What’s the impact of internal phishing simulations?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You send a fake phishing email to your whole team. Nobody knows it's a test. Then you watch how many people click the link, enter credentials, or download the attachment. That number is your baseline, and it's usually uncomfortable to look at.

Industry benchmarks put click rates on a first simulation somewhere between 25% and 40% for untrained organizations. That sounds alarming, but that's kind of the point. The baseline isn't a verdict on your team. It's a starting number to improve from. Without it, you're guessing at your real exposure.

The metrics that matter most in a simulation report are the click rate (how many people clicked the phishing link), the submission rate (how many actually entered data), and the report rate (how many flagged the email as suspicious before clicking). That last one is the real win condition. You want your report rate going up over time, not just your click rate going down.

For leadership conversations, frame the baseline as a risk quantification exercise, not a blame exercise. "We found that 30% of staff would have handed over credentials to a convincing impersonation email" lands differently than "one third of our people failed a test." The first framing opens a budget conversation. The second one demoralizes people.

What happens if the results are really bad? First, don't name names publicly or call out teams by department. That creates resentment and makes people less likely to report genuine threats later. Instead, follow up with immediate, short training content for everyone who clicked. Keep it non-punitive. The goal is awareness, not performance reviews.

Over time, run simulations quarterly or at least twice a year. Track the shift in behaviour after each training cycle. A well-run program should see click rates drop to under 5% within a year. Report rates climbing above 70% is genuinely good. Those are the numbers that mean your team is actually developing instincts, not just getting better at spotting one test format.

Still one thing to watch for is phish fatigue, where employees start clicking carelessly precisely because simulations happen too often or feel like a gotcha game. The cultural goal is a team that's alert, not a team that's paranoid.

Not sure how to interpret your own simulation results or pitch this internally? Our SOS line is free and we're happy to talk it through with you.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a simulation plan tailored to your org

We're planning to run phishing simulations at organization name. Based on our situation, can you help with the following? Please rank each by priority for our context. 1. What baseline metrics should we expect before any training (click rate, submission rate, report rate) and what benchmarks are realistic for industry or team size? 2. How should we structure the post-simulation follow-up so it builds awareness rather than resentment? 3. What talking points and numbers will make the strongest case to leadership for ongoing investment? 4. How do we balance simulation frequency to avoid phish fatigue while keeping staff genuinely alert? Our current situation: [describe your team size, whether you've run simulations before, and any relevant context about your security culture]

Edit the yellow boxes, then send to the AI of your choice.