How to Run Phishing Simulations That Improve Behaviour Without Blame
Phishing simulations can be one of the quickest ways to tighten up your security culture — or one of the fastest ways to annoy your staff if you get the tone wrong.

The goal isn’t to “catch people out”. It’s to help people spot risky messages in the real world, pause for 5 seconds, and make a safer choice. Done well, simulations build confidence, reduce repeat mistakes, and give you useful insight into where your controls and processes need backing up.

That matters because phishing remains the most commonly identified type of cyber attack facing UK organisations. The UK Government’s Cyber Security Breaches Survey 2025 puts the average cost of the most disruptive breach or attack at £1,600 for businesses (rising to £3,550 once you exclude the ones that reported no cost at all).

So here’s how you run simulations that improve behaviour — without blame, eye-rolling, or naming-and-shaming.

Start with the culture you want (not the “gotcha” you can run)

Before you send a single test email, decide what you’re trying to change.

Good targets are practical and behaviour-based, like:

  • “More people report suspicious emails instead of deleting them”
  • “Fewer people enter passwords after clicking a link”
  • “People feel comfortable asking, ‘Is this legit?’”
  • “Managers don’t pressure staff into risky shortcuts”

If your internal IT is stretched, tying this into a broader support plan helps. A lot of businesses bundle awareness and security improvements into ongoing IT Support and Management so it doesn’t become a one-off project that fades after 2 weeks.

Set rules that feel fair

People support what feels fair. Your simulation rules should be clear, consistent, and written down.

A solid “fair play” approach usually includes:

  • No public call-outs (ever)
  • No “trick” scenarios that rely on humiliation (e.g., fake HR redundancy emails)
  • No targeting people on sick leave, parental leave, or new starters in week 1
  • No spoofing internal addresses in a way that breaks trust (unless you’ve agreed this upfront). Note that sending “from” your own domain via an external simulation platform usually means allow-listing its sending IPs past your SPF/DKIM/DMARC and spam filtering, and that standing exception is itself something to scope tightly and remove when the campaign ends
  • A clear point: “This is training, not discipline”

If you’ve got compliance requirements or you’re tightening up overall controls, pair simulations with real protection too — like stronger filtering, endpoint controls, and monitoring through Security Services.

Pick scenarios based on what actually hits UK inboxes

Your templates should reflect real risks your teams see:

  • Microsoft 365 password reset prompts
  • Shared document links (SharePoint/OneDrive)
  • Supplier invoice changes
  • Delivery notifications (for office managers and reception)
  • “Urgent” requests that try to override process (CEO fraud)

A simple trick: take the top 5 “reported suspicious emails” from the last quarter and build simulations that look like them (without copying real sender details).

For a quick refresher you can share internally, Northern Star’s guide on how to spot a phishing email is a useful baseline.

Make reporting the win (not clicking the fail)

If you only measure clicks, you’ll build a culture of hiding mistakes.

Instead, design your simulation so the “best outcome” is reporting:

  • Add a big “Report suspicious” button in your email client (where possible; in Microsoft 365 that’s the Report Message / Report Phishing add-in for Outlook)
  • Reward reporting speed and accuracy
  • Treat reporting as a positive habit you’re building

Your metrics should reflect that shift, for example:

  • Reporting rate (share of recipients who reported the lure, overall and by department)
  • Time-to-report (median time from delivery to the report, because the first report is what lets you pull the real thing from other inboxes)
  • Repeat click rate (people who click in more than one campaign, tracked as a rate, not a list of names)
  • Risky action rate (clicked and then entered a password)
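
As an added worked example (this is not code from the original article or from any simulation platform), the script below computes those four metrics from a constructed event log. The event schema (campaign, user, department, action, timestamp) and the sample data are assumptions for illustration; most platforms export something similar as CSV. Note that repeat clicking is returned as a rate only, so the output stays blameless.

```python
"""Blameless phishing-simulation metrics from a campaign event log."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (not real data). One row per action:
# (campaign, user, department, action, ISO timestamp).
# Actions: sent, clicked, submitted (entered a password), reported.
EVENTS = [
    ("c1", "alice", "finance", "sent",      "2025-01-13T09:00:00"),
    ("c1", "alice", "finance", "reported",  "2025-01-13T09:04:00"),
    ("c1", "bob",   "finance", "sent",      "2025-01-13T09:00:00"),
    ("c1", "bob",   "finance", "clicked",   "2025-01-13T09:10:00"),
    ("c1", "bob",   "finance", "submitted", "2025-01-13T09:11:00"),
    ("c1", "carol", "hr",      "sent",      "2025-01-13T09:00:00"),
    ("c1", "carol", "hr",      "clicked",   "2025-01-13T09:02:00"),
    ("c1", "carol", "hr",      "reported",  "2025-01-13T09:03:00"),  # clicked, then reported
    ("c1", "dave",  "hr",      "sent",      "2025-01-13T09:00:00"),  # quietly deleted it
    ("c1", "erin",  "ops",     "sent",      "2025-01-13T09:00:00"),
    ("c1", "erin",  "ops",     "reported",  "2025-01-13T09:30:00"),
    ("c1", "frank", "ops",     "sent",      "2025-01-13T09:00:00"),
    ("c1", "frank", "ops",     "clicked",   "2025-01-13T09:05:00"),
    ("c2", "alice", "finance", "sent",      "2025-02-24T10:00:00"),
    ("c2", "alice", "finance", "reported",  "2025-02-24T10:02:00"),
    ("c2", "bob",   "finance", "sent",      "2025-02-24T10:00:00"),
    ("c2", "bob",   "finance", "clicked",   "2025-02-24T10:20:00"),
    ("c2", "carol", "hr",      "sent",      "2025-02-24T10:00:00"),
    ("c2", "carol", "hr",      "reported",  "2025-02-24T10:05:00"),
    ("c2", "dave",  "hr",      "sent",      "2025-02-24T10:00:00"),
    ("c2", "dave",  "hr",      "clicked",   "2025-02-24T10:15:00"),
    ("c2", "dave",  "hr",      "submitted", "2025-02-24T10:16:00"),
    ("c2", "erin",  "ops",     "sent",      "2025-02-24T10:00:00"),
    ("c2", "erin",  "ops",     "reported",  "2025-02-24T10:10:00"),
    ("c2", "frank", "ops",     "sent",      "2025-02-24T10:00:00"),
    ("c2", "frank", "ops",     "reported",  "2025-02-24T10:12:00"),  # clicked last time, reports now
]


def _first_actions(events):
    """Group events as {(campaign, user): {action: earliest timestamp}} plus a user->department map."""
    first = defaultdict(dict)
    dept = {}
    for campaign, user, department, action, ts in events:
        when = datetime.fromisoformat(ts)
        key = (campaign, user)
        if action not in first[key] or when < first[key][action]:
            first[key][action] = when
        dept[user] = department
    return first, dept


def campaign_metrics(events):
    """Per-campaign reporting rate, click rate, risky-action rate and median minutes to report."""
    first, _ = _first_actions(events)
    totals = defaultdict(lambda: {"sent": 0, "reported": 0, "clicked": 0, "submitted": 0, "minutes": []})
    for (campaign, _user), actions in first.items():
        if "sent" not in actions:
            continue  # ignore stray events for anyone who never received the lure
        t = totals[campaign]
        t["sent"] += 1
        for action in ("reported", "clicked", "submitted"):
            t[action] += action in actions
        if "reported" in actions:
            t["minutes"].append((actions["reported"] - actions["sent"]).total_seconds() / 60)
    return {
        campaign: {
            "sent": t["sent"],
            "reporting_rate": t["reported"] / t["sent"],
            "click_rate": t["clicked"] / t["sent"],
            "risky_action_rate": t["submitted"] / t["sent"],
            "median_minutes_to_report": median(t["minutes"]) if t["minutes"] else None,
        }
        for campaign, t in totals.items()
    }


def repeat_click_rate(events):
    """Share of users who received at least two campaigns and clicked in at least two of them."""
    first, _ = _first_actions(events)
    received, clicked = defaultdict(int), defaultdict(int)
    for (_campaign, user), actions in first.items():
        if "sent" in actions:
            received[user] += 1
            clicked[user] += "clicked" in actions
    eligible = [u for u, n in received.items() if n >= 2]
    if not eligible:
        return 0.0
    # Return the rate only; never surface the names on a dashboard.
    return sum(1 for u in eligible if clicked[u] >= 2) / len(eligible)


def reporting_rate_by_department(events):
    """Reports divided by lures delivered, per department, across all campaigns."""
    first, dept = _first_actions(events)
    sent, reported = defaultdict(int), defaultdict(int)
    for (_campaign, user), actions in first.items():
        if "sent" in actions:
            sent[dept[user]] += 1
            reported[dept[user]] += "reported" in actions
    return {d: reported[d] / sent[d] for d in sent}


if __name__ == "__main__":
    for campaign, m in campaign_metrics(EVENTS).items():
        print(campaign, m)
    print("repeat click rate:", round(repeat_click_rate(EVENTS), 3))
    print("reporting by department:", reporting_rate_by_department(EVENTS))
```

Time-to-report is measured from the delivery timestamp, so a user who clicks and then reports (carol in campaign c1) still counts as a reporter: that is the behaviour you want to reinforce, and it is exactly the case a clicks-only dashboard hides.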

And if the simulation highlights technical gaps — like weak MFA coverage or risky legacy authentication — that’s a good moment to review your Microsoft stack with Cloud Services / Office 365.

Keep coaching short, specific, and immediate

If someone clicks, the follow-up should be helpful in under 30 seconds.

What works:

  • “Here were the 2 signs you could’ve spotted”
  • A single tip: “Hover over links before clicking”
  • A simple rule: “If money or passwords are involved, stop and verify”

What doesn’t:

  • A 10-minute video
  • A lecture
  • A scary breach story as punishment

If you want behaviour change, make it easy to learn in the moment, while the email is still on screen.

Use “blameless” language in every message

Your internal comms matter more than the simulation template.

Use language like:

  • “We’re practising”
  • “We’re improving how we spot and report”
  • “If you clicked, you’re not alone — this is what attackers are good at”
  • “Reporting is what protects the business”

Avoid:

  • “You failed”
  • “You were caught”
  • “We’re testing if staff are the weakest link”

When you keep it blameless, you’ll get better data too — because people won’t hide.

Increase difficulty gradually (and only when you’ve earned it)

Start easy. Build confidence. Then level up.

A sensible progression:

  1. Obvious phishing (spelling errors, weird domains)
  2. Better formatting but still clear red flags
  3. “Realistic” lures (M365 share, supplier change)
  4. Targeted scenarios for higher-risk teams (finance, HR)

If your organisation is growing or changing systems, make sure simulations reflect real workflows — especially during Migrations when people are already dealing with “new” and are more likely to click.

Back simulations with real-world controls

Simulations are training wheels — not brakes.

If a single click can still lead to a major incident, you’ll want to strengthen the layers around people:

  • MFA everywhere it’s practical, with phishing-resistant methods (FIDO2 security keys or passkeys) for admins and finance roles, since one-time codes and push prompts can still be relayed by an attacker’s proxy page
  • Least privilege
  • Good endpoint visibility (EDR)
  • Safe browsing controls
  • Clear verification processes for payments and supplier changes

For higher assurance, many businesses pair awareness with independent checks like Penetration Testing to validate what would happen if an attacker got further than an email click.

Don’t forget the practical stuff: devices, updates, and support

Sometimes the behaviour issue isn’t “awareness” — it’s that someone’s laptop is slow, their apps prompt constantly, and clicking feels like the fastest way out.

Keeping hardware reliable and users supported reduces risky shortcuts. That’s where structured sourcing and lifecycle planning through Hardware and Software can quietly improve security behaviour without you even mentioning phishing.

Make it easy for people to ask for help

Your staff should know exactly what to do when they’re unsure:

  • Who to contact
  • How fast they’ll get a response
  • What info to include (screenshots, headers, etc.)
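
To show what “include the headers” buys the person who triages a report, here is an added example (not from the original article) that pulls the useful fields out of a reported message saved as .eml: sender, Reply-To and Return-Path domains, the SPF/DKIM/DMARC verdicts from the Authentication-Results header, and any link whose visible text shows a different host from where it actually points. The sample message, its domains and the helper names are constructed for illustration; the same “signs you could have spotted” list feeds the 30-second coaching note.

```python
"""Triage a reported email: the headers and links a responder looks at first."""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample of a reported message (not a real email; example domains only).
SAMPLE_EML = """\
Return-Path: <bounce@mail-notify.example.net>
Authentication-Results: mx.example.co.uk; spf=pass smtp.mailfrom=mail-notify.example.net; dkim=none; dmarc=fail header.from=example.co.uk
From: "IT Helpdesk" <helpdesk@example.co.uk>
Reply-To: helpdesk-support@outlook-reset.example.net
To: alice@example.co.uk
Subject: Action required: your password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your Microsoft 365 password expires today.</p>
<p><a href="https://login-microsoft.example.net/reset">https://login.microsoftonline.com</a></p>
</body></html>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(header_value):
    """Domain part of an address header such as '"Name" <user@host>' (None if absent)."""
    if not header_value:
        return None
    match = re.search(r"@([\w.-]+)", str(header_value))
    return match.group(1).lower() if match else None


def _shown_host(link_text):
    """If the visible link text looks like a URL, return its host; otherwise None."""
    text = re.sub(r"<[^>]+>", "", link_text).strip()
    return urlparse(text).hostname if re.match(r"https?://", text, re.I) else None


def triage(raw_eml):
    """Return the sender domains, authentication verdicts, links and a list of red flags."""
    msg = message_from_string(raw_eml, policy=policy.default)
    from_domain = _domain(msg["From"])
    reply_to_domain = _domain(msg["Reply-To"])
    return_path_domain = _domain(msg["Return-Path"])
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(str(msg.get("Authentication-Results", "")))}

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    links = [{"href_host": urlparse(href).hostname, "shown_host": _shown_host(text)}
             for href, text in LINK_RE.findall(html)]

    flags = []
    if reply_to_domain and reply_to_domain != from_domain:
        flags.append(f"Reply-To domain {reply_to_domain} differs from From domain {from_domain}")
    if return_path_domain and return_path_domain != from_domain:
        flags.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    if auth.get("dmarc") not in (None, "pass"):
        flags.append(f"DMARC result is '{auth['dmarc']}' for {from_domain}")
    for link in links:
        if link["shown_host"] and link["shown_host"] != link["href_host"]:
            flags.append(f"link text shows {link['shown_host']} but points to {link['href_host']}")

    return {"from_domain": from_domain, "reply_to_domain": reply_to_domain,
            "return_path_domain": return_path_domain, "auth": auth, "links": links, "flags": flags}


if __name__ == "__main__":
    for flag in triage(SAMPLE_EML)["flags"]:
        print("-", flag)
```

A screenshot alone would show none of the first three flags, which is why the reporting guidance should ask for the original message (or the headers) rather than a forwarded copy, which rewrites them.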

If you’ve got multiple locations or cross-border teams, build consistent processes across offices with Global Support and International Projects or local coverage via European IT Support.

FAQs

How often should you run phishing simulations?

For most SMEs, monthly or every 6 weeks is enough to build a habit without fatigue. If you’re starting from scratch, a short burst (e.g., 3 campaigns over 8–10 weeks) can help establish baseline behaviour, then you can settle into a steady rhythm.

Should you tell staff a simulation is happening?

Yes — but you don’t need to share dates. Tell people you’ll be running regular simulations as part of security awareness, and that the purpose is learning, not discipline. When people trust the intent, reporting rates go up and “quiet” mistakes go down.

What should you do if a senior leader clicks?

Treat it the same as everyone else: private coaching, no drama. If anything, leadership participation is powerful — when leaders openly support learning, the rest of the business follows.

How do you handle repeat clickers without blame?

Don’t label them. Look for patterns: role pressure, inbox volume, unclear processes, poor device performance, or lack of confidence. Provide extra support (shorter coaching, practical rules, and an easier way to verify suspicious requests). If needed, review wider controls and workflows with Consulting.

Are phishing simulations worth it for small businesses?

Yes, because phishing is still the day-to-day entry point for lots of incidents, and the UK Government survey shows breaches can quickly lead to real cost and disruption. The key is to run simulations as coaching — not punishment.

Ready to run phishing simulations the right way?

If you want a phishing simulation programme that genuinely improves behaviour (and helps you strengthen the tech around it), speak to Northern Star. Use the Contact Northern Star page to book a callback and talk through a plan that fits your team size, your risk level, and your budget.