What’s the impact of internal phishing simulations?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You send a fake phishing email to your whole team. Nobody knows it's a test. Then you watch how many people click the link, enter credentials, or download the attachment. That number is your baseline, and it's usually uncomfortable to look at.
Industry benchmarks put click rates on a first simulation somewhere between 25% and 40% for untrained organizations. That sounds alarming, but that's kind of the point. The baseline isn't a verdict on your team. It's a starting number to improve from. Without it, you're guessing at your real exposure.
The metrics that matter most in a simulation report are the click rate (how many people clicked the phishing link), the submission rate (how many actually entered data), and the report rate (how many flagged the email as suspicious before clicking). That last one is the real win condition. You want your report rate going up over time, not just your click rate going down.
For leadership conversations, frame the baseline as a risk quantification exercise, not a blame exercise. "We found that 30% of staff would have handed over credentials to a convincing impersonation email" lands differently than "one third of our people failed a test." The first framing opens a budget conversation. The second one demoralizes people.
What happens if the results are really bad? First, don't name names publicly or call out teams by department. That creates resentment and makes people less likely to report genuine threats later. Instead, follow up with immediate, short training content for everyone who clicked. Keep it non-punitive. The goal is awareness, not performance reviews.
Over time, run simulations quarterly or at least twice a year. Track the shift in behaviour after each training cycle. A well-run program should see click rates drop to under 5% within a year. Report rates climbing above 70% is genuinely good. Those are the numbers that mean your team is actually developing instincts, not just getting better at spotting one test format.
Still one thing to watch for is phish fatigue, where employees start clicking carelessly precisely because simulations happen too often or feel like a gotcha game. The cultural goal is a team that's alert, not a team that's paranoid.
Not sure how to interpret your own simulation results or pitch this internally? Our SOS line is free and we're happy to talk it through with you.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.