Running phishing tests for businesses – best practices & tips

Published Sep 22, 2022 by Xiph

Nearly one-third of all cyber security breaches involve phishing or human error (or both) and it’s not hard to see why − businesses send and receive millions of emails each year, making phishing attacks hard to catch among a sea of electronic messages. Many employees don't even know what phishing is or how deceptive a seemingly innocent email can be.

Phishing tests for businesses

That’s where phishing tests come in, to assess your business’ susceptibility to social engineering attacks. This type of testing can make all the difference between employees clicking on a malicious attachment and leaking sensitive data, or having a potential cyber threat flagged and avoided without incident. We cover everything you need to know about phishing simulations below.

What’s a phishing test?

A phishing test − otherwise known as a phishing simulation – is an exercise that tests your business employees’ responses to real-world phishing scenarios and similar attacks. It involves sending your employees realistic but fake phishing emails or correspondence to monitor their reporting and click rate and thus measure their readiness to potential threats to your business. Phishing simulations help your employees and contractors better identify, understand, and respond to different types of phishing attacks and social engineering scams.

Additionally, because phishing tests are controlled, IT can build a baseline metric − often referred to as the phish-prone percentage or phish-prone rate – that measures click and response rates to the simulated malicious emails, links, and attachments to work out what percentage of your business was successfully ‘phished’ or avoided the trap. This information can then be used to improve your employees’ cyber awareness and to foster security cultures within organisations.

How does a phishing test work?

Enterprises and organisations use phishing tests to test their employees’ knowledge and handling of common cyber security threats using a real-world scenario – mainly a phishing attempt.

This works by sending a deceptive email or attachment to targeted users (usually employees and internal teams), to trick them into clicking an embedded link or opening a file in the email. Any user who clicks on the simulated link will then be directed to a landing page and be told they’ve failed a phishing test and may be required to undertake more cyber security training. Once tests are conducted, results will include the number of users who failed the test divided by the number of users who received the test, which will give you a phish-prone percentage.

Phishing simulations are typically handled by cyber security professionals or your business’ IT team, and should form part of your overall cyber security strategy to ensure your employees can detect and avoid phishing or social engineering threats. In fact, real-time phishing simulations double employee awareness retention rates, and provide a near 40% return on investment (ROI), compared to more traditional cyber security training tactics, according to a Ponemon Institute study.

How does a real phishing attack work?

Phishing is a type of social engineering attack that typically involves sending an email or using some type of official messaging (i.e. including messaging apps for businesses like Slack or Teams) that appears to come from a legitimate source, like a contractor, or external stakeholder. A phishing attack aims to trick the recipient(s) of the email or correspondence into handing over sensitive information or clicking a link that contains some type of malware.


Read more: Common types of malware & how to avoid them


How often should your business conduct a phishing test?

Businesses should conduct phishing tests at least monthly, if not bi-monthly; depending on the industry, organisation size, and the nature of their operations. Regular phishing tests will improve your employees’ security awareness and skills. Most phishing simulations can be automated to send messages periodically and mimic topical scams, and most can be tailored to even focus on specific departments or even individuals. Ideally, businesses should run phishing tests as needed to reduce their phish-prone percentage to below 2%.

10 best practices for conducting a successful phishing test

Below are some helpful tips to conduct a successful phishing testing campaign:

  1. Use the right phishing test tool for your organisation: Compare different phishing test tools on price, scope, and features including phishing templates, reporting plugins, user metrics, reporting, automation, etc. There are lots of phishing test tools out there − free and paid – including open-source and proprietary, simple-to-use, and highly advanced. Most phishing simulators are offered as software-as-a-service (SaaS).
  2. Plan your phishing campaign carefully: Before launching any phishing simulation campaign, clearly outline the aim, scope, and measurable outcomes of each phishing test, including which departments or staff will be targeted, which techniques and templates will be used, and which metrics will determine success or failure.
  3. Notify employees in advance: While this may seem counterintuitive, this will help you maintain trust with your workforce. Honesty is the best policy when running phishing campaigns. You don’t need to give them specifics, but tell them you’re conducting a phishing simulation exercise and make it clear to your teams that these campaigns are purely designed to educate them on the dangers of phishing attacks, not to punish or shame them. Employees and companies alike should find value in learning how to avoid phishing attacks.
  4. Phish at all levels of the business: Test from the top down. Managers and CEOs may be on the highest rung of the ladder, but it doesn’t make them immune to cyber attacks. That’s why you should phish at all levels of the business, from people at the front desk to executives and everyone in between. This will give you a truer indication of your organisation’s susceptibility to phishing attacks and help your employees be more receptive to these types of campaigns if they know everyone is being tested.
  5. Don’t phish everyone at the same time: Teaching employees how to spot a phishing attack can be tricky, especially if people are talking to each other and sharing information. Be sure to segment your phishing simulation to a subset and run them at different intervals.
  6. Use real-life and sophisticated scenarios: A phishing campaign should accurately simulate tactics and techniques used by real attackers. This could involve simple scenarios like emails claiming an invoice hasn’t been paid, or ‘password expired’ messages directing users to a login page, to more sophisticated scenarios like downloading an attachment to see the CEO’s latest fireside chat or being asked to approve leave for someone in your own team.
  7. Conduct phishing tests regularly: Run periodic phishing campaigns and vary your phishing approach each time to test your employees’ readiness for different phishing scams and techniques. The aim is to get your employees to treat all new emails and communications with caution, especially if they include links and attachments.
  8. Measure performance: You should at the very least measure your organisation’s reporting rate and click rate for a basic indication of success/failure. This will reveal how many people have engaged with the training, and how many have passed and failed the test.
  9. Offer adequate security awareness training: Once testing is complete, it’s important to provide phishing awareness training to refresh all teams on how to spot and report suspected phishing attempts, how to protect themselves and the company from data breaches, etc.
  10. Strike the right balance between effectiveness and disruption: Phishing simulations can dramatically reduce your business cyber risk but should be conducted with minimal disruptions to teams, internal procedures, and day-to-day workflow.

What to do after a phishing test

You’ve gone phishing and now what? It’s time to see who fell for the hook, line, and sinker. This is otherwise known as the failure rate or phish-prone percentage, which tells you how many of your employees performed an unsafe action during a phishing testing campaign.

Common key metrics measured after a phishing simulation campaign include:

  • Email open rates
  • Link click-through rates (CTR)
  • How many employees leaked sensitive information (i.e. provided a username/password combination)
  • How many employees reported the phishing email (reporting rate)

This information will help you determine the percentage of people in your organisation that are susceptible to phishing attacks. It’s important to keep track of these metrics over time as you run more phishing simulation campaigns to show trends and monitor progress from test to test.

Final word

Simulating advanced phishing attacks within an organisation is an important way to test employees’ cyber security readiness and reflexes. We can help you with a strategy that complements your company’s structure, goals, and budget. Contact us via email: enquiries@xiphcyber.com.


Posted in: Security