Introduction
Phishing simulations are often treated as a simple, one-off test. Send an email, see who clicks, measure the results. But in reality, they tell you a lot more than that.
When you run them regularly, patterns start to appear. Not just in who clicks, but in how people make decisions, how they respond under pressure, and where risk actually shows up in day-to-day work.
We’ve run plenty of penetration tests, both internally and for clients, so we thought we’d share some of the key lessons that tend to come out of phishing simulations.
The short answer is…
Most IT environments don’t need replacing, they need refining. Businesses often already have the tools they need, but they’re underused or misaligned. Small, targeted changes can improve security, reduce complexity, and increase efficiency without major disruption.
#1 It’s not always about awareness
Most people know what a phishing email is. They’ve had training, they’ve seen examples, and they’re generally aware that these threats exist. But that doesn’t always carry through into the moment when an email lands in their inbox.
Phishing simulations consistently show that awareness alone isn’t enough. Decisions are often shaped by timing, context, and how convincing something feels at a glance. Knowing a threat exists is not the same as being able to deal with it in the moment.
#2 Context matters
The emails that perform best aren’t always the most sophisticated, and that’s true in both simulations and actual attacks. The most effective ones are the ones that feel relevant.
Emails about internal processes, deliveries, password resets, or something that aligns with the person’s role tend to perform far more effectively than generic “suspicious” examples.
It’s not always about how sophisticated the attack is. It’s about how believable it feels in that moment.
#3 Your staff move quickly
One consistent pattern is how quickly decisions are made.
Emails are opened, scanned, and acted on in seconds. There isn’t always time for a detailed check, especially when someone is focused on their workload.
Phishing simulations highlight how often decisions are based on instinct rather than careful review. That’s important to understand, because real attacks rely on exactly that behaviour.
#4 Workarounds and habits influence outcomes
How your people typically work plays a big role in the effectiveness of an attack.
If someone is used to clicking links to access systems, they’re more likely to do it again. If they regularly deal with external emails or requests, they’re more likely to trust something that looks familiar. If they’re regularly asked to break process to get something over the line, they’ll break those processes for a phishing attack too.
Phishing results often reflect existing habits rather than isolated mistakes.
#5 Reporting is just as important as avoiding
Click rates tend to get most of the attention, but reporting behaviour is just as important.
How quickly do your people flag a suspected phishing attempt? Do they report it at all or just ignore it? Do they know how to report it and are they confident enough to do so?
A strong reporting culture can significantly reduce the impact of an attack, even if someone does interact with it initially.
#6 One-off tests don’t tell the full story
A single phishing simulation gives you a snapshot, but running them regularly shows trends.
You can see:
- whether behaviour is changing
- whether certain risks are reducing
- whether training is having an impact
Over time, that gives a much clearer picture of where attention is needed.
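The two points above (reporting matters as much as clicking, and only repeated simulations show a trend) come down to tracking a handful of numbers per campaign and comparing them over time. The following is an added example, not code from the original post or from Novem; it assumes a simple record per recipient per campaign (whether and when they clicked, whether and when they reported) and computes click rate, report rate, time to first report, and how those move between two campaigns. The sample data is constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional

# Constructed sample data (not from the page): one row per recipient per campaign.
# Times are seconds after the simulated email was delivered; None means the
# event never happened.
@dataclass(frozen=True)
class Recipient:
    campaign: str
    clicked_at: Optional[int]
    reported_at: Optional[int]

SAMPLE = [
    # Q1: many clicks, little and slow reporting
    Recipient("Q1", 40, None), Recipient("Q1", 120, None), Recipient("Q1", None, None),
    Recipient("Q1", 15, 900), Recipient("Q1", None, 3600), Recipient("Q1", 60, None),
    # Q2: fewer clicks, more and faster reporting
    Recipient("Q2", None, 300), Recipient("Q2", 90, None), Recipient("Q2", None, 120),
    Recipient("Q2", None, None), Recipient("Q2", 30, 200), Recipient("Q2", None, 45),
]

@dataclass(frozen=True)
class CampaignMetrics:
    sent: int
    click_rate: float
    report_rate: float
    time_to_first_report: Optional[int]       # how soon the first report arrives (the point at which a response can start)
    median_time_to_report: Optional[float]
    reported_without_clicking: int            # people who spotted it cold, without interacting first

def summarise(records, campaign: str) -> CampaignMetrics:
    """Compute the per-campaign numbers worth tracking over time."""
    rows = [r for r in records if r.campaign == campaign]
    if not rows:
        raise ValueError(f"no records for campaign {campaign!r}")
    sent = len(rows)
    clicks = sum(1 for r in rows if r.clicked_at is not None)
    report_times = sorted(r.reported_at for r in rows if r.reported_at is not None)
    return CampaignMetrics(
        sent=sent,
        click_rate=clicks / sent,
        report_rate=len(report_times) / sent,
        time_to_first_report=report_times[0] if report_times else None,
        median_time_to_report=median(report_times) if report_times else None,
        reported_without_clicking=sum(
            1 for r in rows if r.reported_at is not None and r.clicked_at is None
        ),
    )

def trend(records, earlier: str, later: str) -> dict:
    """Compare two campaigns: negative click change and positive report change are the direction you want."""
    a, b = summarise(records, earlier), summarise(records, later)
    both_reported = a.time_to_first_report is not None and b.time_to_first_report is not None
    return {
        "click_rate_change": b.click_rate - a.click_rate,
        "report_rate_change": b.report_rate - a.report_rate,
        "first_report_faster": both_reported and b.time_to_first_report < a.time_to_first_report,
    }

if __name__ == "__main__":
    for name in ("Q1", "Q2"):
        print(name, summarise(SAMPLE, name))
    print(trend(SAMPLE, "Q1", "Q2"))
```

Tracking `time_to_first_report` alongside the click rate is what makes the reporting point measurable: a campaign where 30% click but someone reports within a minute gives the security team a far better position than one where 10% click and nobody says anything.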
In conclusion
Phishing simulations aren’t just a way of testing users. They offer insight into how people actually work, how decisions are made, and where risk shows up in practice.
Used in the right way, they help shift the focus from individual mistakes to understanding behaviour more broadly. That’s where they become most valuable.
At Novem, we use Virtual Penetration Testing to run phishing simulations alongside wider security testing. This gives a clearer view of both technical vulnerabilities and how users interact with potential threats, helping businesses understand where improvements will make the biggest difference.
FAQ
What is a phishing simulation?
A controlled test where realistic phishing emails are sent to users to understand how they respond.
Why are phishing simulations useful?
They highlight real behaviour, not just theoretical awareness, showing how people react under pressure.
Does training stop people from clicking?
Not entirely. Awareness helps, but decisions are often influenced by context, timing, and workload.
What should businesses focus on after a simulation?
Patterns in behaviour, reporting rates, and where people are more likely to take risks.
Is clicking always the main concern?
No. Reporting suspicious activity quickly is just as important as avoiding the click.