Recommended Plan for Phishing Training

This guide helps you set up effective phishing simulations that improve user behavior and awareness of different phishing signs over time. 

🎯 Who should be targeted, and when?

We recommend that all of your users be included in phishing training throughout the year.

Regular exposure helps employees stay alert and build lasting habits, so we recommend running ongoing simulations rather than one-off campaigns.

For users who have previously clicked phishing links, increase the frequency of their training.

📅 How often should I run simulations?

For most organizations, around 8 simulations per year is a good baseline. 

You may want to send more simulations if: 

  • You have high employee turnover

  • Your organization faces elevated phishing risk

For your users who are vulnerable to phishing, you should increase the frequency of their simulations: 

  • These users should get about 1 simulation every 14 days (company-wide simulations count toward this cadence) until they are no longer part of the phishing vulnerable group.

🎣 Read more about how the phishing vulnerable group works here

🔁 How should phishing signs be used?

We recommend that you rotate through all phishing signs across your organization over time.

This ensures that users are exposed to a wide range of tactics and are better prepared for real-world attacks.

📩 Recommended phishing training order

Phishing training is most effective when it gradually increases in complexity while keeping users engaged.

  • If simulations are too easy → users lose interest
  • If simulations are too difficult → users get discouraged

At the same time, the training should balance these three factors:

  1. Realistic risk exposure (based on average click rates)
  2. Progressive skill development
  3. Sustained engagement over time

Our recommended simulation order is designed to establish a strong baseline and introduce realistic social engineering tactics early, while alternating difficulty to maintain engagement. 

Here's the order we recommend training phishing signs in:

  1. Time Sensitivity
  2. Media
  3. Trust / Authority
  4. Curiosity
  5. Do the Right Thing
  6. Context
  7. Rewards
  8. Fear
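The cadence rules above (8 company-wide simulations a year, one simulation every 14 days for the vulnerable group with company-wide sends counting toward that cadence) and the recommended sign order can be turned into a small planner. The following is an added example written for this guide, not the vendor's own scheduling code. It assumes an evenly spaced yearly schedule, that targeted sends for a vulnerable user simply continue the recommended sign order, and that the caller supplies the date on which a user leaves the vulnerable group (the guide links to a separate page for how that is decided).

```python
from datetime import date, timedelta

# Recommended training order from the guide, one sign per company-wide simulation.
SIGN_ORDER = [
    "Time Sensitivity", "Media", "Trust / Authority", "Curiosity",
    "Do the Right Thing", "Context", "Rewards", "Fear",
]
COMPANY_WIDE_PER_YEAR = 8      # baseline from the guide
VULNERABLE_INTERVAL_DAYS = 14  # cadence for the phishing vulnerable group


def company_wide_schedule(start, per_year=COMPANY_WIDE_PER_YEAR, order=SIGN_ORDER):
    """Spread `per_year` company-wide simulations evenly over a year (an
    assumption; the guide only gives the yearly count), rotating through the
    recommended sign order. Returns a list of (date, sign)."""
    step = 365 // per_year  # 45 days for the 8-per-year baseline
    return [(start + timedelta(days=i * step), order[i % len(order)])
            for i in range(per_year)]


def vulnerable_user_extras(company_wide, clicked_on, leaves_group_on,
                           interval=VULNERABLE_INTERVAL_DAYS, order=SIGN_ORDER):
    """Extra, user-targeted sends for someone who clicked on `clicked_on`.

    Company-wide sends count toward the cadence, so an extra send is added only
    when no company-wide simulation falls within `interval` days of the user's
    last exposure. Assumptions (not from the guide): `leaves_group_on` is
    decided elsewhere and supplied by the caller, and extras continue the
    recommended sign order from the top.
    """
    cw_dates = sorted(d for d, _ in company_wide)
    extras = []
    last_exposure = clicked_on  # the click happened in a simulation, so it counts
    rotation = 0
    while True:
        due = last_exposure + timedelta(days=interval)
        if due >= leaves_group_on:
            break
        # A company-wide send in (last_exposure, due] keeps the cadence for free.
        covered = [d for d in cw_dates if last_exposure < d <= due]
        if covered:
            last_exposure = covered[0]
        else:
            extras.append((due, order[rotation % len(order)]))
            rotation += 1
            last_exposure = due
    return extras


def max_gap_days(dates):
    """Largest number of days between consecutive sends; used to check the cadence."""
    ds = sorted(dates)
    return max((b - a).days for a, b in zip(ds, ds[1:])) if len(ds) > 1 else 0


def example_plan():
    """Constructed scenario: a year starting 6 January 2025 and one user who
    clicked the first company-wide simulation and (assumed) leaves the
    vulnerable group on the day of the third company-wide send."""
    cw = company_wide_schedule(date(2025, 1, 6))
    clicked_on, leaves_on = cw[0][0], cw[2][0]
    extras = vulnerable_user_extras(cw, clicked_on, leaves_on)
    window = [d for d, _ in cw if clicked_on <= d <= leaves_on] + [d for d, _ in extras]
    return {"company_wide": cw, "extras": extras, "max_gap": max_gap_days(window)}


if __name__ == "__main__":
    plan = example_plan()
    for d, sign in sorted(plan["company_wide"] + plan["extras"]):
        kind = "company-wide" if (d, sign) in plan["company_wide"] else "targeted"
        print(f"{d}  {kind:13}  {sign}")
    print("max gap while vulnerable:", plan["max_gap"], "days")
```

Running it prints the merged calendar for that user: three company-wide sends (Time Sensitivity, Media, Trust / Authority) and six targeted sends in between, with no gap longer than 14 days while the user is in the vulnerable group. Because company-wide sends are counted, the user gets a targeted send only where the baseline schedule alone would leave them untested for more than two weeks.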

🎯 Seasonal tips

Make your simulations more realistic by aligning them with the time of year:

  • Holiday periods (e.g. Christmas, Easter): Use reward-based simulations

  • Summer months: Use vacation or out-of-office themed scenarios

We'll go through each of the phishing signs and what they mean next. 

📌 What each phishing sign teaches

Time Sensitivity

Urgency is one of the most common phishing tactics, and it appears in nearly every attack type. Our simulations based on this sign consistently produce high click rates across organizations.

The aim of training this sign is to teach users to pause before acting on urgent requests.

By starting with this sign, you: 

  • Establish a realistic, measurable baseline
  • Teach the most important defensive habit first (pausing before acting)
  • Build awareness without feeling overly complex

Media

After teaching users to slow down, we shift to structural awareness.

These are emails you would normally expect to receive, but are you sure the sender is legitimate?

Media-based phishing focuses on: 

  • Sender and format
  • Platform

This early introduction prevents the training from feeling too basic and signals that phishing is not only about emotional triggers, but also about evaluating how information is delivered.

It moves users from impulse control to analytical thinking. 

Trust / Authority

Although this sign has lower click rates on average, it represents a high real-world risk, and the attacks that use it are often high-impact.

The goal of trust/authority simulations is to train users to question messages from “trusted” sources like managers or IT.

Introducing it:

  • Reflects signs commonly used by criminals

  • Challenges users beyond obvious phishing patterns

This stage reinforces that signals of authority are themselves important red flags.

Curiosity

This sign trains users to be aware of natural impulses like wanting to “see more” or check something interesting.

Curiosity-based simulations often have a high click rate, because they test emotional impulses in a subtle way. 

By the time your users reach this stage of the phishing training:

  • They have learned to pause (Time sensitivity)
  • They evaluate structure (Media)
  • They question sender credibility (Authority)

A curiosity-based simulation keeps training engagement high while reinforcing emotional self-awareness. 

Do the Right Thing

This sign typically has very low click rates, but it's culturally important because it exploits our desire to be helpful and cooperative, for example through requests asking users to assist or cooperate.

Placing it here in your schedule will:

  • Test organizational cultural maturity
  • Encourage verification before assisting
  • Reinforce that phishing is not always aggressive or urgent

At this stage, users are ready to evaluate social dynamics, not just email content.

Context

Context-based phishing encourages users to ask themselves:

  • Was I expecting this?

  • Does this make sense right now?

Scheduling this simulation later ensures users have enough experience to spot when something doesn’t fit the situation.

Rewards

This sign generates high click rates, but if it's overused early, it can make your phishing simulations feel simplistic or predictable. That's why we place it later in your schedule.

The rewards sign tests users' reactions to incentives like prizes or offers. When you put it later in your simulation schedule:

  • Users are tested after building analytical maturity
  • The organization avoids early "free gift" fatigue
  • Emotional impulse is tested again in a more realistic scenario

It works as a stress test after users have already built strong thinking and evaluation skills.

Fear

Fear-based phishing creates strong emotional reactions and can feel highly realistic. Simulations using this sign challenge users to stay calm under pressure in scenarios that feel serious or urgent.

Although average click rates are lower in these simulations, fear-based attacks:

  • Can trigger panic-driven behavior
  • Often resemble real security incidents
  • Require emotional regulation and calm decision-making

Placing fear last in your plan ensures that your users:

  • Have learned to pause
  • Can analyze structure and content
  • Are prepared to manage emotional pressure

It tests whether users can stay calm and think clearly in more challenging situations.