What a Phish Setlist Is — And Why Your Security Team Needs One

In March 2024, a mid-size accounting firm lost $2.1 million after an employee clicked a single phishing email disguised as a DocuSign request during tax season. The firm had no phishing simulation program. No playbook. No plan. They were improvising their defense against threat actors who absolutely were not.

If you've ever seen the jam band Phish perform live, you know every show has a carefully crafted setlist — a deliberate sequence of songs chosen to build energy, test the audience, and keep things unpredictable. A phish setlist in cybersecurity borrows that same concept. It's your planned rotation of phishing simulation scenarios, sequenced strategically to train employees against real-world social engineering tactics.

This isn't about checking a compliance box. It's about building a living, breathing program that evolves as threat actors evolve. I've built these programs for organizations ranging from 50-person startups to enterprises with thousands of employees. Here's exactly how to do it right.

Why Improvising Your Phishing Program Fails Every Time

The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a human element — phishing, pretexting, credential theft, or simple mistakes. That number has barely budged in years. The reason? Most organizations treat phishing awareness like a one-and-done annual training instead of an ongoing campaign.

I've seen security teams send the same generic "You've won a gift card" simulation every quarter and wonder why click rates stay at 25%. That's like a band playing the same three songs at every concert and expecting the crowd to stay engaged. It doesn't work.

A structured phish setlist solves this by giving your program variety, escalation, and measurable progression. You plan scenarios in advance. You rotate tactics. You increase difficulty over time. You track who clicks, who reports, and who improves.

The Anatomy of an Effective Phish Setlist

Start With Your Threat Landscape

Before you write a single simulation email, audit what's actually hitting your organization. Pull data from your email gateway, your SIEM, and the FBI's Internet Crime Complaint Center (IC3) annual report. In 2023, IC3 reported over $2.9 billion in losses from business email compromise alone. That tells you BEC scenarios belong near the top of your setlist.

Map the real phishing emails your employees have received in the past six months. Categorize them: credential harvesting, malware delivery, invoice fraud, CEO impersonation, IT helpdesk spoofing. This is your raw material.

Build Tiers of Difficulty

Every good phish setlist has a difficulty curve. Here's the framework I use:

  • Tier 1 — Obvious: Misspelled sender domains, generic greetings, suspicious attachments. These establish a baseline click rate and give new employees early wins.
  • Tier 2 — Realistic: Spoofed internal domains, timely pretexts (open enrollment, password resets, shipping notifications), branded templates that mirror real services like Microsoft 365 or Slack.
  • Tier 3 — Advanced: Spear phishing using publicly available information from LinkedIn or company websites. CEO impersonation with urgent wire transfer requests. Thread hijacking simulations where the phish appears as a reply in an existing email chain.
  • Tier 4 — Red Team: Multi-channel attacks combining email with voicemail (vishing) or SMS (smishing). These test whether employees recognize social engineering regardless of the delivery channel.

You don't start at Tier 4. You earn your way there. Run Tier 1 scenarios for the first month, then escalate. A phish setlist without escalation is just noise.

Sequence and Timing Matter

Don't send simulations on a predictable schedule. Threat actors don't attack on the second Tuesday of every month. Vary your timing. Send some during Monday morning inbox overload. Send others at 4:45 PM on a Friday when defenses are down.

I typically plan a 12-month phish setlist with one simulation per month for the general workforce and two per month for high-risk departments — finance, HR, and executive assistants. These roles face disproportionate targeting from business email compromise and credential theft campaigns.

What Scenarios Belong on Your Phish Setlist in 2024

Based on current threat intelligence, here are the scenarios I'm running this year and recommending to every organization I advise:

  • Microsoft 365 credential harvest: A fake "Your session has expired" email linking to a cloned login page. This remains the single most common phishing template in the wild.
  • Multi-factor authentication fatigue: A simulation that tests whether employees accept unexpected MFA push notifications. The 2022 Uber breach proved this technique works against even sophisticated organizations.
  • HR benefits enrollment: Timed to coincide with your actual open enrollment period. Threat actors know your calendar.
  • IT password reset: Spoofed helpdesk email asking employees to "verify" credentials via a link. Simple, devastating, and still effective.
  • Vendor invoice redirect: A spoofed email from a known vendor asking to update payment information. This directly mirrors BEC tactics that cost organizations billions annually.
  • Ransomware delivery pretext: A fake shared document from a colleague. The goal is to test whether employees open unexpected attachments without verification.
  • LinkedIn connection follow-up: A spear phishing email referencing a real LinkedIn connection and linking to a credential harvesting page. Tests awareness of social engineering using public data.
  • Smishing (SMS phishing): A text message claiming to be from the CEO asking for a quick favor. Tests cross-channel awareness beyond email.

That's eight scenarios — enough for a robust eight-month rotation before you start cycling in new variants.

How to Build a Phish Setlist: A Step-by-Step Framework

Step 1: Baseline Your Organization

Run one Tier 1 simulation with no prior announcement. Measure the click rate, the report rate, and the time-to-click. This is your honest starting point. Industry average click rates on phishing simulations hover around 17-20% according to multiple security awareness benchmarking reports. If you're above that, you have work to do.

Step 2: Define Success Metrics

Click rate alone is not enough. Track these four metrics for every simulation in your phish setlist:

  • Click-through rate: Who clicked the link or opened the attachment.
  • Credential submission rate: Who actually entered credentials on the phishing page. This is the real danger metric.
  • Report rate: Who used your phishing report button to flag the email. This is the metric that matters most long-term.
  • Time to report: How quickly did the first report come in? Speed kills phishing campaigns.

Step 3: Create Your 12-Month Calendar

Map one simulation per month. Assign a tier, a pretext, and a target audience to each. Here's a sample quarter:

  • Month 1: Tier 1 — Generic package delivery notification. All staff.
  • Month 2: Tier 2 — Microsoft 365 credential harvest. All staff.
  • Month 3: Tier 3 — CEO wire transfer request. Finance and executive assistants only.

Adjust based on results. If Month 1 shows a 30% click rate, don't jump to Tier 3. Add another Tier 1 or 2 scenario and provide immediate training to clickers.

Step 4: Deliver Immediate Training at the Moment of Failure

When someone clicks a simulated phish, redirect them immediately to a training page — not a shame page. Explain what they missed. Show them the red flags. That moment of failure is the most teachable moment you'll ever get.

Organizations looking for structured training to deploy at this exact moment should explore the cybersecurity awareness training program at computersecurity.us. It's designed for exactly this use case — reinforcing lessons when employees are most receptive.

Step 5: Brief Leadership Monthly

Your phish setlist produces data. Use it. Show leadership the click rate trends, the departments improving, and the ones that aren't. Tie it to risk in dollar terms. The IBM Cost of a Data Breach Report 2024 pegged the average breach cost at $4.88 million. That number gets executive attention fast.
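The five steps above come together in a scorecard. The following is an added worked example, not code from this article or from any platform it mentions: it takes a constructed recipient list and event log for the Month 1 send, computes the four Step 2 metrics per department and overall (counting unique people, not raw events), applies the Step 3 escalation rule, and produces the rows you would put in front of leadership in Step 5. Every name, timestamp and department is made up, and the 20% hold threshold is an assumption chosen to sit at the top of the 17-20% industry range quoted in Step 1.

```python
"""Simulation scorecard: the four Step 2 metrics plus the Step 3 escalation
decision, computed from a constructed event log (added example, not output
from any real platform)."""
from collections import defaultdict
from datetime import datetime

# Constructed record of one Tier 1 send; names, departments and times are made up.
CAMPAIGN = {
    "name": "Month 1 - package delivery notification",
    "tier": 1,
    "sent_at": "2024-03-04T08:55:00",
    "recipients": {
        "finance": ["alice", "bob", "greg"],
        "engineering": ["carol", "dave", "heidi"],
        "hr": ["erin", "frank", "ivan", "judy"],
    },
}

# Constructed event log: (timestamp, user, event). One user can appear more
# than once; erin clicked and then used the report button on the same email.
EVENTS = [
    ("2024-03-04T08:56:00", "frank", "reported"),
    ("2024-03-04T08:58:00", "bob", "reported"),
    ("2024-03-04T09:01:00", "alice", "clicked"),
    ("2024-03-04T09:02:00", "alice", "submitted"),
    ("2024-03-04T09:07:00", "dave", "reported"),
    ("2024-03-04T09:10:00", "ivan", "clicked"),
    ("2024-03-04T09:35:00", "carol", "reported"),
    ("2024-03-04T10:25:00", "erin", "clicked"),
    ("2024-03-04T10:30:00", "erin", "reported"),
    ("2024-03-04T11:00:00", "mallory", "clicked"),   # not a recipient: ignored
]

# Assumption: keep repeating the current tier while clicks are at or above this.
ESCALATION_THRESHOLD = 0.20
MAX_TIER = 4


def score(campaign, events):
    """Per-department and overall metrics for one simulation.

    Rates are unique users over recipients, so a user who clicked twice
    counts once, and a user who clicked and then reported counts in both
    the click rate and the report rate (the report still matters)."""
    sent_at = datetime.fromisoformat(campaign["sent_at"])
    recipients = campaign["recipients"]
    known = {u for users in recipients.values() for u in users}
    actions = defaultdict(set)   # user -> set of event names
    report_minutes = {}          # user -> minutes from send to first report
    for ts, user, event in events:
        if user not in known:
            continue             # stray event (wrong list, forwarded mail): skip
        actions[user].add(event)
        if event == "reported":
            minutes = (datetime.fromisoformat(ts) - sent_at).total_seconds() / 60
            report_minutes[user] = min(report_minutes.get(user, minutes), minutes)

    def group(users):
        n = len(users)

        def count(event):
            return sum(1 for u in users if event in actions.get(u, ()))

        times = [report_minutes[u] for u in users if u in report_minutes]
        return {
            "recipients": n,
            "click_rate": count("clicked") / n,
            "submission_rate": count("submitted") / n,
            "report_rate": count("reported") / n,
            "minutes_to_first_report": min(times) if times else None,
        }

    metrics = {dept: group(users) for dept, users in recipients.items()}
    metrics["all"] = group([u for users in recipients.values() for u in users])
    return metrics


def recommend_next_tier(current_tier, click_rate, threshold=ESCALATION_THRESHOLD):
    """Step 3 rule: a high click rate means another scenario at the same
    tier (plus training for the clickers), not a jump to the next one."""
    if click_rate >= threshold:
        return current_tier
    return min(current_tier + 1, MAX_TIER)


def scorecard(campaign, events):
    """Rows for the leadership brief: one per department plus the total."""
    rows = []
    for dept, m in score(campaign, events).items():
        rows.append({
            "audience": dept,
            "click_rate": m["click_rate"],
            "submission_rate": m["submission_rate"],
            "report_rate": m["report_rate"],
            "minutes_to_first_report": m["minutes_to_first_report"],
            "next_tier": recommend_next_tier(campaign["tier"], m["click_rate"]),
        })
    return rows


if __name__ == "__main__":
    print(CAMPAIGN["name"])
    for r in scorecard(CAMPAIGN, EVENTS):
        print(f"{r['audience']:<12} click {r['click_rate']:5.0%}  "
              f"submit {r['submission_rate']:5.0%}  report {r['report_rate']:5.0%}  "
              f"first report {r['minutes_to_first_report']} min  -> next tier {r['next_tier']}")
```

Two design choices are worth noting. A click followed by a report is counted in both columns rather than netted out, because the report is the behaviour you want reinforced. And the recommendation is made per audience: in this constructed data engineering earns Tier 2 while finance and HR, still above the threshold, repeat Tier 1, which is the segmentation the calendar in Step 3 asks for.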

The $4.88M Lesson Most Organizations Learn Too Late

Here's what actually happens when you don't have a phish setlist: nothing changes. Employees see the same lazy simulations, develop pattern recognition for your simulations only, and remain completely vulnerable to real attacks that look nothing like what you've been sending.

Meanwhile, threat actors are running their own setlists — constantly rotating pretexts, updating templates, and exploiting current events. The Cybersecurity and Infrastructure Security Agency (CISA) regularly publishes advisories on trending phishing techniques. If you're not incorporating those into your program, you're training for yesterday's threats.

A well-structured phishing simulation program with a documented phish setlist is the single most cost-effective security control you can implement. It directly reduces the human risk factor that's present in over two-thirds of all breaches.

What Is a Phish Setlist in Cybersecurity?

A phish setlist is a planned, sequenced rotation of phishing simulation scenarios used to train employees against social engineering attacks. It includes varying difficulty tiers, realistic pretexts based on current threat intelligence, defined success metrics, and a calendar for deployment. The goal is to systematically reduce click rates, increase phishing report rates, and build a security-aware culture through repetition and escalation — not random, one-off tests.

Scaling Your Phish Setlist With the Right Tools

You don't need a six-figure budget to run an effective program. What you need is consistency, realistic scenarios, and training that sticks.

For organizations building or upgrading their phishing simulation programs, the phishing awareness training platform at phishing.computersecurity.us provides structured scenarios and reporting designed for exactly this kind of setlist-based approach. It handles the mechanics so your security team can focus on strategy.

Pair simulation data with a zero trust architecture, enforce multi-factor authentication everywhere, and ensure your email gateway is tuned to catch the attacks your simulations are modeling. Defense in depth means your phish setlist isn't your only line of defense — it's the one that makes every other layer stronger.

Common Mistakes That Destroy Phishing Programs

Shaming Employees Who Click

I've watched entire phishing programs collapse because employees felt humiliated. They stopped reporting real phishing emails out of fear. Your phish setlist should build trust, not destroy it. Positive reinforcement for reporters. Private, constructive feedback for clickers.

Running the Same Scenario Twice in a Row

Employees talk. If you send the same fake FedEx email two months in a row, word spreads. Your click rate drops, but nobody actually learned anything. They just learned to avoid that specific email. Rotate your setlist.

Ignoring Departments With Different Risk Profiles

Your finance team faces different threats than your engineering team. A blanket phish setlist that sends everyone the same simulation ignores this reality. Segment your audience. Customize scenarios. An engineer should get a fake GitHub notification. A finance manager should get a spoofed vendor payment request.
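The mistakes just described are easy to catch before the first email goes out. Below is an added check, example code that is not from this article or from any product it mentions: it lints a constructed calendar in the (month, tier, pretext, audience) shape of the Step 3 plan and flags a pretext sent to the same audience two months running, a department that skips a tier instead of earning it, and a high-risk department that did not get its two sends in a month. The high-risk list (finance and HR; the article also names executive assistants, who are left out of this constructed plan), the one-tier-per-month rule and the plan contents are all assumptions.

```python
"""Setlist linter: checks a planned calendar for the mistakes this section
describes. Added example with a constructed plan; the rules and thresholds
are assumptions drawn from the article, not from any tool."""
from collections import defaultdict

# Assumption: the roles that get two simulations a month.
HIGH_RISK = ("finance", "hr")

# Constructed 5-month plan: (month, tier, pretext, audience). "all" reaches
# every department; a department name targets only that group. Departments
# that only ever receive "all" sends (e.g. engineering) are not represented.
SETLIST = [
    (1, 1, "package delivery notification", "all"),
    (1, 1, "IT password reset", "finance"),
    (1, 1, "IT password reset", "hr"),
    (2, 2, "Microsoft 365 credential harvest", "all"),
    (2, 2, "vendor invoice redirect", "finance"),
    (2, 2, "HR benefits enrollment", "hr"),
    (3, 2, "ransomware delivery pretext", "all"),
    (3, 3, "CEO wire transfer request", "finance"),
    (3, 4, "smishing CEO favor", "hr"),               # hr skips from Tier 2 to Tier 4
    (4, 2, "package delivery notification", "all"),
    (4, 3, "LinkedIn connection follow-up", "finance"),
    (4, 3, "MFA fatigue", "hr"),
    (5, 2, "package delivery notification", "all"),   # same all-staff pretext as month 4
    (5, 3, "vendor invoice redirect", "hr"),          # finance gets only the all-staff send
]


def validate(setlist, high_risk=HIGH_RISK, max_tier_step=1, min_high_risk_per_month=2):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    months = sorted({m for m, _, _, _ in setlist})
    departments = sorted({a for _, _, _, a in setlist if a != "all"})

    # Rule 1: never the same pretext to the same audience two months in a row.
    pretexts = defaultdict(set)
    for month, _, pretext, audience in setlist:
        pretexts[(month, audience)].add(pretext)
    for month, _, pretext, audience in setlist:
        if pretext in pretexts[(month - 1, audience)]:
            findings.append(f"month {month}: '{pretext}' repeats month {month - 1} for {audience}")

    for dept in departments:
        prev_top = None
        for month in months:
            # everything this department will actually receive this month
            sends = [(t, p) for m, t, p, a in setlist if m == month and a in ("all", dept)]
            if not sends:
                continue
            top = max(t for t, _ in sends)
            # Rule 2: start at Tier 1 and earn each tier one step at a time.
            if prev_top is None and top != 1:
                findings.append(f"month {month}: {dept} starts at Tier {top}, not Tier 1")
            elif prev_top is not None and top - prev_top > max_tier_step:
                findings.append(f"month {month}: {dept} jumps from Tier {prev_top} to Tier {top}")
            prev_top = top
            # Rule 3: high-risk departments get their extra, targeted sends.
            if dept in high_risk and len(sends) < min_high_risk_per_month:
                findings.append(f"month {month}: {dept} gets {len(sends)} send(s), "
                                f"needs {min_high_risk_per_month}")
    return findings


if __name__ == "__main__":
    for finding in validate(SETLIST) or ["setlist passes"]:
        print(finding)
```

Run against the constructed plan it reports three findings: the repeated package-delivery pretext in month 5, HR jumping from Tier 2 to Tier 4 in month 3, and finance receiving a single send in month 5. Trim the plan to its first two months and it passes, which is the shape you want a quarterly review to confirm after each update.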

Never Updating Your Setlist

Threat actors don't freeze their tactics in January. Neither should you. Review and update your phish setlist quarterly at minimum. Pull fresh intelligence from CISA advisories, the NIST Cybersecurity Framework guidance, and your own incident data.

Making It Stick: From Setlist to Security Culture

A phish setlist is a tool. Security culture is the outcome. When employees start forwarding suspicious emails to your security team without being asked — that's culture. When a finance employee calls to verify a wire transfer request instead of just processing it — that's culture. When your click rate drops from 22% to 4% over 12 months — that's measurable proof your setlist is working.

I've seen organizations transform their risk posture in under a year with nothing more than a structured phishing simulation program, consistent training, and executive support. No magic technology. No massive budget. Just a plan, executed consistently.

Build your phish setlist this week. Start with your threat data. Map your tiers. Set your calendar. Measure everything. Adjust relentlessly. Your employees are either your biggest vulnerability or your strongest sensor network. The setlist you build decides which one.