The most well-meaning phishing simulation program we have audited in 2026 was producing single-digit click rates, glowing quarterly reports to the board, and — in the same period — a 47 percent click rate when an actual phishing crew targeted the organization. The simulation program was, in technical terms, working perfectly. It was also measuring the wrong thing. The exercise of resisting a corporate phishing test — generic in tone, sent at predictable cadence, themed around topics employees had been trained to expect — had nothing in common with resisting a targeted, well-researched, time-pressure campaign. The program had become a compliance ritual rather than a defense.
Phishing simulation, run well, is one of the most useful disciplines a security program can sustain. Run as a checkbox, it produces false confidence and worse outcomes than no simulation at all. The Verizon DBIR has consistently flagged phishing as the dominant initial-access vector. The Microsoft Digital Defense Report tracks the steady professionalization of phishing operations. CISA has issued repeated guidance noting that simulated-phishing click rates do not predict real-world resilience unless the simulations actually reflect attacker tradecraft.
This brief is written for security leaders, CISOs, and executives whose phishing simulation program is producing reports the board likes and outcomes the responder team does not. We will walk through three engagements, the patterns that connect them, and the redesigned simulation discipline that actually moves the needle.
Why Most Phishing Simulation Programs Quietly Fail
The structural reason most simulation programs fail is that they optimize for click-rate metrics rather than for resilience. The vendor’s monthly campaign sends a generic phishing template to ten thousand users; the click rate is reported up; the trend looks favorable; the board nods; the program continues. But click rate on a generic template is a measure of how well employees recognize a generic template, not of how well they recognize the actual phishing they receive. The actual attackers, meanwhile, have moved on — their campaigns are targeted, contextual, and often built from public information about the specific employee. Mandiant’s M-Trends has documented this asymmetry repeatedly.
“A phishing simulation program that produces a five percent click rate against a generic template tells you almost nothing about how the company would perform against a targeted spear-phishing campaign. The two are different muscles.”
Senior security awareness practitioner, iSECTECH engagement notes
Three Engagements That Defined Our Phishing Simulation Playbook
Engagement One: The 3% Simulation Rate That Hid a 47% Real-World Click Rate
The anchor engagement involved a financial-services firm whose simulation program produced a 3 percent click rate across the prior year. The CISO presented the trend to the audit committee with appropriate confidence. Six weeks later, the firm was hit by a targeted credential-harvesting campaign that referenced a recent earnings call, used the actual CFO’s writing style, and arrived at the moment a quarterly close was completing. Forty-seven percent of finance-team employees clicked. Twelve provided credentials. Four of those credentials were active for privileged access. The post-mortem produced the conclusion that anchored our redesigned playbook: the simulation program had been training employees to recognize the wrong patterns.
Engagement Two: The Healthcare Provider Whose Simulation Vendor Reused Templates Across Industries
The second engagement involved a healthcare provider whose simulation vendor was using the same template library for every customer in every industry. Employees who had received the same templates in their previous job were unsurprised to receive them again. The simulation results showed near-zero click rates because employees had memorized the templates. The actual phishing the organization received bore no resemblance to the templates. We helped the security team commission a custom simulation campaign that drew on the organization’s real employee directory, real internal terminology, and recent organizational events. The first run produced a 31 percent click rate — a useful, honest baseline rather than the prior aspirational fiction.
Engagement Three: The Consulting Firm That Punished Clickers Until No One Reported Suspicious Email
The third engagement is the human-system variant. A consulting firm had implemented a punishment-based phishing program: employees who clicked simulated phishing were enrolled in mandatory remedial training, and repeat clickers were referred to HR. The simulation click rate dropped beautifully. The reporting rate — the rate at which employees forwarded genuine suspicious email to security — also dropped, because employees had learned that engaging with security tooling carried personal risk. When a real campaign hit the firm six months later, no one reported it for three days. The program had improved its dashboard while degrading its actual defense. We helped the firm redesign the program around recognition and reporting rather than punishment.
The Five Principles That Define a Phishing Simulation Program That Works
The programs that produce real defensive value share five principles. The first is realistic content: simulations draw on real organizational context, real attacker tradecraft, and real time-pressure cues. The second is graduated difficulty: the campaign mix includes generic templates (low difficulty), industry-themed templates (medium), and targeted spear-phishing (high). The third is reporting as the primary metric: the question that matters is not “what percent clicked” but “what percent reported the suspicious email to security.” The fourth is no-blame culture: clickers are coached, not punished. The fifth is alignment with real campaigns: when actual phishing hits the organization, the patterns are added to the simulation library so the workforce learns from real-world signals.
“The most useful number a phishing simulation program produces is the reporting rate. The click rate tells you what the program looks like. The reporting rate tells you whether the program works.”
iSECTECH security awareness review summary
Why the Reporting Rate Matters More Than the Click Rate
The shift from click-rate optimization to reporting-rate optimization is the single most important architectural choice a security awareness program can make. A workforce that reports suspicious email at high rates produces an early-warning system that no amount of automated detection can replicate. The first employee who reports the campaign is, in real terms, the most valuable detection asset the organization has that hour. Forrester research on security awareness has reinforced this pattern repeatedly: the organizations with the lowest phishing-related incident rates are the ones whose reporting rates are highest, often regardless of the simulation click rate.
“The first employee to report the phishing campaign is more valuable than the last employee to click it. Programs that understand this design themselves around reporting; programs that do not, optimize for the wrong metric.”
Theresa Payton, former White House CIO, public commentary on awareness programs
What Boards Should Demand This Quarter
The most useful question a board can ask the CISO this quarter: “What is our reporting rate, and how does it compare to our click rate?” A high reporting rate against a moderate click rate is a healthy program. A low click rate paired with a low reporting rate is the signature of a program optimizing for compliance optics. The boards that handle this well also ask whether the simulation library reflects the actual campaigns the organization has received in the past quarter. If it does not, the program is testing for the wrong threat.
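The board question above, answered from a campaign's own records and keyed on the reporting rate rather than the click rate (the metric the five principles and the previous section argue for), as an added example that is not iSECTECH's tooling: the record layout, campaign names, difficulty labels, thresholds and sample figures are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Recipient:
    """One simulated-phishing recipient (constructed record layout, an assumption)."""
    campaign: str
    clicked: bool
    submitted: bool             # entered credentials on the landing page
    reported_at: Optional[int]  # minutes after send when reported to security, else None
# Difficulty tiers follow the brief's graduated mix; campaign names are constructed.
TIERS = {"generic-template": "low", "quarter-close-cfo": "high"}
# Thresholds are illustrative assumptions, not figures from the brief.
HEALTHY_REPORT_RATE = 0.30
LOW_RATE = 0.10
def _build(campaign, n, clicks, submits, report_minutes):
    """Constructed sample: first `clicks` recipients click, first `submits` of those
    also hand over credentials, and the last len(report_minutes) report it."""
    rows = []
    for i in range(n):
        j = n - 1 - i  # position counted from the end, used for reporters
        rep = report_minutes[j] if j < len(report_minutes) else None
        rows.append(Recipient(campaign, i < clicks, i < submits, rep))
    return rows

SAMPLE = (_build("generic-template", 40, 2, 0, [55, 240])
          + _build("quarter-close-cfo", 40, 12, 4,
                   [4, 9, 11, 15, 22, 30, 31, 48, 60, 75, 90, 120, 130, 150]))

def score(records, campaign):
    """Return the numbers the brief asks for; the assessment keys on reporting rate."""
    rows = [r for r in records if r.campaign == campaign]
    n = len(rows)
    reports = sorted(r.reported_at for r in rows if r.reported_at is not None)
    m = {
        "tier": TIERS.get(campaign, "unknown"),
        "delivered": n,
        "click_rate": sum(r.clicked for r in rows) / n,
        "credential_rate": sum(r.submitted for r in rows) / n,
        "report_rate": len(reports) / n,
        "minutes_to_first_report": reports[0] if reports else None,
    }
    if m["report_rate"] >= HEALTHY_REPORT_RATE:
        m["assessment"] = "healthy: the workforce is acting as an early-warning sensor"
    elif m["click_rate"] < LOW_RATE and m["report_rate"] < LOW_RATE:
        m["assessment"] = "compliance optics: few clicks, but almost no one reports"
    else:
        m["assessment"] = "needs work: coach on recognition and reporting, not on clicks"
    return m
```

Run `score(SAMPLE, c)` for each campaign in `TIERS`: the generic template scores as compliance optics on a 5 percent click rate, while the targeted campaign scores as healthy despite a 30 percent click rate because 35 percent reported and the first report landed four minutes after send.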
How This Connects to the Rest of Your Security Program
Phishing simulation interacts with every other discipline. The CEO deepfake patterns we covered in our CEO deepfake fraud playbook share the same human-decision threat model. The MFA fatigue compromises we discussed in our MFA fatigue brief usually begin with a successful phishing campaign. And the executive dark-web exposure we covered in our executive dark-web audit brief is often the source of the personal context attackers use in spear-phishing.
What to Do This Week
Three actions before Friday. First, ask your security awareness team to produce both your simulation click rate and your reporting rate for the past quarter, side by side. Second, review the most recent five real phishing campaigns the organization received and ask whether any of those patterns appear in your simulation library. Third, review your program’s escalation path for clickers and confirm that it produces coaching rather than punishment. Authoritative external references include the Verizon DBIR, CISA phishing advisories, and the Microsoft Digital Defense Report.
Talk to a Senior Security Awareness Practitioner
If your phishing simulation program is producing reports the board likes and outcomes the responder team does not, that gap is worth closing this quarter. iSECTECH’s senior practitioners run security awareness audits that quantify the gap between simulation performance and real-world resilience. Book a confidential security awareness review with our senior team.
Why AI-Generated Phishing Has Reset the Difficulty Floor
The arrival of high-quality generative AI has reset the difficulty floor for phishing in a way most simulation libraries have not yet caught up to. The grammatical errors, awkward translations, and generic salutations that defined phishing detection training for two decades have largely disappeared. A 2026 phishing email written by a competent attacker with generative tooling is indistinguishable, in writing quality, from internal corporate correspondence. The training muscle that taught employees to look for spelling errors no longer applies. The new muscle — questioning the legitimacy of urgent requests regardless of writing quality, verifying through a known channel, refusing to act on unexpected financial or credential prompts — has to be built deliberately. The simulation programs that produce real-world resilience in 2026 reflect this shift in their content and in their coaching language.
The Quiet Power of an Easy Reporting Button
One of the highest-leverage interventions a security awareness program can make has nothing to do with content. It is the deployment of a one-click reporting button in every employee’s email client. The button must be unmissable, the action must be frictionless, and the response must be acknowledgment rather than silence. Programs that combine an easy reporting button with prompt acknowledgment of every reported message see reporting rates rise from single digits to thirty or forty percent within a quarter. The cultural signal is what produces the lift: employees report when they believe their reports will be read and that no harm comes from a false positive. The technical work to deploy the button is usually a matter of days. The cultural work to honor it is the longer effort.
Continue Reading: Week 4 Field Notes
Our Week 4 briefs extend the human-system conversation: why the most damaging insider cases are rarely malicious, a senior practitioner Sunday letter on cyber risk appetite, and why most AI security findings are mundane access-control failures.
