A Single Phish Email Cost One Company $37 Million

In 2024, Orion SA disclosed that a single employee fell for a business email compromise scheme and wired approximately $60 million to a threat actor's accounts. The company recovered some funds, but the net loss still exceeded $37 million. One email. One click. One person who wasn't trained to spot the phish.

If you think your organization is too small, too savvy, or too well-protected for this to happen, I've got bad news. The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element — phishing, social engineering, credential theft, or simple mistakes. Attackers don't need to defeat your firewall. They just need one person to take the bait.

This post is a practical guide to running phishing simulations inside your own organization — the right way. I'll walk you through why you should phish your own people, how to set it up without destroying trust, what metrics actually matter, and how to turn results into lasting behavior change.

Why Threat Actors Still Phish in 2026

Every year, someone predicts the end of phishing. And every year, phishing volumes go up. The FBI's Internet Crime Complaint Center (IC3) has consistently ranked phishing and its variants as the most reported cybercrime category, with hundreds of thousands of complaints annually.

The reason is simple economics. A phish campaign costs almost nothing to launch, scales at near-zero marginal cost, and only needs a tiny success rate to pay off. Credential theft through phishing gives attackers a legitimate login — no malware, no exploit, no alarm bells from your endpoint protection.

Phishing Has Evolved Beyond the Obvious

The days of the Nigerian prince email are long gone. Modern phishing uses AI-generated text, cloned login pages with valid HTTPS certificates, and deeply personalized pretexts scraped from LinkedIn and corporate websites. I've seen campaigns that mimic internal HR portals down to the pixel, complete with the target's manager's name in the signature line.

Attackers also exploit urgency. A message about a payroll error, a failed MFA prompt, or a shared document from the CEO — these all create emotional pressure that bypasses rational thinking. That's social engineering at its core.

What Does It Mean to Phish Your Own Employees?

A phishing simulation is a controlled, authorized test where your organization sends fake phishing emails to employees to measure who clicks, who reports, and who enters credentials. It's the cybersecurity equivalent of a fire drill.

When done correctly, a phishing simulation tells you exactly where your human vulnerabilities are — by department, by role, by seniority. It's the single most actionable metric in security awareness. No amount of policy documents or annual compliance videos gives you this level of insight.

Simulations Are Not Gotcha Moments

I want to be direct about this because I've watched organizations get it catastrophically wrong. If you phish your employees and then publicly shame the people who fail, you've just destroyed your security culture. People will stop reporting suspicious emails because they're afraid of punishment. That's the opposite of what you want.

The goal of a phishing simulation is education, not humiliation. Every failed simulation should immediately redirect the employee to a brief training module that explains exactly what they missed and how to spot it next time.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's Cost of a Data Breach Report in 2024 pegged the global average cost of a data breach at $4.88 million. Phishing was among the most common initial attack vectors. Organizations with security awareness training programs and incident response plans consistently showed lower breach costs — sometimes by over a million dollars.

That's not a soft, theoretical benefit. That's a measurable reduction in financial exposure. When your board asks what the ROI of security awareness is, that's your number.

Investing in phishing awareness training for your organization isn't just a compliance checkbox. It's a direct countermeasure against the most prevalent attack vector in cybersecurity.

How to Run a Phishing Simulation That Actually Works

Here's the step-by-step process I recommend to organizations of every size. You don't need a massive budget. You need a plan and consistency.

Step 1: Get Executive Buy-In First

Before you send a single simulated phish, you need written authorization from leadership. This protects you legally and operationally. I've seen IT managers launch simulations without telling the CEO, who then panicked and called the incident response team. Not a good look.

Frame it as a risk reduction exercise. Show leadership the Verizon DBIR data. Explain that you're testing processes, not punishing people.

Step 2: Baseline Without Warning

Your first simulation should be unannounced. This gives you a true baseline click rate. Industry averages for first-time simulations typically land between 20% and 35% — meaning roughly a quarter to a third of your workforce will click a well-crafted phish on the first try.

Don't panic at that number. That's normal. That's why you're doing this.

Step 3: Use Realistic Scenarios

Your simulated phish emails should reflect real threats your organization faces. Generic templates are fine for a start, but the real value comes from scenarios tailored to your industry and your internal processes. Consider these categories:

  • Credential harvesting: Fake login pages for Microsoft 365, Google Workspace, or your VPN portal.
  • Business email compromise: Spoofed messages from executives requesting wire transfers or sensitive data.
  • Delivery notifications: Fake package tracking or invoice emails with malicious links.
  • IT support pretexts: Password reset requests, MFA enrollment prompts, or security alerts.

Rotate scenarios every simulation. Attackers don't use the same template twice, and neither should you.

Step 4: Measure What Matters

Track these metrics per simulation, per department, and over time:

  • Click rate: Percentage of recipients who clicked the link.
  • Credential submission rate: Percentage who actually entered a username and password. This is the critical number.
  • Report rate: Percentage who used the "Report Phishing" button or forwarded to IT. This is the number you want to increase.
  • Time to first click: How quickly the first person clicked. Shorter times indicate higher impulsivity and lower scrutiny.

A good program sees click rates drop below 5% within three to four quarterly simulations. Report rates should climb above 60%.
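As an added example (not code from this post or from any simulation platform it names), the Python script below computes the four Step 4 metrics from a constructed event export, per department and as an overall roll-up. It deduplicates repeated clicks per recipient, counts a click-then-report as both a click and a report, and flags departments that miss the post's 5% click-rate and 60% report-rate targets. The event format, departments and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events for one simulation round (not real data).
# Each row: (recipient, department, event type, ISO-8601 timestamp).
# Event types: "delivered", "clicked", "submitted", "reported".
SAMPLE_EVENTS = [
    ("alice@example.test", "Finance",     "delivered", "2026-01-14T09:00:00"),
    ("alice@example.test", "Finance",     "clicked",   "2026-01-14T09:02:10"),
    ("alice@example.test", "Finance",     "submitted", "2026-01-14T09:02:40"),
    ("bob@example.test",   "Finance",     "delivered", "2026-01-14T09:00:00"),
    ("bob@example.test",   "Finance",     "reported",  "2026-01-14T09:05:00"),
    ("carol@example.test", "Finance",     "delivered", "2026-01-14T09:00:00"),
    ("carol@example.test", "Finance",     "clicked",   "2026-01-14T09:01:05"),
    ("carol@example.test", "Finance",     "reported",  "2026-01-14T09:03:00"),  # clicked, then reported
    ("dave@example.test",  "Engineering", "delivered", "2026-01-14T09:00:00"),
    ("dave@example.test",  "Engineering", "reported",  "2026-01-14T09:10:00"),
    ("erin@example.test",  "Engineering", "delivered", "2026-01-14T09:00:00"),
    ("frank@example.test", "Engineering", "delivered", "2026-01-14T09:00:00"),
    ("frank@example.test", "Engineering", "clicked",   "2026-01-14T09:30:00"),
    ("frank@example.test", "Engineering", "clicked",   "2026-01-14T09:31:00"),  # duplicate click, counted once
]

CLICK_RATE_TARGET = 5.0    # percent: the post's "below 5%" goal
REPORT_RATE_TARGET = 60.0  # percent: the post's "above 60%" goal


def _rate(count, total):
    """Percentage rounded to one decimal; 0.0 when nobody was targeted."""
    return round(100.0 * count / total, 1) if total else 0.0


def _summarise(per_recipient, delivered_at, first_click_at):
    """Build one metrics row from {recipient -> set of event types}."""
    total = sum(1 for kinds in per_recipient.values() if "delivered" in kinds)
    clicked = sum(1 for kinds in per_recipient.values() if "clicked" in kinds)
    submitted = sum(1 for kinds in per_recipient.values() if "submitted" in kinds)
    reported = sum(1 for kinds in per_recipient.values() if "reported" in kinds)
    ttfc = None
    if delivered_at is not None and first_click_at is not None:
        ttfc = int((first_click_at - delivered_at).total_seconds())
    return {
        "recipients": total,
        "click_rate": _rate(clicked, total),
        "credential_submission_rate": _rate(submitted, total),
        "report_rate": _rate(reported, total),
        "time_to_first_click_s": ttfc,  # None if nobody clicked
    }


def compute_metrics(events):
    """Per-department metrics plus an "ALL" roll-up, one vote per recipient."""
    per_dept = defaultdict(lambda: defaultdict(set))  # dept -> recipient -> {event types}
    delivered_at = {}    # dept -> earliest delivery time
    first_click_at = {}  # dept -> earliest click time
    for recipient, dept, kind, ts in events:
        when = datetime.fromisoformat(ts)
        per_dept[dept][recipient].add(kind)
        if kind == "delivered":
            delivered_at[dept] = min(delivered_at.get(dept, when), when)
        elif kind == "clicked":
            first_click_at[dept] = min(first_click_at.get(dept, when), when)

    results = {}
    everyone = {}  # recipient -> {event types}, merged across departments
    for dept, recipients in per_dept.items():
        results[dept] = _summarise(recipients, delivered_at.get(dept), first_click_at.get(dept))
        for recipient, kinds in recipients.items():
            everyone.setdefault(recipient, set()).update(kinds)
    results["ALL"] = _summarise(
        everyone,
        min(delivered_at.values()) if delivered_at else None,
        min(first_click_at.values()) if first_click_at else None,
    )
    return results


def needs_attention(metrics):
    """Departments that miss either target; these get the next round of targeted training."""
    return sorted(
        dept for dept, row in metrics.items()
        if dept != "ALL"
        and (row["click_rate"] > CLICK_RATE_TARGET or row["report_rate"] < REPORT_RATE_TARGET)
    )


if __name__ == "__main__":
    metrics = compute_metrics(SAMPLE_EVENTS)
    for dept, row in metrics.items():
        print(f"{dept:12s} {row}")
    print("needs attention:", needs_attention(metrics))
```

Run the script as-is to see the per-department rows; in practice you would replace SAMPLE_EVENTS with the event export from whatever simulation tool you use, and keep the per-recipient sets rather than raw event counts so a double-click or a click followed by a report is measured the way the post defines each metric.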

Step 5: Train Immediately After Failure

Anyone who clicks or submits credentials should be redirected to a short, specific training module within seconds. This is called "teachable moment" training, and it works because the lesson is tied to an emotional experience — the realization that they just got caught.

For organization-wide training that goes deeper than a single module, I recommend enrolling your team in cybersecurity awareness training that covers phishing, social engineering, credential theft, ransomware, and more.

Step 6: Repeat Quarterly at Minimum

One simulation per year is theater. Threat actors phish your employees every single day. Quarterly simulations with varied difficulty levels keep awareness sharp. Monthly is better if your organization can handle the operational load.

Phishing Simulations and Zero Trust: They Work Together

If you're building a zero trust architecture — and in 2026, you should be — phishing simulations are a critical complementary layer. Zero trust assumes breach and verifies every access request. Multi-factor authentication reduces the impact of credential theft. But MFA isn't bulletproof. Adversary-in-the-middle (AiTM) phishing kits proxy the real login page, relay a one-time code while it is still valid, and capture the resulting session cookie, so only phishing-resistant MFA holds up against them.

That's why CISA has repeatedly emphasized that technical controls and human awareness must work together. Their cybersecurity best practices guidance highlights phishing-resistant MFA alongside user training as essential defenses.

Your zero trust policy catches the credential theft after it happens. Your phishing simulation program prevents it from happening in the first place.

What Happens When You Don't Phish Your Own People

I've consulted with organizations that considered phishing simulations "too aggressive" or "bad for morale." In more than one case, they suffered a real phishing-driven breach within the following year. One mid-sized manufacturer lost access to their entire file server environment for two weeks due to ransomware deployed through a phishing email that a single accounts payable clerk clicked.

The employees weren't stupid. They were untested. Nobody had ever shown them what a modern phish looks like. Nobody had ever given them a safe environment to fail, learn, and build pattern recognition.

That's what simulations provide — the chance to fail safely before failing catastrophically.

How Often Should You Phish Your Employees?

At minimum, run phishing simulations quarterly. Organizations in high-risk sectors — financial services, healthcare, government contractors — should run them monthly. Vary the difficulty: start with obvious red flags, then escalate to sophisticated pretexts that mirror real advanced persistent threats.

Between simulations, reinforce learning with short, targeted content. A two-minute video on spotting URL manipulation. A weekly Slack tip on verifying sender domains. These micro-lessons compound over time.

Building a Culture Where People Report, Not Hide

The single most important outcome of a phishing simulation program isn't a low click rate. It's a high report rate. If your employees see something suspicious and immediately flag it, your security team gets early warning. That early warning can be the difference between a contained incident and a full-scale data breach.

To build this culture:

  • Make reporting easy. Deploy a one-click "Report Phish" button in every email client.
  • Celebrate reporters. Publicly thank people who report simulations. Some organizations give small rewards.
  • Never punish failure on simulations. Redirect to training. That's it. Punishment drives underreporting.
  • Share results transparently. Tell the organization what the click rate was. Make improvement a team effort.

Your Next Step: Start This Week

You don't need months of planning to begin. Pick a realistic phishing scenario, define your audience, set up a landing page that captures clicks without actually harvesting credentials, and send it. Measure the results. Train the clickers. Repeat.

If you want a structured program to pair with your simulations, explore the phishing awareness training at phishing.computersecurity.us for simulation-ready content, or start with the broader cybersecurity awareness training at computersecurity.us to build a foundation across your entire workforce.

Attackers are going to phish your employees. The only question is whether your team recognizes the attack — or funds the attacker's next campaign.