Date: April 28, 2026
Author: Karan Patel, CEO

Security awareness training alone is not enough. Employees need to be tested under realistic conditions, because attackers are not going to give your team a heads-up before sending a credential-harvesting email. Phishing simulations close that gap by putting your people in front of convincing, controlled attacks and measuring exactly how they respond.

This guide covers the full lifecycle: how phishing simulations work technically, which metrics actually matter, and how to operationalize a program inside your organization without burning trust or creating legal exposure.

What Is a Phishing Simulation and Why Does It Matter

A phishing simulation is a controlled, authorized attack in which your security team (or a trusted third party) sends realistic-looking phishing emails to employees to test their susceptibility. The goal is not to embarrass anyone. It is to identify training gaps, measure behavioral risk, and track improvement over time.

The business case is straightforward. Industry breach reports consistently find that the majority of successful intrusions involve a human element, and phishing remains one of the dominant initial access vectors. A phishing simulation gives you empirical data about your human attack surface, which is something a firewall report never will.

If you want to understand where your organization's real risk lives before an adversary finds it first, explore what a managed phishing simulation program from Redfox Cybersecurity can do for your team.

How Phishing Simulations Work Technically

The Infrastructure Behind a Realistic Campaign

A convincing phishing simulation requires the same infrastructure a real attacker would use. Cutting corners here produces false results: employees who would fall for a real attack may recognize an obvious simulation, skewing your data.

Core infrastructure components:

  • A dedicated sending domain that is aged and warmed up to pass spam filters
  • Valid SPF, DKIM, and DMARC records configured correctly on that domain
  • A phishing server or landing page to capture credentials or clicks
  • A tracker (pixel or redirect) to record open and click events
  • Optional: a callback mechanism to log macro execution or attachment opens

A common open-source stack for internal red team phishing operations uses GoPhish as the campaign manager, combined with a cloud-hosted SMTP relay and a custom landing page cloned from the target's real login portal.

Setting Up GoPhish for an Internal Simulation

Below is a minimal GoPhish configuration walkthrough, assuming you are running on a Linux VPS.

Install and configure GoPhish:

wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip
chmod +x gophish
./gophish


After launch, the admin panel is available at https://127.0.0.1:3333. GoPhish generates a random password for the admin user on first start and prints it to the console log; change it immediately. The admin listener is bound to localhost by default; leave it that way and reach it over an SSH tunnel rather than exposing it to the internet, since it holds your target lists and captured results.

Configure a sending profile with SMTP relay (this is the JSON shape the GoPhish sending-profile API, POST /api/smtp/, expects):

{
  "name": "SimulationRelay",
  "interface_type": "SMTP",
  "host": "smtp.yourmailrelay.com:587",
  "from_address": "IT Support <it-support@yoursimulationdomain.com>",
  "username": "smtp_user",
  "password": "smtp_password",
  "ignore_cert_errors": false,
  "headers": []
}

There is no separate TLS switch: GoPhish negotiates STARTTLS with the relay when the relay offers it on 587, and uses implicit TLS on 465. Keep ignore_cert_errors at false so a relay impersonator cannot harvest your SMTP credentials.


Domain configuration for deliverability (DNS records):

; SPF
yoursimulationdomain.com. IN TXT "v=spf1 include:yourmailrelay.com ~all"

; DKIM (example selector)
mail._domainkey.yoursimulationdomain.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhki..."

; DMARC
_dmarc.yoursimulationdomain.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@yoursimulationdomain.com"


Without these records, most receivers will junk or reject your simulation emails before they reach the inbox, which defeats the purpose of the exercise. Confirm all three with dig TXT (SPF on the apex, DKIM on the selector name, DMARC on _dmarc) before you launch; a second SPF record or an empty DKIM p= tag is an easy mistake that fails silently.
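The checks above are easy to script. The following is an added example, not code from the original article or from GoPhish: it audits the SPF, DKIM and DMARC TXT records for a simulation domain and returns findings for the common misconfigurations (missing or duplicate SPF, missing relay include, a permissive "+all", a revoked DKIM key, a DMARC record with no reporting address, too many SPF lookups). The records below are constructed sample values; to audit a live domain, resolve the TXT names with a DNS library of your choice and pass the answers in the same dict shape.

```python
# Constructed sample TXT records for the simulation domain (illustrative values,
# not records published by the article).
SAMPLE_TXT_RECORDS = {
    "yoursimulationdomain.com": [
        "v=spf1 include:yourmailrelay.com ~all",
    ],
    "mail._domainkey.yoursimulationdomain.com": [
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA",
    ],
    "_dmarc.yoursimulationdomain.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc@yoursimulationdomain.com",
    ],
}

# SPF mechanisms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")


def parse_tag_value(record):
    """Parse a 'k=v; k=v' record (DKIM, DMARC) into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _spf_lookups(terms):
    count = 0
    for term in terms:
        name = term.lstrip("+-~?").split(":")[0].split("/")[0]
        if name in LOOKUP_MECHANISMS or term.startswith("redirect="):
            count += 1
    return count


def audit_mail_auth(domain, txt_records, relay_include, selector="mail"):
    """Return a list of findings; an empty list means the three records look sane."""
    findings = []

    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record published")
    elif len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records (receivers treat this as permerror)")
    else:
        terms = spf[0].split()
        if f"include:{relay_include}" not in terms:
            findings.append(f"SPF: relay include:{relay_include} is missing")
        if "+all" in terms or terms[-1] == "all":
            findings.append("SPF: '+all' authorises any sender; use ~all or -all")
        if _spf_lookups(terms) > 10:
            findings.append("SPF: more than 10 DNS lookups, evaluation will permerror")

    dkim_name = f"{selector}._domainkey.{domain}"
    dkim = txt_records.get(dkim_name, [])
    if not dkim:
        findings.append(f"DKIM: no record at {dkim_name}")
    else:
        tags = parse_tag_value(dkim[0])
        if tags.get("v", "DKIM1").upper() != "DKIM1":
            findings.append("DKIM: v= tag is not DKIM1")
        if not tags.get("p"):
            findings.append("DKIM: empty p= tag means a revoked key; signatures will fail")

    dmarc = txt_records.get(f"_dmarc.{domain}", [])
    if not dmarc:
        findings.append("DMARC: no _dmarc record")
    else:
        tags = parse_tag_value(dmarc[0])
        if tags.get("v") != "DMARC1":
            findings.append("DMARC: record must begin with v=DMARC1")
        if tags.get("p") not in ("none", "quarantine", "reject"):
            findings.append("DMARC: p= must be none, quarantine or reject")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so you get no aggregate reports")
    return findings


if __name__ == "__main__":
    problems = audit_mail_auth("yoursimulationdomain.com", SAMPLE_TXT_RECORDS, "yourmailrelay.com")
    for finding in problems:
        print("WARN", finding)
    print("audit complete:", "clean" if not problems else f"{len(problems)} finding(s)")
```

Run it once against the records you believe you published and once against what the public resolvers actually return; a mismatch usually means a stale record at the registrar or a typo in the selector name.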

Crafting a Realistic Phishing Email Template

Template quality determines whether your simulation reflects real-world risk. A poorly written simulation email trains employees to spot simulation emails, not real ones.

A high-fidelity template for an IT helpdesk credential harvest:

Subject: Action Required: Your Password Expires in 24 Hours

From: IT Support <it-support@yoursimulationdomain.com>

---

Dear {{.FirstName}},

Our systems indicate that your corporate password will expire within
the next 24 hours. To avoid losing access to internal systems,
please update your credentials using the secure portal below.

<a href="{{.URL}}">Update My Password Now</a>

If you have questions, contact the IT helpdesk at ext. 1200.

IT Support Team
[Your Company Name] Information Security


The {{.FirstName}} and {{.URL}} tokens are GoPhish template variables; {{.LastName}}, {{.Email}} and {{.Position}} are also available, and {{.Tracker}} inserts the open-tracking pixel if you do not use the "Add Tracking Image" option. {{.URL}} is unique per recipient (it carries the result ID), which is how clicks are attributed to individuals. Personalization increases click rates significantly, which is exactly what a real attacker would exploit.

Landing Page and Credential Capture

Your landing page should mirror the legitimate portal as closely as possible. You can clone a login page using tools like HTTrack or wget with recursive options:

wget --mirror --convert-links --adjust-extension --page-requisites \
    --no-parent https://login.yourtargetportal.com -P ./cloned-site


In GoPhish, import the cloned page as a landing page, tick "Capture Submitted Data", and set "Redirect to" to your educational page so that anyone who submits the form is immediately told what just happened. Leave "Capture Passwords" unticked: you only need to know that a submission occurred, and GoPhish stores whatever it captures in plaintext in its database. Check that the cloned form posts back to the GoPhish landing page rather than to the real portal (wget preserves the original action attribute); otherwise submissions go to the production login and are never recorded. Captured data stays on the simulation server, is never used, and is purged when the campaign closes.

Building Your Target List and Scope

Defining Scope Without Creating Legal Risk

Before launching any simulation, you need written authorization. This is non-negotiable. Your authorization document should specify:

  • The sending domains that will be used
  • The date range of the campaign
  • The employee groups in scope
  • Who on the IT and legal side has approved the exercise
  • Whether executives are in scope (they often need separate approval)

If you are running simulations against a client organization, a rules of engagement (ROE) document signed by an authorized representative is required before any email leaves your server. The team at Redfox Cybersecurity builds ROE documentation into every engagement as a standard step.

Segmenting Employee Groups

Do not run one flat simulation against your entire organization. Segment by:

  • Department (finance, HR, and IT often have different risk profiles)
  • Seniority level (executives are targeted differently by real attackers)
  • Previous simulation performance (repeat clickers need different interventions)
  • Remote vs. on-site status (affects email behavior patterns)

Running segmented campaigns lets you compare risk by group and tailor training accordingly. It also makes your metrics far more actionable.

What to Measure in a Phishing Simulation

The Core Metrics That Actually Reflect Risk

Not all phishing simulation metrics are equally useful. Here are the ones that matter for risk quantification:

  • Phish-prone percentage (PPP): The percentage of employees who clicked the link or submitted credentials. This is your headline number. Industry benchmarks suggest organizations without a training program average a PPP in the 30 to 35 percent range. After consistent training and simulation, mature programs get this below 5 percent.
  • Credential submission rate: Of the employees who clicked, what percentage went further and submitted credentials? Clicking a link and submitting a password represent very different levels of risk.
  • Report rate: What percentage of employees reported the phishing email to the security team or help desk? A rising report rate is one of the most positive indicators of a maturing security culture.
  • Time to click: How quickly after delivery did the first clicks occur? Fast click times suggest low suspicion and high reflexive behavior, both of which are high-risk signals.
  • Repeat clickers: Which employees have clicked across multiple campaigns? These individuals need direct intervention, not just another email.
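The five metrics above can be computed directly from the results and timeline that GoPhish returns for a campaign. The block below is an added example, not code from the original article or from GoPhish: it works from constructed sample data in the shape of the /api/campaigns/{id}/results response (a results list plus a timeline) for two campaigns and derives the phish-prone percentage, the credential submission rate among clickers, the report rate, per-recipient time to first click, a per-segment PPP, and the repeat clickers across campaigns. It assumes you fill the Position column of the GoPhish group CSV with the department, which is how the per-segment breakdown is keyed.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample data (illustrative, not real campaign results), shaped like
# GoPhish's /api/campaigns/{id}/results response: "results" plus "timeline".
CAMPAIGNS = {
    "Q1 password expiry": {
        "results": [
            {"email": "a@corp.example", "position": "Finance", "status": "Submitted Data", "reported": False},
            {"email": "b@corp.example", "position": "Finance", "status": "Clicked Link", "reported": False},
            {"email": "c@corp.example", "position": "Engineering", "status": "Email Opened", "reported": True},
            {"email": "d@corp.example", "position": "Engineering", "status": "Email Sent", "reported": False},
        ],
        "timeline": [
            {"email": "a@corp.example", "time": "2025-04-14T09:00:05Z", "message": "Email Sent"},
            {"email": "b@corp.example", "time": "2025-04-14T09:00:06Z", "message": "Email Sent"},
            {"email": "c@corp.example", "time": "2025-04-14T09:00:07Z", "message": "Email Sent"},
            {"email": "d@corp.example", "time": "2025-04-14T09:00:08Z", "message": "Email Sent"},
            {"email": "a@corp.example", "time": "2025-04-14T09:02:05Z", "message": "Clicked Link"},
            {"email": "a@corp.example", "time": "2025-04-14T09:03:00Z", "message": "Submitted Data"},
            {"email": "b@corp.example", "time": "2025-04-14T10:00:06Z", "message": "Clicked Link"},
        ],
    },
    "Q2 M365 login": {
        "results": [
            {"email": "a@corp.example", "position": "Finance", "status": "Clicked Link", "reported": False},
            {"email": "b@corp.example", "position": "Finance", "status": "Email Opened", "reported": True},
            {"email": "c@corp.example", "position": "Engineering", "status": "Email Sent", "reported": True},
            {"email": "d@corp.example", "position": "Engineering", "status": "Email Sent", "reported": False},
        ],
        "timeline": [
            {"email": "a@corp.example", "time": "2025-06-02T08:30:00Z", "message": "Email Sent"},
            {"email": "a@corp.example", "time": "2025-06-02T08:45:00Z", "message": "Clicked Link"},
        ],
    },
}

# "status" is the furthest state a recipient reached, so submitters count as clickers.
CLICKED = ("Clicked Link", "Submitted Data")


def _ts(value):
    # GoPhish timestamps are RFC 3339 UTC; fromisoformat wants +00:00 rather than Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def campaign_metrics(campaign):
    """Headline metrics for one campaign, rates expressed as fractions."""
    results, timeline = campaign["results"], campaign["timeline"]
    total = len(results)
    clickers = {r["email"] for r in results if r["status"] in CLICKED}
    submitters = {r["email"] for r in results if r["status"] == "Submitted Data"}
    reporters = {r["email"] for r in results if r["reported"]}  # a flag, not a status
    # Time to click is measured per recipient from their own "Email Sent" event to
    # their first "Clicked Link", so staggered sending does not distort it.
    sent, first_click = {}, {}
    for ev in sorted(timeline, key=lambda e: e["time"]):
        if ev["message"] == "Email Sent":
            sent[ev["email"]] = _ts(ev["time"])
        elif ev["message"] == "Clicked Link" and ev["email"] not in first_click:
            first_click[ev["email"]] = _ts(ev["time"])
    minutes = [(first_click[e] - sent[e]).total_seconds() / 60 for e in first_click if e in sent]
    return {
        "total": total,
        "ppp": len(clickers) / total,
        "submit_rate_of_clickers": len(submitters) / len(clickers) if clickers else 0.0,
        "report_rate": len(reporters) / total,
        "fastest_click_min": min(minutes) if minutes else None,
        "median_click_min": median(minutes) if minutes else None,
        "clickers": clickers,
    }


def ppp_by_group(campaign, key="position"):
    """Phish-prone percentage per segment, e.g. per department."""
    totals, clicks = Counter(), Counter()
    for r in campaign["results"]:
        totals[r[key]] += 1
        clicks[r[key]] += int(r["status"] in CLICKED)
    return {group: clicks[group] / totals[group] for group in totals}


def repeat_clickers(campaigns, min_campaigns=2):
    """Recipients who clicked in at least min_campaigns distinct campaigns."""
    hits = Counter()
    for campaign in campaigns.values():
        hits.update(campaign_metrics(campaign)["clickers"])
    return sorted(email for email, n in hits.items() if n >= min_campaigns)


if __name__ == "__main__":
    for name, campaign in CAMPAIGNS.items():
        m = campaign_metrics(campaign)
        print(f"{name}: PPP {m['ppp']:.1%}, submitted {m['submit_rate_of_clickers']:.1%} of clickers, "
              f"reported {m['report_rate']:.1%}, fastest click {m['fastest_click_min']} min")
        print("  by group:", {g: f"{v:.0%}" for g, v in ppp_by_group(campaign).items()})
    print("repeat clickers:", repeat_clickers(CAMPAIGNS))
```

Two design points carry over to production data: report rate comes from the per-result reported flag rather than a status value, because reporting does not overwrite a recipient's status, and the click-time calculation keys off each recipient's own send event, which matters once you throttle sending over hours.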

Tracking Metrics in GoPhish

GoPhish provides a built-in results dashboard, but for programmatic tracking you can pull campaign data via the API:

import requests

API_KEY = "your_gophish_api_key"
BASE_URL = "https://127.0.0.1:3333/api"
# Path to the admin server's certificate (self-signed by default). Pin it here
# rather than passing verify=False, which would let anyone on the path read the API key.
CA_BUNDLE = "gophish_admin.crt"

headers = {"Authorization": f"Bearer {API_KEY}"}

# Pull results for a specific campaign
campaign_id = 12
response = requests.get(
    f"{BASE_URL}/campaigns/{campaign_id}/results",
    headers=headers,
    verify=CA_BUNDLE,
    timeout=30,
)
response.raise_for_status()
results = response.json()["results"]

# "status" holds only the furthest state each recipient reached, so a recipient
# who submitted data no longer shows "Clicked Link": count submitters as clickers.
clicked = [r for r in results if r["status"] in ("Clicked Link", "Submitted Data")]
submitted = [r for r in results if r["status"] == "Submitted Data"]
# Reporting does not change the status; it sets a separate boolean on the result.
reported = [r for r in results if r.get("reported")]

total = len(results)
if total == 0:
    raise SystemExit("Campaign has no results yet")

def pct(count):
    return f"{count / total * 100:.1f}%"

print(f"Total targeted: {total}")
print(f"Clicked: {len(clicked)} ({pct(len(clicked))})")
print(f"Submitted credentials: {len(submitted)} ({pct(len(submitted))})")
print(f"Reported: {len(reported)} ({pct(len(reported))})")


This output feeds directly into your risk reporting dashboards or SIEM integrations.

Benchmarking Your Results

Raw numbers mean little without context. Compare your results against:

  • Your own historical data across previous simulation cycles
  • Industry-specific benchmarks for your sector
  • The specific template difficulty (a highly targeted spear phish should produce higher click rates than a generic blast)

Template difficulty should be tracked alongside PPP. A 20 percent click rate on a generic, obvious simulation is worse than a 25 percent click rate on a highly convincing spear phish. Weight your results accordingly.

Running a Phishing Simulation Program: Operational Steps

Step 1: Get Buy-In and Define Objectives

A phishing simulation program without executive buy-in will stall at the first controversy. When an executive gets caught clicking, there will be pushback unless leadership has agreed to the program's purpose and scope from the start.

Define clear objectives before launch:

  • Are you trying to establish a baseline?
  • Are you validating the effectiveness of recent training?
  • Are you testing a specific threat scenario, such as a vendor impersonation attack?

Step 2: Choose Your Simulation Templates by Difficulty

Run a range of difficulty levels across your program cycles. A good framework:

Low difficulty (establish baseline): Generic IT alerts, password expiry notices, generic HR announcements. No personalization.

Medium difficulty: Branded templates mimicking internal systems or commonly used SaaS tools like Microsoft 365 or Slack. Includes the recipient's first name.

High difficulty: Spear phishing using OSINT gathered from LinkedIn, company websites, or email signatures. May reference real internal projects, managers by name, or recent company events.

High-difficulty simulations are where the most valuable data lives. If you want this level of realism built into your program, the adversary simulation services at Redfox Cybersecurity are designed exactly for this.

Step 3: Run the Campaign and Monitor in Real Time

Once launched, monitor delivery rates, click rates, and report rates as they accumulate. Watch for:

  • Emails bouncing due to DNS configuration issues
  • Simulation emails being flagged by your own SEG (secure email gateway), which requires allowlisting the simulation IP and domain ahead of time
  • Employees forwarding the email to colleagues, which can contaminate your sample

To allowlist your GoPhish server in Microsoft Defender for Office 365, use the "Advanced delivery" policy for third-party phishing simulations, which takes the sending domain, the sending IP ranges, and the simulation URLs and is the method Microsoft now recommends for M365 tenants; the older route of adding the sending IP to the anti-spam policy's IP Allow List only addresses spam verdicts. Whichever you use, send a test message to your own mailbox and confirm from the message headers that filtering was skipped before you launch. Also watch for automated URL scanners (Safe Links, sandboxes, mail-security link crawlers) fetching your landing page: they register as clicks and inflate your PPP, so exclude the scanner IP ranges and non-browser user agents from the click counts before you report.

Step 4: Deliver Immediate Teachable Moment Training

The most effective phishing simulations redirect clickers to an immediate educational page rather than leaving them confused. This in-the-moment feedback loop produces measurably better behavior change than training delivered days later.

Your teachable moment page should cover:

  • What just happened and why it was a simulation
  • The specific indicators they missed (sender domain, urgency language, generic greeting)
  • What to do if they receive a real suspicious email
  • A link to a short (under five minute) training module

Step 5: Report Results and Drive Training Remediation

Post-campaign reporting should go to both security leadership and HR or department managers, structured so that individual results are protected but group-level data is visible.

A clean executive summary format:

Campaign: Q2 2025 Password Expiry Simulation
Date Range: April 14 to April 18, 2025
Total Employees Targeted: 420
Phish-Prone Percentage: 18.3%
Credential Submission Rate: 9.5%
Report Rate: 11.2%
Repeat Clickers (2+ campaigns): 14 employees

Recommended Actions:
- Enroll all clickers in mandatory 30-minute phishing awareness module
- Schedule direct 1:1 sessions for the 14 repeat clickers
- Run a follow-up simulation in 60 days targeting the same groups


Advanced Techniques for High-Maturity Programs

Vishing and Smishing Simulations

Once your email simulation program is mature, extend it to voice phishing (vishing) and SMS phishing (smishing). Real attackers use all three channels, often in combination.

For smishing simulations, tools like SMSsim or commercial platforms allow you to send controlled SMS messages and track responses. For vishing, a red team operator calling employees posing as IT support produces data that email simulations cannot: how employees respond under real-time social pressure.

Integrating Simulation Data with Your SIEM

Feeding simulation results into your SIEM lets you correlate behavioral risk data with other security signals. An employee who clicks phishing simulations repeatedly, has weak endpoint posture, and accesses sensitive data is a compound risk that no single tool surfaces on its own.

A basic webhook integration to forward GoPhish events to a Splunk HTTP Event Collector:

import hashlib
import hmac
import json

import requests
from flask import Flask, abort, request

app = Flask(__name__)

SPLUNK_HEC_URL = "https://splunk.yourcompany.com:8088/services/collector"
SPLUNK_TOKEN = "your_hec_token"
# Secret configured on the GoPhish webhook. GoPhish signs each request body with
# HMAC-SHA256 over this secret and sends it as "X-Gophish-Signature: sha256=<hex>".
WEBHOOK_SECRET = b"your_webhook_secret"


def signature_valid(body, header):
    """Check the GoPhish webhook signature in constant time."""
    if not header or not header.startswith("sha256="):
        return False
    expected = hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(header[len("sha256="):], expected)


@app.route("/gophish/webhook", methods=["POST"])
def receive_event():
    body = request.get_data()
    # Reject unsigned or tampered events; without this check anyone who finds the
    # endpoint can inject fake "Submitted Data" records into your SIEM.
    if not signature_valid(body, request.headers.get("X-Gophish-Signature")):
        abort(401)
    data = json.loads(body)  # keys: campaign_id, email, message, details
    payload = {
        "sourcetype": "phishing_simulation",
        "event": data
    }
    resp = requests.post(
        SPLUNK_HEC_URL,
        headers={"Authorization": f"Splunk {SPLUNK_TOKEN}"},
        data=json.dumps(payload),
        timeout=10,  # TLS verification stays on (the default) so the HEC certificate is checked
    )
    resp.raise_for_status()
    return "OK", 200


if __name__ == "__main__":
    app.run(port=5000)


This pattern lets you build SIEM dashboards that track PPP trends over time, flag repeat clickers automatically, and correlate simulation events with real alert data.

Common Mistakes That Undermine Phishing Simulation Programs

Running Simulations Without a Training Program Behind Them

Testing employees without giving them the tools to improve is a compliance exercise, not a security program. Every simulation must be backed by accessible, relevant training content. Otherwise you are measuring failure and doing nothing about it.

Using Overly Obvious Templates

If employees can recognize your simulation emails on sight, you are measuring their ability to spot your simulations, not real attacks. Rotate templates, use varied senders, and include high-difficulty spear phish scenarios regularly.

Ignoring the Report Rate

Security teams that celebrate a low click rate but ignore a near-zero report rate are missing half the picture. Employees who do not click but also do not report suspicious emails are leaving real attacks invisible to your SOC. Build reporting behavior as aggressively as you build resistance to clicking.

Punishing Employees Who Click

Nothing destroys a phishing simulation program faster than using it as a disciplinary tool. When employees fear punishment, they stop reporting real incidents too. Frame the program around improvement, not blame.

Final Thoughts

A phishing simulation program is one of the highest-ROI investments in your security stack, but only if it is run with the right infrastructure, realistic templates, proper metrics, and a genuine commitment to behavioral improvement. The technical setup is achievable with open-source tools. The harder part is operationalizing it consistently across your organization, keeping templates fresh, and translating click rates into meaningful training outcomes.

If you are looking to build or mature a phishing simulation program with professional-grade campaigns, spear phishing scenarios, and integrated reporting, Redfox Cybersecurity can design and run the full program alongside your team.
