Beyond Click Rates: Phishing Simulation Best Practices for 2025
Move beyond vanity metrics with these proven strategies for running phishing simulations that actually improve security behavior.
Phishing simulations have become a staple of enterprise security programs. Yet most organizations measure success the wrong way—obsessing over click rates while missing the behaviors that actually matter.
After analyzing thousands of phishing campaigns across hundreds of organizations, here are the practices that separate effective programs from security theater.
The Click Rate Trap
The average enterprise phishing simulation click rate hovers around 15-20%. Security teams celebrate when this number drops, but here's the uncomfortable truth: click rate alone tells you almost nothing about your actual security posture.
Why Click Rate Is Misleading
- Template quality varies wildly - A 5% click rate on a generic template is a worse result than 15% on a highly targeted spear-phish
- It ignores the tail - The same 3% of employees may be clicking every time
- It misses positive behaviors - Employees who report phishing attempts are your greatest asset
- Seasonal effects - Click rates spike during busy periods regardless of training
Metrics That Actually Matter
1. Report Rate
The percentage of recipients who correctly identify and report the simulation. This is your most valuable metric because:
- It measures the behavior you want to encourage
- High report rates correlate with lower real phishing success
- It identifies your security champions
Target: Industry-leading organizations achieve 30-40% report rates.
2. Time to First Report
How quickly does someone in your organization identify and report a threat? Faster is far better because:
- Early reports enable faster takedown of real threats
- It demonstrates security awareness is top-of-mind
- Quick reporters can be enlisted as peer influencers
Target: First report within 5 minutes of campaign start.
3. Repeat Offender Rate
The percentage of clickers who have clicked on previous simulations. This identifies employees who need intensive intervention:
- One-time clickers often need just awareness
- Repeat offenders need different approaches
- Chronic clickers may need access restrictions
Target: Less than 5% should be repeat offenders across 3+ simulations.
4. Credential Submission Rate
Of those who click, how many actually enter credentials on the phishing page? This measures the depth of compromise:
- Clicking a link is concerning
- Entering credentials is a breach
- Track the ratio to measure awareness depth
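The four metrics above can be computed directly from a simulation platform's event export. The following is an added example, not code from the article or from any vendor: it assumes a constructed event log with one record per user action ("clicked", "submitted", "reported") plus a per-campaign start time and recipient list, and computes report rate, time to first report, credential submission rate, and repeat offender rate, along with the chronic clickers the "3+ simulations" target refers to.

```python
from datetime import datetime

# Constructed sample data (hypothetical, not from the article).
# CAMPAIGNS: campaign_id -> (ISO start time, recipients)
CAMPAIGNS = {
    "c1": ("2025-01-06T09:00:00", ["ann", "bob", "cai", "dee", "eli"]),
    "c2": ("2025-02-03T09:00:00", ["ann", "bob", "cai", "dee", "eli"]),
    "c3": ("2025-03-03T09:00:00", ["ann", "bob", "cai", "dee", "eli"]),
}
# EVENTS: (campaign_id, user, event, ISO timestamp); "submitted" means
# credentials were entered on the simulated phishing page.
EVENTS = [
    ("c1", "bob", "clicked", "2025-01-06T09:12:00"),
    ("c1", "bob", "submitted", "2025-01-06T09:13:00"),
    ("c1", "cai", "reported", "2025-01-06T09:03:00"),
    ("c1", "dee", "clicked", "2025-01-06T10:40:00"),
    ("c2", "bob", "clicked", "2025-02-03T09:30:00"),
    ("c2", "cai", "reported", "2025-02-03T09:02:00"),
    ("c2", "ann", "reported", "2025-02-03T09:20:00"),
    ("c3", "bob", "clicked", "2025-03-03T09:05:00"),
    ("c3", "bob", "submitted", "2025-03-03T09:06:00"),
    ("c3", "eli", "clicked", "2025-03-03T11:00:00"),
    ("c3", "cai", "reported", "2025-03-03T09:01:00"),
    ("c3", "dee", "reported", "2025-03-03T09:45:00"),
]

def _users(campaign_id, event):
    """Distinct users who generated `event` in the given campaign."""
    return {u for c, u, e, _ in EVENTS if c == campaign_id and e == event}

def report_rate(campaign_id):
    """Share of recipients who reported the simulation (the key metric)."""
    return len(_users(campaign_id, "reported")) / len(CAMPAIGNS[campaign_id][1])

def time_to_first_report(campaign_id):
    """Seconds from campaign start to the earliest report, or None if nobody reported."""
    start = datetime.fromisoformat(CAMPAIGNS[campaign_id][0])
    times = [datetime.fromisoformat(t) for c, _, e, t in EVENTS
             if c == campaign_id and e == "reported"]
    return (min(times) - start).total_seconds() if times else None

def credential_submission_rate(campaign_id):
    """Of those who clicked, the share who also entered credentials."""
    clickers = _users(campaign_id, "clicked")
    return len(_users(campaign_id, "submitted") & clickers) / len(clickers) if clickers else 0.0

def repeat_offender_rate(campaign_id):
    """Share of this campaign's clickers who also clicked in an earlier campaign."""
    earlier = [c for c, (start, _) in CAMPAIGNS.items() if start < CAMPAIGNS[campaign_id][0]]
    clickers = _users(campaign_id, "clicked")
    prior = set().union(*(_users(c, "clicked") for c in earlier))
    return len(clickers & prior) / len(clickers) if clickers else 0.0

def chronic_clickers(min_campaigns=3):
    """Users who clicked in at least `min_campaigns` distinct campaigns."""
    per_user = {}
    for c, u, e, _ in EVENTS:
        if e == "clicked":
            per_user.setdefault(u, set()).add(c)
    return {u for u, cs in per_user.items() if len(cs) >= min_campaigns}
```

Compare each campaign's numbers only against campaigns of similar difficulty, since a falling click rate across easier templates says nothing about progress.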
Running Effective Campaigns
Tailor Difficulty to Risk Level
Not everyone needs the same test. Segment your simulations:
| Employee Segment | Simulation Difficulty |
|---|---|
| High-risk (executives, finance) | Maximum realism, targeted content |
| Standard employees | Moderate difficulty, common scenarios |
| Previous clickers | Progressive difficulty, educational focus |
| New hires | Basic scenarios, learning-oriented |
Vary Your Approach
Employees learn to spot your simulations if you always use the same style:
- Rotate themes (shipping, HR, IT, external)
- Mix email and SMS (smishing)
- Include attachment-based tests
- Test during different times and days
Make Reporting Easy
The harder it is to report, the lower your report rate:
- Integrate a report button directly in email clients
- Don't require multiple steps or tickets
- Acknowledge reports immediately
- Show employees the impact of their reports
Close the Loop
Every simulation should end with learning:
- Immediate feedback - Show clickers what they missed
- Positive reinforcement - Thank reporters
- Trend sharing - Help teams understand organizational progress
- Recognition - Celebrate security champions
When Employees Click
Traditional approaches shame clickers with embarrassing "gotcha" pages. This backfires—employees become resentful and less likely to report real threats.
Better Approaches
- Educational landing pages - Explain what indicators they missed
- Micro-training - 2-3 minute refresher on the specific technique
- Manager notification - For repeat offenders, involve leadership
- Score impact - Connect to their security score (if using risk scoring)
For Repeat Offenders
Employees who click repeatedly need different interventions:
- One-on-one coaching sessions
- Role-specific training (e.g., finance-targeted attacks)
- Temporary additional controls
- Manager involvement and accountability
Measuring Program Effectiveness
Beyond individual campaigns, track your program's overall impact:
Year-over-Year Trends
- Is your click rate trending down across similar difficulty levels?
- Is your report rate increasing?
- Are repeat offenders decreasing?
Correlation with Real Threats
- Track actual phishing attempts and clicks
- Compare simulation clickers to real-world clickers
- Measure if training actually reduces real incidents
Benchmark Against Industry
- How do you compare to similar organizations?
- What's your percentile for report rate?
- Where are your biggest gaps?
Common Pitfalls to Avoid
- "Gotcha" culture - Simulations should educate, not embarrass
- Infrequent testing - Monthly is minimum; weekly is better
- Predictable patterns - Vary timing, sender, and content
- Ignoring context - Don't test during major company events
- No follow-through - Training without accountability fails
The Bottom Line
Effective phishing simulations are about behavior change, not catching people. Focus on building reporters, not reducing clickers, and measure the metrics that actually predict real-world resilience.
Want to see how TIDALBAY integrates phishing simulation with comprehensive security scoring? Start a free trial today.
Head of Security Research
Former threat researcher at Mandiant. Specializes in human-targeted attacks and security awareness.