Almost every organization that launches an awareness program starts the same way: send a phishing simulation, count how many people clicked and save the number. A month later they repeat the exercise, compare the two percentages and declare that the program “is working” or that “people don’t learn”. In most cases it’s neither. What usually fails isn’t the people, it’s the campaign design.
The Verizon DBIR 2026 shows that phishing has stopped concentrating in email: attackers have shifted to mobile, where click rates on text messages and calls run higher. The human factor is still at the center, only now spread across more channels. Training that response is exactly what a simulation is for, but only if it’s built to change behavior and not to produce a percentage. Let’s look at what separates a campaign that moves the needle from one that only generates a report.
What is a phishing simulation?
A phishing simulation is a controlled send that reproduces a social engineering attack (by email, SMS, QR code or voice) in order to measure and train how people respond to that attack, without exposing them to real risk. It works as a rehearsal, not as a trap to “catch” whoever slips up, and its value lies in what is learned afterward, not in the result of the first attempt.
From that definition comes the criterion that orders everything else. A good campaign is the one that produces a measurable, sustained change in behavior, not the one that lowers the click rate once. If a design decision doesn’t contribute to that change, it’s surplus.
Why isn’t the click rate enough to design the campaign?
The click rate is easy to measure and that’s why it dominates reports. The problem is that it says very little. An organization can lower its click percentage simply by repeating the same template until everyone recognizes it, without anyone having learned to spot a new attack.
What’s worth watching is something else: how many people report the suspicious email, how long it takes for the first report to arrive and how the same group evolves over the months. There’s a longer analysis on what an awareness program should really measure, but the core idea is simple: the simulation is designed backward, starting from the behavior you want to see, not from the number you want to lower.
How close to a real attack does the scenario need to be?
A simulation only trains if it resembles something that could arrive tomorrow. If people always see a generic template with the logo of a bank they don’t use, they learn to recognize that template and nothing else. When the scenario doesn’t resemble what the organization actually receives, what’s learned stays in the simulation and never reaches the real inbox. That’s why realism is a campaign’s first design decision.
Designing realism means three concrete decisions:
- Localization by context, not by language. A notice from an Argentine tax authority does not train a Spanish company, even if both are in Spanish. The lure has to belong to the real environment of whoever receives it.
- Current vectors. Today’s attacks combine channels: email, SMS (smishing), QR codes (quishing) and voice (vishing). A campaign that only simulates email trains for half the problem.
- Progressive difficulty. Start with obvious lures and raise the level as the group matures. Starting with the most sophisticated email possible only generates frustration and reinforces the idea that “it’s impossible to tell”.
There’s an operational detail that conditions everything above: if simulations need IT to add exceptions to the mail filter, the messages arrive “marked as safe” and the response is distorted. It’s worth understanding why delivering the simulation without requesting a whitelist changes the quality of the data, and how false positives from sandboxes and scanners can contaminate the metrics if the tool doesn’t filter them out.
How often should you send simulations?
Frequency is where most programs run off the rails, through too much or too little. A single campaign a year is a surprise exam: it measures, but it doesn’t teach. A campaign a week saturates, and saturation produces the opposite of the intended effect, because people stop paying attention to what becomes routine.
The reasonable balance for most organizations is a regular, spaced cadence, sustained over time, adjusted to each group’s level of maturity. We develop it in detail in how long phishing campaigns last, but the principle is that learning lives in spaced repetition, not in the one-off event or the barrage.
What happens at the moment of the click?
This is where it’s decided whether a campaign teaches or merely grades. When a person clicks on a simulation, they’re at the moment of maximum attention: they know something happened and they want to understand what. Wasting that moment with a screen that says “you got it wrong” is throwing away the best learning opportunity in the whole program.
A campaign designed to change behavior triggers a learning moment at that instant: brief, immediate content with no punitive tone that shows what clues were in the email and how to recognize them next time. It works because learning sets in when the mistake is fresh, not weeks later in a scheduled training session. It’s the same logic behind how nudges and learning moments shape behavior: intervene at the right moment, with the right dose.
How do you sustain a blame-free culture?
No campaign changes behavior if people experience it as a hunt. If falling for a simulation translates into public exposure or a sanction, people learn to hide the mistake instead of reporting it, and a hidden incident is far more expensive than one reported in time. The goal is to build a reporting reflex, and that reflex only grows in an environment where reporting (even after having clicked) is easy, safe and recognized. The less friction the gesture has, the better: a report button built into the inbox itself turns the alert into a single click and gives the person immediate feedback.
That’s why the most valuable metric of a mature campaign isn’t how many people fall, but how many people report and how fast. An organization where the first report arrives in two minutes has a real window of defense; one where nobody reports has a silent risk.
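The metrics this article recommends over the raw click rate (report rate, time to first report, and how the same people evolve across campaigns) can be computed from the simulation’s own event log. The following is an added example, not code from the article or from any vendor’s platform; the event format, user names, timestamps and outcome labels are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    campaign: str
    user: str
    kind: str        # "sent", "click" or "report" (assumed event vocabulary)
    at: datetime

def _ev(c, u, k, t0, minutes):
    return Event(c, u, k, t0 + timedelta(minutes=minutes))

# Constructed sample data: two campaigns a month apart, sent to four hypothetical users.
T1, T2 = datetime(2024, 3, 4, 9, 0), datetime(2024, 4, 8, 9, 0)
EVENTS = [
    *[_ev("c1", u, "sent", T1, 0) for u in ("ana", "ben", "cai", "dia")],
    _ev("c1", "ben", "report", T1, 2), _ev("c1", "ana", "click", T1, 3),
    _ev("c1", "ana", "report", T1, 5), _ev("c1", "cai", "click", T1, 10),
    *[_ev("c2", u, "sent", T2, 0) for u in ("ana", "ben", "cai", "dia")],
    _ev("c2", "ana", "report", T2, 1), _ev("c2", "dia", "report", T2, 2),
    _ev("c2", "ben", "report", T2, 3), _ev("c2", "cai", "click", T2, 4),
]

def campaign_metrics(events, campaign):
    """Click rate, report rate, clickers who still reported, and minutes to first report."""
    ev = [e for e in events if e.campaign == campaign]
    sent = {e.user for e in ev if e.kind == "sent"}
    clicked = {e.user for e in ev if e.kind == "click"}
    reported = {e.user for e in ev if e.kind == "report"}
    send_time = min(e.at for e in ev if e.kind == "sent")
    first_report = min((e.at for e in ev if e.kind == "report"), default=None)
    return {
        "click_rate": len(clicked) / len(sent),
        "report_rate": len(reported) / len(sent),
        "clicked_and_reported": len(clicked & reported),   # reporting after a click still counts
        "minutes_to_first_report": None if first_report is None
                                   else (first_report - send_time).total_seconds() / 60,
    }

def user_trend(events, user):
    """Longitudinal view of one user: outcome per campaign, in chronological order."""
    outcome = {}
    for e in sorted(events, key=lambda x: x.at):
        if e.user != user:
            continue
        prev = outcome.setdefault(e.campaign, "no_action")
        if e.kind == "click":
            outcome[e.campaign] = "clicked_and_reported" if "reported" in prev else "clicked"
        elif e.kind == "report":
            outcome[e.campaign] = "clicked_and_reported" if "clicked" in prev else "reported"
    return outcome
```

In the constructed data the click rate only halves between campaigns, while the report rate rises and the first report arrives faster, which is the signal the article says to watch.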
How does SMARTFENSE solve it?
SMARTFENSE is an awareness platform present in more than 30 countries across LATAM and Spain, and its phishing attack simulation tool is built on these principles. The template catalog is localized per country and refreshed against the real campaigns observed in the region; it covers all four vectors (email, smishing, quishing and vishing); it integrates by API with Microsoft 365 and Google Workspace to deliver simulations into the inbox without requiring a whitelist; and, at the moment of the click, it triggers a learning moment that reinforces learning when attention is high. The metrics don’t stop at the click rate: they include report rate, time to first report and a longitudinal per-user view, fed by a report button that logs every alert in the audit trail and reinforces the habit with instant feedback.
A well-designed phishing simulation isn’t the one that catches the most people. It’s the one that gets a person, next time, faced with a real email, to pause one second before clicking. That second is the whole program. If you want to see how a campaign like this is designed end to end, a SMARTFENSE demo is a good place to start.