{"id":41899,"date":"2026-06-10T07:24:52","date_gmt":"2026-06-10T05:24:52","guid":{"rendered":"https:\/\/smartfense.com\/?p=41899"},"modified":"2026-06-10T07:24:57","modified_gmt":"2026-06-10T05:24:57","slug":"phishing-simulation-campaign-that-changes-behavior","status":"publish","type":"post","link":"https:\/\/smartfense.com\/en\/blog\/phishing-simulation-campaign-that-changes-behavior\/","title":{"rendered":"Phishing simulation: how to design a campaign that changes behavior"},"content":{"rendered":"

Almost every organization that launches an awareness program starts the same way: send a phishing simulation, count how many people clicked and save the number. A month later they repeat the exercise, compare the two percentages and declare that the program \u201cis working\u201d or that \u201cpeople don\u2019t learn\u201d. In most cases it\u2019s neither. What usually fails isn\u2019t the people, it\u2019s the campaign design.<\/p>\n

The Verizon DBIR 2026<\/a> shows that phishing has stopped concentrating in email: attackers have shifted to mobile, where click rates on text messages and calls run higher. The human factor is still at the center, only now spread across more channels. Training that response is exactly what a simulation is for, but only if it\u2019s built to change behavior and not to produce a percentage. Let\u2019s look at what separates a campaign that moves the needle from one that only generates a report.<\/p>\n

What is a phishing simulation?<\/h2>\n

A phishing simulation<\/strong> is a controlled send that reproduces a social engineering attack (by email, SMS, QR code or voice) in order to measure and train how people respond to that attack, without exposing them to real risk. It works as a rehearsal, not as a trap to \u201ccatch\u201d whoever slips up, and its value lies in what is learned afterward, not in the result of the first attempt.<\/p>\n

From that definition comes the criterion that orders everything else. A good campaign is the one that produces a measurable, sustained change in behavior<\/strong>, not the one that lowers the click rate once. If a design decision doesn\u2019t contribute to that change, it\u2019s surplus.<\/p>\n

Why isn\u2019t the click rate enough to design the campaign?<\/h2>\n

The click rate is easy to measure and that\u2019s why it dominates reports. The problem is that it says very little. An organization can lower its click percentage simply by repeating the same template until everyone recognizes it, without anyone having learned to spot a new attack.<\/p>\n

What\u2019s worth watching is something else: how many people report<\/strong> the suspicious email, how long it takes for the first report to arrive and how the same group evolves over the months. There\u2019s a longer analysis on what an awareness program should really measure<\/a>, but the core idea is simple: the simulation is designed backward, starting from the behavior you want to see, not from the number you want to lower.<\/p>\n

How close to a real attack does the scenario need to be?<\/h2>\n

A simulation only trains if it resembles something that could arrive tomorrow. If people always see a generic template with the logo of a bank they don\u2019t use, they learn to recognize that template and nothing else. When the scenario doesn\u2019t resemble what the organization actually receives, what\u2019s learned stays in the simulation and never reaches the real inbox. That\u2019s why realism is a campaign\u2019s first design decision.<\/p>\n

Designing realism means three concrete decisions:<\/p>\n