Phishing Simulation: How to Test Your Employees Safely

By EJN Labs · 19 Jun 2026 · 8 min read

A phishing simulation is a controlled, authorised exercise that sends realistic but harmless phishing emails to your own staff to measure how they respond. It safely tests who clicks, who reports and where your defences fail, then feeds the results into targeted training. Done properly it improves human resilience without naming, shaming or tricking employees into real harm.

What a phishing simulation actually is

A phishing simulation is a planned security exercise in which your testing provider sends crafted, benign phishing messages to a defined group of your employees, then records what each person does. Nobody is breached, no real credentials are stolen and no malware is delivered. The point is to measure behaviour under realistic conditions so you understand your genuine human attack surface rather than guessing at it. For most UK organisations, people remain the single most exploited route into the network, so testing that route deliberately beats waiting for a real attacker to do it for you.

A good simulation reproduces the techniques criminals actually use against UK businesses: invoice fraud and supplier impersonation, fake Microsoft 365 login prompts, HR and payroll lures, parcel-delivery notifications, and timely themes tied to tax deadlines or internal events. Each scenario is designed to be plausible without being cruel, and every click is logged against an outcome so you can see the difference between someone who opened a message, someone who entered credentials on a lookalike page, and someone who spotted the lure and reported it. That last group matters most, because reporting rate is the metric that most closely predicts how your organisation will fare against a genuine campaign.

How a safe phishing simulation is run, step by step

Safety in a phishing simulation comes from process, not luck. A professional engagement follows a defined sequence so that nothing reaches a customer, lands in a regulator’s inbox, or causes real operational harm.

  • Authorisation and scoping: a signed engagement defines exactly which mailboxes are in scope, the campaign themes, the volume and timing, and the named internal sponsor who can pause the exercise at any point.
  • Scenario design: our testers build lures that match your sector and real-world threat intelligence, then agree the wording with you so nothing references genuine pending payments, live legal matters or anything that could cause panic.
  • Safe infrastructure: emails are sent from controlled domains and landing pages capture only the action taken, never a real password. Allow-listing is configured with your IT team so messages are delivered, not silently blocked, which would invalidate the test.
  • Controlled delivery: messages are released in waves to avoid overwhelming the helpdesk, and the reporting process is monitored live so genuine concern is acknowledged quickly.
  • Measurement and debrief: results are aggregated into delivery, open, click, credential-submission and report rates, then turned into prioritised guidance and just-in-time training for the people who need it.

This is the same discipline our CREST-certified testers apply across all adversary-simulation work, and it is what separates a legitimate phishing assessment from a careless prank that damages trust. The aim is to leave staff better prepared and more confident in reporting, not embarrassed.

Testing employees safely and ethically

Running a phishing simulation badly can do real harm: it can humiliate individuals, breach data-protection expectations, and teach your workforce to distrust the very security team that should be helping them. Testing safely means designing the exercise around learning, not catching people out.

In practice that means three commitments. First, results are handled at an aggregate and team level for reporting to leadership, so the narrative is about organisational resilience rather than blaming named individuals. Second, lures avoid genuinely distressing themes such as fake redundancy notices, bereavement or fabricated disciplinary action, which can cause real distress and are rarely necessary to prove a point. Third, anyone who clicks is met with brief, supportive education at the moment of the click, reinforcing what to look for next time instead of issuing a reprimand.

There is a UK data-protection dimension too. Because a simulation processes information about how identifiable employees behave, you should reflect it in your staff privacy notice, base it on a clear lawful basis, and keep results proportionate and securely held. A reputable provider will help you document this so the programme supports your obligations rather than creating new risk. Handled this way, simulations become a trusted part of your security culture and people start to see the reporting button as a normal, valued habit.

What good results look like and how to act on them

The output of a phishing simulation is only useful if it changes behaviour. A strong report goes beyond a single click percentage and breaks results down by department, by role and by repeat-clicker, because a finance team that handles supplier payments carries very different risk from a warehouse team that rarely receives external email.

The headline metric to watch over time is the ratio of reporters to clickers. A campaign where ten percent click but forty percent report a suspicious message is in a far healthier position than one with the same click rate and almost no reporting, because rapid reporting is what lets your security team contain a real incident in minutes rather than days. Track that ratio across repeated rounds and you will see whether your training is genuinely landing.

Acting on results should be specific. Direct short, role-relevant training to the groups that struggled, tighten technical controls such as external-sender warnings, multi-factor authentication and link rewriting where the simulation exposed gaps, and rerun a fresh scenario after a reasonable interval to confirm improvement. A one-off test tells you where you stand today; a recurring programme, ideally quarterly, is what builds durable resilience.
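As an added example (not EJN Labs' own tooling), the aggregation below turns a campaign event log into the per-team delivery, open, click, credential-submission and report rates described above, the reporter-to-clicker ratio, and a repeat-clicker count across rounds. The event log, team names and pseudonymous recipient ids are constructed; results are only ever produced at team or organisation level, never per named person.

```python
from collections import defaultdict

# Constructed sample log (not real campaign data): one row per recorded action,
# as (round, team, pseudonymous recipient id, action). Recipients are ids, not
# names, so the aggregation never needs to identify anyone.
EVENTS = [
    (1, "finance", "u01", "delivered"), (1, "finance", "u01", "opened"),
    (1, "finance", "u01", "clicked"), (1, "finance", "u01", "submitted"),
    (1, "finance", "u02", "delivered"), (1, "finance", "u02", "reported"),
    (1, "finance", "u03", "delivered"), (1, "finance", "u03", "opened"),
    (1, "finance", "u03", "reported"),
    (1, "warehouse", "u10", "delivered"), (1, "warehouse", "u10", "opened"),
    (1, "warehouse", "u10", "clicked"), (1, "warehouse", "u11", "delivered"),
    (2, "finance", "u01", "delivered"), (2, "finance", "u01", "opened"),
    (2, "finance", "u01", "clicked"), (2, "finance", "u02", "delivered"),
    (2, "finance", "u02", "reported"), (2, "finance", "u03", "delivered"),
    (2, "finance", "u03", "reported"), (2, "warehouse", "u10", "delivered"),
    (2, "warehouse", "u10", "reported"), (2, "warehouse", "u11", "delivered"),
    (2, "warehouse", "u11", "opened"), (2, "warehouse", "u11", "clicked"),
]
ACTIONS = ("opened", "clicked", "submitted", "reported")

def team_rates(events, rnd):
    """Rates for one round, per team plus 'all': each rate is the share of
    delivered recipients who took that action at least once; 'ratio' is
    reporters divided by clickers, or None when nobody clicked."""
    who = defaultdict(lambda: defaultdict(set))  # team -> action -> recipients
    for r, team, rid, action in events:
        if r == rnd:
            who[team][action].add(rid)
            who["all"][action].add(rid)
    out = {}
    for team, acts in who.items():
        n = len(acts["delivered"])
        row = {"delivered": n}
        for a in ACTIONS:
            row[a] = round(len(acts[a]) / n, 2) if n else 0.0
        clicks = len(acts["clicked"])
        row["ratio"] = round(len(acts["reported"]) / clicks, 2) if clicks else None
        out[team] = row
    return out

def repeat_clickers(events):
    """Number of recipients who clicked in more than one round (a count, no ids)."""
    rounds = defaultdict(set)
    for r, _, rid, action in events:
        if action == "clicked":
            rounds[rid].add(r)
    return sum(1 for rs in rounds.values() if len(rs) > 1)
```

In this constructed data the organisation-wide reporter-to-clicker ratio rises from 1.0 in round one to 1.5 in round two while the click rate stays flat, which is exactly the trend the text says to watch for.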

Phishing simulation as part of wider security testing

A phishing simulation measures the human layer, but attackers rarely stop at the inbox. The real question for most boards is what happens after a credential is captured, and that is where social-engineering testing connects to your wider penetration testing programme. A mature assessment can take a simulated credential compromise and, with prior authorisation, demonstrate the onward path an attacker would follow into your systems, so you understand the full chain rather than just the front door.

This is why phishing testing sits naturally alongside external network, web application and internal testing, and is a common component of red-team engagements. Cost depends on scope: a standalone phishing simulation is a small, well-bounded piece of work, while combining it with broader testing increases the tester days involved. All of our work is delivered by senior and principal testers at a typical UK day rate of around £1,200 to £1,300, with price driven by scope complexity measured in tester days. For how scope translates into budget, see our guide to penetration testing cost in the UK, and review the full range of engagements on our services overview.

How EJN Labs approaches this

EJN Labs is a CREST-accredited UK penetration testing firm, and we also hold Cyber Essentials, Cyber Essentials Plus, ISO 27001 and ISO 9001 certification. That accreditation matters for social-engineering work in particular, because it means our handling of sensitive employee data, our authorisation process and our reporting are independently assessed rather than self-declared. Every phishing simulation is designed and delivered by senior and principal testers who build realistic, sector-relevant scenarios and then translate the results into clear, actionable improvement.

We run simulations as a learning exercise, not a trap: results are reported at team and organisation level, training is supportive and delivered at the point of need, and the whole programme is documented to support your data-protection obligations. Pricing is fixed and scope-based, agreed before any email is sent, with no day-rate creep. Where a finding warrants deeper validation, we include free retests so you can evidence genuine improvement to auditors, insurers and clients. You can explore the service in detail on our phishing assessments page.

Frequently Asked Questions

Is a phishing simulation legal and safe for employees?

Yes, when it is properly authorised. A legitimate phishing simulation is run with signed permission, uses harmless lookalike emails that never capture real passwords, and reflects the exercise in your staff privacy notice with a clear lawful basis. Handled this way it is safe, ethical and a recognised part of building security awareness.

How is a phishing simulation different from real phishing?

A real phishing attack is criminal and aims to steal credentials, money or data. A phishing simulation reproduces the same techniques but is authorised, harmless and measured. No malware is delivered, no genuine credentials are stolen, and the only outcome recorded is the action each employee took, which is then used to guide supportive training.

Should we name employees who fail a phishing simulation?

No. Naming and shaming damages trust and discourages reporting, which is the behaviour you most want to encourage. Good practice is to report results at team and organisation level, provide brief education to anyone who clicks, and focus leadership reporting on overall resilience rather than individual blame.

How often should we run a phishing simulation?

A single test gives you a useful baseline, but resilience is built through repetition. Most UK organisations run a recurring programme, typically quarterly, with varied scenarios. This lets you track the ratio of reporters to clickers over time and confirm that training is genuinely changing behaviour rather than fading after one round.

How much does a phishing simulation cost?

A standalone phishing simulation is a small, well-bounded engagement, while combining it with wider testing adds tester days. All work is delivered by senior and principal testers at a typical UK day rate of around £1,200 to £1,300, with price driven by scope. See our penetration testing cost guide for how scope translates into budget, and request a fixed-price quote for an exact figure.

Test your human defences with confidence

If you want to know how your people would respond to a realistic phishing attack, a properly scoped simulation is the safest way to find out before a criminal does. Our CREST-certified testers will design an exercise that improves resilience without undermining trust. Request a fixed-price quote through our CREST penetration testing quote form, or read more about how we run a controlled phishing assessment.
