the most persistent cyber threats. Industry estimates put the volume at around 3.4 billion phishing emails a day, and widely cited figures attribute as many as 91% of successful cyber attacks to an initial phishing attempt. Worse still, a breach that starts with phishing has been estimated to cost organizations an average of $4.91 million in disruption, lost revenue, and reputational damage.

But here’s the thing: Because mail filters now catch most phishing attempts, relatively few reach an inbox. That makes the ones that do get through exactly the ones your team must be able to recognize, and it makes it critical to teach people how to identify them and what to do in response.

That’s where phishing simulations come in.


By giving you the tools to mimic real attacks, a phishing simulation platform lets you evaluate your team’s vulnerability, familiarize them with the range of different scams out there, and reinforce crucial cybersecurity best practices – all in total safety.

But how can you craft a phishing simulation campaign that really boosts your team’s cybersecurity awareness? It’s all about six simple steps:

  1. Make a clear set of goals to guide your simulation
  2. Set your foundation with a simple phishing campaign
  3. Launch tailored campaigns for different audience segments
  4. Feed your results into an employee support action plan
  5. Offer post-simulation training people actually love
  6. Keep your team sharp with ‘always-on’ phishing simulations

“Enough with the steps, let’s phish!” Get started here in just minutes. 🎣

#1: Make a clear set of goals to guide your simulation

Before you start designing your phishing simulation, ask yourself: What are you hoping to achieve? Of course, every simulation reduces your exposure to cyber attacks – but being clear about your specific objectives can help you shape a campaign that tests your team the right way.

For example, if you’re currently rolling out awareness training, you might want to test how well people are applying what they’ve learned so far. Alternatively, you might be establishing a baseline vulnerability rate to help make a case to leadership for investing in the right training.

Here are a few other key questions to answer:

  • Audience: Who do you intend to target with your test campaign? Front-line staff, managers, senior leadership, or all of the above? Remember, scammers can target anyone within your organization, so selecting a broad audience is a good first step.
  • Desired outcome: Are you trying to increase your phishing reporting rates, or show which teams are most at risk? Are there specific weaknesses you’d like to test, such as vulnerability to malware? This will help guide your choice of templates and difficulty levels.
  • Hooks: Are there any social engineering techniques scammers might use to target you right now? For example, if you’re going through a public acquisition, fraudsters might tempt your team with a bogus list of roles to be restructured. You could mimic a campaign like this to show people the kinds of scams they might encounter.

These factors will help inform the design of your campaign and give you a framework for what a successful simulation looks like. With those details confirmed, it’s time to get started.

Learn more: A Culture of Cybersecurity Awareness Helps Manage Risk and Boost Your ROI – Here’s How

#2: Set your foundation with a simple phishing campaign

With your foundational goals confirmed, you can now launch your first phishing campaign. Ideally, you should start with something simple to give you a set of results to guide future campaigns, and to boost your team’s level of awareness around the threats they face.

In addition to confirming the details in step one (intended audience, desired outcome, choice of social engineering hook), consider the following elements:

  • Templates: A good phishing simulation platform offers a range of templates, from dummy Salesforce leads through to spoofed Gmail logins and even portals to vote on a new company logo. Which template will you use, and how will you customize it to tempt your team?
  • Timing: We recommend sending your first campaign to all recipients at the same time: everyone sees the email before anyone has had a chance to warn colleagues, so your baseline reflects individual judgement rather than word of mouth. For later campaigns, you can stagger sends across different times to catch people during moments of downtime.
  • Awareness training: How will your test campaign reinforce what people are already learning through your cybersecurity awareness training? Based on your course completion rates, are there any specific types of phishing you want to demonstrate in practice?

Once you’ve confirmed these details, you’re all set to go ahead with your first campaign!


With Riot, you can automate these steps and launch a great first campaign in just minutes. We make this happen with our wide range of phishing templates, and our ‘smart groups’ feature enabling easy audience segmentation and vulnerability assessment. Our phishing reporter button empowers learners to report test emails, creating a feedback loop with your awareness training.

#3: Launch tailored campaigns for different audience segments

With your first phishing campaign completed, you now have a set of baseline results and a deeper understanding of how your teams are applying cybersecurity best practices. You know who has a good level of awareness, and who might need some extra help.

But your work isn’t over. Now, you need to get even more creative – and even more sneaky.

Imagine the world’s cleverest scammer. How might they target your teams? Would they tempt marketing with a spoofed email about an influencer endorsement, or finance with a fake late invoice alert? Or would they choose a classic, like a bogus list of staff salary adjustments?

You can also target particular cohorts, for example, new arrivals with a fake onboarding portal, or recently promoted managers with a scam invitation to a leadership strategy meeting. You might also like to read up on recent cybersecurity news to get a sense of the most common threats.

Whatever you decide, you should give your learners a better sense of the phishing scams they might encounter in the real world, and strengthen their defenses against them.

Timing-wise, you can stagger these campaigns to be sent during moments of downtime for the individuals you’re targeting – especially if your teams work across different time zones. Once again, Riot’s phishing simulation platform makes this quick and easy to organize, with hundreds of tailored templates to choose from.
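The staggered, time-zone-aware scheduling described above, as an added worked example (this is illustration code written for this article, not Riot’s platform code). The recipient list, the segment names, the time zones and the one-hour “downtime” window are constructed assumptions; a real platform would read them from your directory and your campaign settings.

```python
"""Stagger simulated-phishing sends into each recipient's local downtime window.

Added illustration, not Riot's code. Recipients, zones and the window are
constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from zoneinfo import ZoneInfo
import random


@dataclass(frozen=True)
class Recipient:
    email: str     # hypothetical address
    tz: str        # IANA zone name, e.g. "Europe/Paris"
    segment: str   # audience segment the template is tailored to


# Constructed sample audience (hypothetical addresses and zones).
RECIPIENTS = [
    Recipient("a.finance@example.com", "Europe/Paris", "finance"),
    Recipient("b.finance@example.com", "America/New_York", "finance"),
    Recipient("c.marketing@example.com", "Asia/Tokyo", "marketing"),
    Recipient("d.new@example.com", "Europe/Paris", "new_hires"),
]

# Constructed campaign day (a Monday in July, so no DST transition is involved).
DEMO_DAY = date(2024, 7, 15)


def schedule_sends(recipients, campaign_day, window_start_hour=13,
                   window_end_hour=14, seed=0):
    """Return {email: send_time_utc}, each send at a random minute inside
    [window_start_hour, window_end_hour) in the recipient's LOCAL time.

    Random jitter inside the window means recipients in the same office do
    not all receive the mail at the same instant, which limits how much one
    alert colleague can spoil the test. The RNG is seeded so the plan is
    reproducible and can be reviewed before launch.
    """
    if not 0 <= window_start_hour < window_end_hour <= 24:
        raise ValueError("window must satisfy 0 <= start < end <= 24")
    rng = random.Random(seed)
    span_minutes = (window_end_hour - window_start_hour) * 60
    plan = {}
    for r in recipients:
        local_start = datetime(campaign_day.year, campaign_day.month,
                               campaign_day.day, window_start_hour,
                               tzinfo=ZoneInfo(r.tz))
        offset = timedelta(minutes=rng.randrange(span_minutes))
        # Store the instant in UTC: that is what a sending queue actually needs.
        plan[r.email] = (local_start + offset).astimezone(timezone.utc)
    return plan


def in_local_window(plan, recipients, start_hour, end_hour):
    """Sanity check: every scheduled UTC instant falls inside the recipient's
    local window. Run this before handing the plan to the mail sender."""
    by_email = {r.email: r for r in recipients}
    for email, when in plan.items():
        local = when.astimezone(ZoneInfo(by_email[email].tz))
        if not start_hour <= local.hour < end_hour:
            return False
    return True


if __name__ == "__main__":
    plan = schedule_sends(RECIPIENTS, DEMO_DAY)
    assert in_local_window(plan, RECIPIENTS, 13, 14)
    for email, when in sorted(plan.items(), key=lambda kv: kv[1]):
        print(f"{when.isoformat()}  ->  {email}")
```

Note that the plan is keyed on UTC instants: a Paris recipient’s 13:00 local slot and a New York recipient’s 13:00 local slot are six hours apart in UTC, which is the point of scheduling per zone rather than firing one batch for everyone.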

#4: Feed your results into an employee support action plan

Now that you’re running targeted phishing simulations, you can feed your results into an action plan for employee support. In other words, what happens next, and how do you plan to strengthen your defense against phishing attacks over time?

Be sure to set a baseline of vulnerability, then update this baseline to reflect the results of different campaigns. In particular, you should track a few key cybersecurity metrics:

  • The percentage of recipients clicking on links
  • The percentage of recipients opening attachments
  • The percentage of recipients submitting login credentials
  • The percentage of recipients reporting the email, the one number you want to see go up

These metrics should inform your wider cybersecurity strategy and your future awareness training. For example, if your teams are handing over login credentials, consider a password manager (it will not autofill a saved password on a look-alike domain) and phishing-resistant multi-factor authentication, which a stolen password alone cannot bypass.


And on the positive side, don’t forget to celebrate people who successfully identified the phishing emails. Positive reinforcement and recognition goes a long way towards building a great culture of cybersecurity awareness.
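Turning a campaign’s raw events into the metrics above, comparing them with the baseline, and naming the people to celebrate, as an added worked example (illustration code for this article, not Riot’s own reporting). The event log, the campaign names and the segment names are constructed for the example; a real platform exports something similar.

```python
"""Phishing-simulation metrics, baseline comparison and a per-segment support plan.

Added illustration, not Riot's code. The event log is constructed: each row is
(campaign, segment, recipient, action), and one recipient can produce several
actions in one campaign (e.g. clicked, then submitted credentials).
"""
from collections import defaultdict

EVENTS = [
    ("baseline", "finance",   "f1@example.com", "delivered"),
    ("baseline", "finance",   "f1@example.com", "clicked"),
    ("baseline", "finance",   "f1@example.com", "submitted"),
    ("baseline", "finance",   "f2@example.com", "delivered"),
    ("baseline", "finance",   "f2@example.com", "reported"),
    ("baseline", "marketing", "m1@example.com", "delivered"),
    ("baseline", "marketing", "m1@example.com", "opened_attachment"),
    ("baseline", "marketing", "m2@example.com", "delivered"),
    ("baseline", "marketing", "m2@example.com", "clicked"),
    ("q3",       "finance",   "f1@example.com", "delivered"),
    ("q3",       "finance",   "f1@example.com", "reported"),
    ("q3",       "finance",   "f2@example.com", "delivered"),
    ("q3",       "finance",   "f2@example.com", "reported"),
    ("q3",       "marketing", "m1@example.com", "delivered"),
    ("q3",       "marketing", "m1@example.com", "clicked"),
    ("q3",       "marketing", "m1@example.com", "submitted"),
    ("q3",       "marketing", "m2@example.com", "delivered"),
]

TRACKED = ("clicked", "opened_attachment", "submitted", "reported")
RISK = ("clicked", "opened_attachment", "submitted")   # failures, as opposed to reporting


def campaign_metrics(events):
    """Return {campaign: {segment: {action: rate}}}.

    Rates are per recipient, not per event: someone who clicks twice counts
    once, and the denominator is the number of distinct recipients the
    simulation was delivered to in that campaign and segment.
    """
    delivered = defaultdict(set)   # (campaign, segment) -> recipients
    acted = defaultdict(set)       # (campaign, segment, action) -> recipients
    for campaign, segment, email, action in events:
        if action == "delivered":
            delivered[(campaign, segment)].add(email)
        elif action in TRACKED:
            acted[(campaign, segment, action)].add(email)
    result = defaultdict(dict)
    for (campaign, segment), people in delivered.items():
        result[campaign][segment] = {
            a: len(acted[(campaign, segment, a)] & people) / len(people)
            for a in TRACKED
        }
    return dict(result)


def support_plan(metrics, baseline="baseline", latest=None):
    """Flag segments whose failure rates have not dropped below baseline and
    name the specific weakness, so follow-up training can target it."""
    if latest is None:
        latest = sorted(c for c in metrics if c != baseline)[-1]
    plan = {}
    for segment, now in metrics[latest].items():
        before = metrics[baseline].get(segment, {})
        worse = [a for a in RISK if now[a] > 0 and now[a] >= before.get(a, 0.0)]
        if worse:
            plan[segment] = {
                "retrain_on": worse,
                "reporting_improved": now["reported"] > before.get("reported", 0.0),
            }
    return plan


def reporters(events, campaign):
    """Recipients who reported the simulated email: the people to recognize."""
    return {email for c, _, email, action in events
            if c == campaign and action == "reported"}


if __name__ == "__main__":
    m = campaign_metrics(EVENTS)
    for campaign in m:
        for segment, rates in m[campaign].items():
            print(campaign, segment, {k: f"{v:.0%}" for k, v in rates.items()})
    print("support plan:", support_plan(m))
    print("celebrate:", sorted(reporters(EVENTS, "q3")))
```

With the constructed log, finance goes from one credential submission in the baseline to a 100% report rate in the follow-up, so it drops out of the plan, while marketing still clicks and now also submits credentials, so it is flagged for targeted retraining on exactly those two behaviours.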

#5: Offer post-simulation training people actually love

These days, most people don’t expect much from cybersecurity training – but you can always surprise them. That’s why you should follow up your tests with the kind of post-simulation cybersecurity training your team won’t just tolerate, but will actually love.

With the results from your initial tests, you can offer additional training on how to identify phishing attempts and respond safely. And remember, we’re all pressed for time these days – so delivering punchy and impactful phishing training is crucial. You want a training solution that can get the critical points across in just minutes with story-driven conversations.


Without this additional training, anyone who has failed a simulation won’t get the chance to improve. This can have a negative impact on team morale, and can even lead people to switch off whenever you mention cybersecurity. So, complete the cycle and help people improve.

If you’re ready to start offering the kind of cybersecurity training your team deserves, we’d love to chat.

#6: Keep your team sharp with ‘always-on’ phishing simulations

To finish up, let’s remember one unfortunate fact: Scammers are relentless. Right now, they’re working hard to find clever new ways to trick your team and get access to your sensitive data, login credentials, and money. That’s why you need to be just as relentless with your simulations.

Now that you’ve launched your first set of phishing simulations and turned your results into an action plan, it’s time to keep the ball rolling with ‘always-on’ phishing simulations.

By running continuous campaigns, you’ll boost your team’s capability to identify and manage phishing threats. You’ll also see your key metrics start to move in the right direction, with fewer people getting tricked over time thanks to their increased awareness.

Looking for more guidance on what makes a great simulation? Get our free checklist 🎣

Checklist: 5 Things All Great Phishing Simulations Get Right

5 common mistakes to avoid with your phishing simulation

Phishing simulations can be hard to get right, and there are plenty of factors you need to juggle to make your tests as impactful as possible.

So, now that we’ve covered what to do with your simulations, here’s what not to do:

  1. Don’t phish in a vacuum: Phishing simulations are an excellent way to reinforce awareness training – but if you run them without that training, you’re missing half of the puzzle. Give your team the training they need to respond safely to phishing attempts and other cyber attacks.
  2. Don’t let your simulations become predictable: Scammers vary their tactics constantly – and you should too. Keep people on their toes by running a mix of simulations at different times, using a range of social engineering hooks and templates.
  3. Don’t put team morale at risk: Simulations are important, but not important enough to risk causing anger or resentment. For example, if bonuses are a touchy subject, don’t use them as bait – especially if people have been under a lot of pressure lately. And don’t let people panic if they’ve failed a test – they should know right away that it wasn’t a real scam.
  4. Don’t exclude leadership: Leaders and managers hold the keys to some of your most valuable assets and information, making them top targets for phishing scams. Be sure to include them in your simulations – it’s also great for morale to see them getting phished, too.
  5. Don’t run simulations manually: No matter how many campaigns you run, your phishing simulations shouldn’t take you more than a few hours each week. You can save time and energy by investing in the right automation tool.

A great phishing simulation shouldn’t be hard to launch

So, you’ve read our six-step guide, and you’re ready to start crafting phishing simulations sneaky enough to trick your most security-conscious colleagues. Congrats!

With these steps, you have a blueprint for getting your first test up and running, iterating over time, and using your results to make a clear action plan for employee support. The most important step of all? Choosing a smart simulation platform that lets you phish with ease.

Sign up for a free simulation with Riot today, and you could be testing your team with world-class phishing simulations in just minutes.