Phishing Strategy Guide


Change doesn’t happen overnight, and you can’t automate it. OK, you can automate it, but just because you can eat pizza for breakfast, lunch, and dinner doesn’t mean you should, right? Security awareness and behavior change that sticks requires thought and intention, not to mention planning, collaboration, communication, and goal setting.

It’s about giving employees the knowledge and tools they need to develop the right security habits—with the ultimate goal of driving organizational success and positive business outcomes. It’s the ultimate win-win, and it creates a positive culture around security awareness.

So stop automating your security awareness and lose the tired “gotcha” scenario by creating a safe, simulated space where employees can learn what phishing looks like and how to report malicious emails. In this e-book, we’ve broken down how to set up and launch your phishing program into three parts:

  • Part I: How to set everything behind the scenes to ensure success

  • Part II: The practical steps for launching the program

  • Part III: How to evaluate your brilliant, successful program

Download a PDF version of this guide by filling out this form, or keep scrolling to read.

Phishing Strategy Guide_Cover.jpg

Chapter 1

Before You Even Get Started

Let’s get straight to it: These are the six steps you must take before even thinking about launching your phishing program.

Step 1: Acknowledge you need it and why.

With security awareness training, the first step is usually someone saying, “We need to do phishing training.” Why? Phishing is the most common type of security awareness training, and people just know it has to be done.

Creating a culture of security has endless benefits, including letting employees work from where they want, when they want, while protecting and securing your company’s data. Security affects everyone—not just the IT and InfoSec teams. It’s important to get everyone on board and make sure employees from the bottom up know how to react to security threats like phishing.

there are a lot of vendors out there

Step 2: Don’t spend too much time on vendor selection.

Companies that are just starting to create a security program or that are reviewing their security awareness training program usually start with a deep dive into vendor selection. But you’re smarter than the average security pro!

Phishing simulation platforms and vendors are a commodity. There are plenty of open-source, free, and paid tools out there—and every vendor is doing the same thing, so don’t spend a ton of time POCing different vendors. The vendor’s platform won’t make or break your phishing program. Success is determined by how you strategize, plan, and manage your program—all of which happen outside the platform.

What about smishing? Smishing, or SMS phishing, requires a specialized vendor and more processes, so it’s important to really consider the goal and impact of running a smishing campaign. If you do pursue a smishing simulation program, consider high-target roles (e.g., the C-suite) or specific individuals who might be at higher risk for responding to a smishing campaign (e.g., the sales team).


people have to report what they find
Step 3: Set up a
“report phishing” button.

If employees have no way—or don’t know how—to report phishing in the first place, you’re starting at a negative. Most vendors offer a “report phishing” button as part of the platform, or you can implement the Microsoft Office 365 button.

A “report phishing” button lets employees notify IT or security teams of suspicious emails with one quick click, and its very existence as an available action reinforces your company's security culture. Once reported, the email is removed immediately from the inbox so the employee isn’t tempted into clicking just to see what happens.

No button? Then you need to set up a phishing reporting email address (e.g., or so employees can easily report nefarious emails.

Step 4: Create a strategy and identify repeat responders.

Before you even start playing around with the phishing platform, create a strategy and internal policy. The strategy and policy should include timelines and all steps that follow this one (technical setup, communications, and the actual launch) and should be decided upon with an advisory board or steering committee comprising key stakeholders, including:

Why? As you introduce the concept of the program, it’s crucial for people to understand the “why” and “how” of what you’re doing and to not make assumptions. This will also allow managers to keep their teams updated on the program. Remember, the goal of the phishing program is not to “test” people—it’s about security awareness reinforcement and education.

Repeat responders

Next up—and this step is non-negotiable—identify what repeat responders look like and how you’ll coach them toward the right habits. Repeat responders are typically identified as people who respond to four or more phishing simulations within a six- to 12-month rolling window, which allows the natural learning component to take effect.

By setting the requirement of four campaigns, you can often reduce the actual number of repeat responders to less than 2 percent of your population. In comparison, identifying repeat responders after only two campaigns could result in 50 percent of your population being labeled as repeat responders, which is neither manageable nor effective. Phishing training takes time—give it time, and give your coworkers time to adapt and learn. Then, work with that smaller number of employees directly to effect change.

Resist the urge to think of repeat responders as repeat “offenders”—they’re just responding to training, which is a good thing. It’s the whole point of the training program, right?

Also, the great thing about these employees is that you don’t need to do anything with them. Just accept that there’s a learning curve, embrace the fact that the average employee engages with at least four campaigns, and label these individuals as repeat responders.

While strategizing how to coach these responders toward ideal habits, we recommend waiting for the magic moment between the third and fourth campaign where the response percentage drops into the single digits. Once you’ve got a crop of repeat responders in the single digits, create an outreach program to deliver the tools and support they need to adopt the right habits.

"Phishing training takes time—give it time, and give your coworkers time to adapt and learn."


you have to include all the right teams

Step 5: Connect with the right teams for technical setup.

This step is a biggie. Here is the who’s who for technical setup:

Email/server team

This team will need to whitelist email servers that can send to your domain. Ask how many filters an email goes through before it lands on the company’s network, because the team will have to add a whitelist for each entry point.

Web filtering analyst

Phishing platform vendors usually offer a bunch of junk websites that are used to host education page templates that you can easily edit and update, but you need to make sure they’re whitelisted by the team responsible for controlling firewall rules. (See more on this in Part II: Step 5.)

Legal/risk management team

Don’t get caught up on the bells and whistles. Not only do most vendors say you can’t use copyrighted names/logos, but stealing a brand’s identity is just plain bad. Plain text emails are just as effective as—if not more effective than—phishing emails that go out of their way to mockup a fake FedEx logo. Whatever your emails and education pages look like, run them by legal and risk management to cover all of your bases.

Information services team

You need this team to help deliver all active company email addresses into the vendor system. Sometimes, you can use single sign-on (SSO) to import, but sometimes you have to get an Excel doc and upload the sheet into the phishing platform manually. At the very least, you need to have contact basics, including:

  • First name
  • Last name
  • Title
  • Department
  • Region
  • Email address

The more granular you can get, the more detailed your reports will be and the more rich your data will be—not to mention more accurate. In order to get good data out of the phishing program, you’ve got to get good data into the platform. Work with the information services team to ensure the contacts are accurate, up to date, and detailed.

What about freelancers? There is a big debate over whether freelancers and contractors should be included in the phishing simulation. Our advice: Anyone who has a corporate email address with the company domain should be included in the training.

If you’re tempted to just pull names and emails without departments, sub-departments, regions, and so on, you won’t be able to tell much of a story. For example, do you want to see how the marketing department is engaging with phishing emails? Or do you want to see how the marketing department’s social media team is responding to phishing emails? Ask yourself what kind of story you want to tell and then make sure you’re pulling the contact details that will let you accurately tell that story.

Help desk

Whether you call it the knowledge base, wiki, or field guide, create a document to help everyone at the company talk about the program using a shared language. Once you start your program, if someone calls or messages a team lead, a manager, or the help desk and asks, “Is this a phishing campaign?” whoever is responding can answer confidently and consistently.

Here’s a sample response script for your wiki:

“Great job! Thanks for reporting that malicious email to us. Keep up the good work by always reporting the email via the phishing reporting button and/or email address as soon as you receive it.”

Pro tip: Best practices for internal processes like these are to never acknowledge the simulation as a training program—just acknowledge that it’s a phishing email and how to report it in the future. People get weird about “training” programs, so don’t let it get weird.


spread the word
Step 6: Tell the company about the program.

You’ve arrived at the sixth and final step. Congrats! Start by sending out an email to the Chief Whatevers and Vice Presidents of Stuff so they can understand what is about to happen—and include a timeline. Then, one to two months prior to the anticipated launch of the first campaign, unleash an email explaining the program to everyone at the company.

Hey there!
We’re the security awareness team, and we want you to know that phishing presents a huge risk to you and the entire company. We’re here to help you identify what phishing emails look like and how to report them.
Remember: Everyone is participating, and this isn’t a test—so you can’t fail! If you get a phishing email and you click on it, here’s how to report it: [give instructions on the button and/or email address].
Your friendly neighborhood security team

If you’re thinking, “But wait, if everyone knows it’s coming, what’s the point!?” then, friend, you’ve missed the point. Trust equals transparency. The quickest way to fail—and to damage the security team’s image and reliability—is to not tell anyone what’s going on. Also, a lot of emails come and go at any company in a month or two, and people will still respond to the simulation, we promise.

Lastly, send out a second email two weeks prior to the campaign launch, reminding everyone how to report phishing emails and what the goal of the campaign is.

OK! Now that you’ve got everything set up, what does the practical phishing simulation campaign look like?

Chapter 2

Unleash the Phishing Campaign

You should already have your employee data loaded into your phishing campaign platform, so it’s time to create your strategy for year one. Wait, what’s that? I need a whole year’s strategy? Shouldn’t I get results immediately?

Nope! Did you know that you have to do six to eight campaigns of three to five days each within a single year before you have healthy data to report on? More often than not, companies will do two campaigns and report to senior leadership and freak out. Why? Because the data isn’t accurate and doesn’t realistically portray what employees are doing. Like a fine wine, you’ve got to give your program time to age.

Pro tip: You can be more aggressive and do one campaign per month, but pretty much nobody recommends it.

Step 1: Get to know the phishing campaigns.

The three main types of phishing emails are:

  1. Emails with links: If someone clicks on the link, they’re responding to the training (medium difficulty).
  2. Emails with data entry: If someone clicks on a link to go to a website to confirm a password or email, they’re responding to the training (medium-hard difficulty).
  3. Emails with an attachment: If someone clicks on a PDF or Word doc attachment, they’re responding to the training (hard difficulty).

We suggest sticking with the first two and leaving the third type for more mature campaigns. Yes, it’s always an option, but attachment campaigns offer limited data and aren’t the best for a new or young program. Instead, run an attachment campaign in year two or at high-target roles (e.g., the C-suite).

creating a campaign strategy is a must

Step 2: Create a campaign strategy.

Switch back and forth between medium and medium-hard campaigns and make the campaigns more complex over time. Also, be aware of actual threats in the news and make employees aware of what’s going on. Working real and current cyberthreats into your overall campaign strategy can be powerful and make the program more relevant—and impactful—to your employees.

Step 3: Establish success metrics.

It takes time to analyze data and determine success, and we recommend starting with these metrics:

  • Decrease in clicks
  • Decrease in help desk calls
  • Increase in reporting
  • Faster reporting times
  • Decrease in repeat responders

For example, if, after the first year, you can say the click rate is 28 percent, then you can establish a goal of cutting that by 50 percent in year two. Or, if after the first campaign you establish a 5 percent baseline reporting rate and by the end of the first year that rate was up to 50 percent, this shows measurable behavior change.

get ready to start testing

Step 4: Create the email.

Although most vendor templates are junk, they’re good enough that you can pick one and modify it so it’s more realistic and not as obvious as a phishing email. You don’t need something fancy, you just need something effective. So keep it simple.

Don’t use images.

Start easy with HTML or plain text emails. You can easily spoof a FedEx email without using the logo by sending an email that says something like this: “Oops, we missed your delivery. Click here to reschedule.”

Make it believable.

Use company language, names, and lingo, including department- or team-specific jargon. If you’re sending a phishing email in which the CEO asks employees to wire money stat for the company-wide hoagie order he just placed but your company is based in Boston, you probably should have used local lingo: It’s a grinder, not a hoagie.

Be smart and legal.

Also, don’t infringe on the rights of private companies or corporations when running your phishing program. Logos are trademarked, so keep it simple and avoid using logos of major companies like Amazon, UPS, and Salesforce. Internal phishing emails perform better than external emails, anyway, because of the inherent trust among employees and their colleagues—after all, everyone knows the CEO loves buying quarterly, company-wide lunch, so they’ll buy into the message and click.

Pro tip: Marketing, sales, and HR departments are often the most susceptible because they have the most interaction with external parties. Play that angle!

Here are some other email ideas:

  • A package notification from a shipping company or Amazon with a link to check the status or reschedule delivery
  • An email from IT with a link saying that the employee needs to reset a password
  • A sweepstakes announcement that seems too good to be true (because it is)
  • HR looking for a quick personal information check and an attached form (carrying malware) to fill out

Step 5: Craft the education page.

When employees click on a phishing link, they’ll be taken to an education page. A lot of vendors pack these pages with tons of information and content about the dangers of phishing, but it’s neither the time nor the place for it. So build your own!

don't keep your teams in the dark

Step 6: Notify your teams.

Once you’re 24-48 hours prior to launching the first campaign, make sure you remind and notify key stakeholders on the technical teams and steering committee. Make sure they have access to (or a copy of) the knowledge base you created in Part I, because employees will undoubtedly be emailing their supervisors and the help desk, so everyone needs to know how to respond. With everyone on the same page, you’ll also avoid a costly incident response because people forgot about the program.

Step 7: Launch day!

It’s here! Send your phishing campaign out into the world, grab a coffee, kick back, and then check in with your teams, stakeholders, and the help desk throughout the day to see if they’ve had an influx of calls or emails. Start watching response rates, click rates, and other metrics you’ve decided to track, too.

(BTW, this is pretty much how people should respond to your email)



If no one is responding, put the coffee down and reach out to the right teams to check your filtering. It’s possible the right sites or servers weren’t whitelisted. Troubleshoot the issue and relaunch if necessary.

Chapter 3

Dig into the Data

Now that you’ve run your phishing simulation, start evaluating how the campaign went by downloading the raw CSE file and filtering the data yourself. Yes, this will take a few days, but we don’t recommend pulling data off the vendor dashboard and using that as your report.

What’s that? You don’t want to pull the raw file and dig through it yourself? OK, that’s cool. If you can guarantee that you’ve used clean, accurate data from the get-go, then go ahead and rely on the phishing platform’s dashboard. If you aren’t 100 percent confident it’s accurate, up to date, and precise, the data is likely inaccurate or skewed because you didn’t start with the best contact info possible.

Be conscious of any missing descriptive fields and inaccuracies in the dashboard. For example, if all HR employees didn’t have “human resources” in the right departmental field, your data about that department could end up being inaccurate.

so what next?

Next Steps and Follow-Up

As you crunch the numbers, note the most susceptible departments, and create a plan for how to provide them with the skills needed to develop the right habits and get better at identifying phishing campaigns. Reach out to employees and relevant departments and teams prior to launching your next campaign with actionable steps and additional information about how to report a phishing campaign.

It’s also a good idea to launch a security awareness ambassador program and create outreach initiatives to help repeat responders master the right habits and to create a company-wide culture of security.

What about reporting to the company how everyone did? There is a lot of debate about whether you should issue a report about how everyone performed, and there are legal risks involved. Whether or not you decide to share the results, run your decision and the results by your legal and risk management teams and key stakeholders first.

Chapter 4


A successful security awareness ambassador program can’t be automated. Building a culture of security awareness takes thoughtful planning and plenty of time to be impactful and effective. Behavior change doesn’t happen overnight—it has to be nurtured, cultivated, and encouraged.

Creating a safe, simulated space where employees can learn what an actual phishing attempt looks like will help create a workplace where people see why security awareness is relevant to everyone and reporting phishing emails becomes second nature.


We're sure that you have questions after reading all that, so let's chat!

Whether you'd like to pick our brains or want to learn more about our process, request a consultation with one of our Habitu8 experts and let's get the conversation started.


close chapters modal

Download a PDF version of this guide by filling out this form

Simply fill out this form to receive a PDF version of our guide.

Phishing Strategy Guide_Cover