Phishing Simulation Best Practices for SMBs in 2025
How to run effective phishing tests without shaming employees — a practical guide for organisations with 10–500 people.
Why most phishing simulations fail
The standard playbook goes: send a fake phishing email, wait for someone to click, then hit them with a “gotcha” message. Security teams celebrate low click rates as success. HR sends reminders. Nothing changes.
Research consistently shows this approach does not work. A 2022 paper in the Journal of Cybersecurity found that employees who received surprise phishing tests with immediate negative consequences reported higher anxiety and lower security reporting behaviour over time.
The five principles of effective phishing simulations
1. Make it educational, not punitive
When someone clicks a simulated phishing link, the most important next step is what happens in the next minute. A well-designed feedback overlay — explaining what they should have noticed and what to do next time — is worth more than another blanket reminder email.
2. Start with realistic but not cruel scenarios
Your first simulation should be something a reasonable person might genuinely click. Difficulty should increase as employees improve, not spike immediately for shock value.
3. Segment your employees
Finance teams see different threats than customer support teams. Running the same simulation for everyone wastes the opportunity to teach the right lesson to the right person.
4. Measure what matters
- Report rate — did employees report the suspicious email before or after clicking?
- Improvement over time — is click rate falling per employee, not just across the whole org?
- Bot-filtered click rate — automated email security clicks should not be treated as human failures.
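The three metrics above can be computed from the raw event log of a campaign. The following is an added example, not Phishy's own code or reporting logic: it takes a constructed set of delivery/click/report events for three employees across two monthly campaigns and derives the report rate (split into reported before versus after a human click), the bot-filtered click rate and a per-employee trend. The rule used to separate automated clicks from human ones (a click within seconds of delivery, or from a user agent containing a hypothetical scanner marker) is an assumption made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class SimEvent:
    """One simulated phishing email delivered to one employee."""
    employee: str
    campaign: str                       # campaign label, e.g. "2025-03"
    delivered_at: datetime
    clicked_at: Optional[datetime] = None
    reported_at: Optional[datetime] = None
    user_agent: str = ""                # user agent recorded on the click, if any


# Heuristic for automated clicks (an assumption for this example, not a product
# rule): a click landing within seconds of delivery, or from a user agent that
# identifies itself as a link scanner, is attributed to email security tooling.
AUTOMATED_CLICK_WINDOW = timedelta(seconds=10)
SCANNER_UA_MARKERS = ("linkscanner", "urlcheck")   # hypothetical marker strings


def is_automated_click(ev: SimEvent) -> bool:
    if ev.clicked_at is None:
        return False
    if ev.clicked_at - ev.delivered_at <= AUTOMATED_CLICK_WINDOW:
        return True
    ua = ev.user_agent.lower()
    return any(marker in ua for marker in SCANNER_UA_MARKERS)


def human_click_time(ev: SimEvent) -> Optional[datetime]:
    """Click timestamp attributable to the employee, or None."""
    return None if is_automated_click(ev) else ev.clicked_at


def campaign_metrics(events: List[SimEvent], campaign: str) -> Dict[str, float]:
    """Raw and bot-filtered click rates plus report rate for one campaign."""
    sent = [e for e in events if e.campaign == campaign]
    n = len(sent)
    if n == 0:
        raise ValueError(f"no events for campaign {campaign!r}")
    raw_clicks = sum(1 for e in sent if e.clicked_at is not None)
    human_clicks = sum(1 for e in sent if human_click_time(e) is not None)
    reported = [e for e in sent if e.reported_at is not None]
    # "Reported before clicking" covers employees who never clicked as a human
    # as well as those who reported ahead of their human click.
    before = sum(
        1 for e in reported
        if human_click_time(e) is None or e.reported_at < human_click_time(e)
    )
    return {
        "sent": n,
        "raw_clicks": raw_clicks,
        "human_clicks": human_clicks,
        "raw_click_rate": raw_clicks / n,
        "human_click_rate": human_clicks / n,
        "report_rate": len(reported) / n,
        "reported_before_click": before,
        "reported_after_click": len(reported) - before,
    }


def per_employee_trend(events: List[SimEvent]) -> Dict[str, dict]:
    """Human clicks per campaign for each employee, oldest campaign first,
    and whether the latest campaign improved on the first one."""
    counts: Dict[str, Dict[str, int]] = {}
    for e in events:
        per_campaign = counts.setdefault(e.employee, {})
        per_campaign[e.campaign] = per_campaign.get(e.campaign, 0) + (
            1 if human_click_time(e) is not None else 0
        )
    trend = {}
    for emp, per_campaign in counts.items():
        series = [per_campaign[c] for c in sorted(per_campaign)]
        trend[emp] = {
            "clicks_by_campaign": series,
            "improving": len(series) > 1 and series[-1] < series[0],
        }
    return trend


def _t(day: str, hhmm: str) -> datetime:
    return datetime.fromisoformat(f"{day}T{hhmm}:00")


# Constructed sample data (three employees, two monthly campaigns), not real results.
SAMPLE_EVENTS = [
    SimEvent("alice", "2025-03", _t("2025-03-10", "09:00"),
             clicked_at=_t("2025-03-10", "09:00") + timedelta(seconds=3),
             reported_at=_t("2025-03-10", "09:30"),
             user_agent="Mozilla/5.0 (compatible; ExampleLinkScanner/1.0)"),
    SimEvent("bob", "2025-03", _t("2025-03-10", "09:00"),
             clicked_at=_t("2025-03-10", "09:45"), reported_at=_t("2025-03-10", "10:00"),
             user_agent="Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"),
    SimEvent("carol", "2025-03", _t("2025-03-10", "09:00")),
    SimEvent("alice", "2025-04", _t("2025-04-14", "09:00"), reported_at=_t("2025-04-14", "09:10")),
    SimEvent("bob", "2025-04", _t("2025-04-14", "09:00"), reported_at=_t("2025-04-14", "09:20")),
    SimEvent("carol", "2025-04", _t("2025-04-14", "09:00"),
             clicked_at=_t("2025-04-14", "11:00"),
             user_agent="Mozilla/5.0 (Macintosh) Safari/17.0"),
]

if __name__ == "__main__":
    for c in ("2025-03", "2025-04"):
        print(c, campaign_metrics(SAMPLE_EVENTS, c))
    print(per_employee_trend(SAMPLE_EVENTS))
```

Run as a script, the sample shows why the org-wide number is not enough: the bot-filtered click rate is one in three in both months, yet the per-employee view reveals that one person stopped clicking while another started, and that the raw click rate for the first month would have double-counted a scanner click as a human failure.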
5. Tie simulations to training
A phishing simulation without a training path is just surveillance. Employees who click should be automatically enrolled in a relevant micro-training module — not as punishment, but as context.
Frequency
For most SMBs, monthly simulations across the full employee base are the right cadence — enough to keep awareness active without desensitising people. High-risk roles can receive more frequent tests.
Getting started with Phishy
Phishy is built around these principles. You can launch your first phishing simulation quickly, keep the experience calm, and preserve the reporting trail needed for customers and compliance reviewers.
Try Phishy free for 14 days
No credit card. Full product access. Launch your first simulation today.