One Band's Name Became Cybersecurity's Favorite Metaphor

The FBI's IC3 report for 2023 logged nearly 299,000 phishing and spoofing complaints, making phishing the most reported cybercrime category for the fifth consecutive year. And yet most organizations still run phishing simulations like they're checking a compliance box: one generic email per quarter, same template, same obvious red flags. That's not training. That's theater.

If you've ever followed the jam band Phish, you know their fans obsess over setlists — the carefully curated sequence of songs played at each show. No two shows are alike. The order matters. The surprises matter. The variation keeps the audience engaged and on their toes.

That's exactly how you should think about your phishing simulation program. A phish setlist is your structured, evolving plan for the phishing scenarios you deploy against your own employees. It's the playlist of social engineering attacks you rotate through — each one designed to test a different instinct, exploit a different emotion, and build a different layer of resilience. This post gives you the framework to build one that actually works.

What Exactly Is a Phish Setlist?

A phish setlist is a planned rotation of phishing simulation scenarios used to train employees over time. Rather than sending one type of simulated attack repeatedly, a phish setlist sequences different attack types — credential theft pages, invoice fraud, CEO impersonation, urgent IT requests, package delivery lures — across a defined schedule. Each "song" in the setlist targets a different vulnerability in human behavior.

The concept borrows from the music world for good reason. Just like a concert setlist builds energy and variety, a phish setlist builds progressive difficulty and realistic exposure. Your employees face different threat actor tactics each time, preventing them from pattern-matching their way through your program without actually learning anything.

Why Most Phishing Programs Fail Without One

I've audited dozens of security awareness programs over the years. The ones that fail share a common trait: no variation. They send the same "Your password expires in 24 hours" email every quarter and wonder why click rates stay flat.

Here's what actually happens without a phish setlist. Employees learn to spot one specific template. They share tips about the simulation in Slack. The word spreads: "If it mentions password expiry, it's fake." Meanwhile, a real threat actor sends a convincing DocuSign request, and someone in accounts payable hands over their credentials without a second thought.

The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a non-malicious human element: someone falling for social engineering or making an error. That share has stayed stubbornly high year after year, and the reason is simple: our training isn't keeping up with the attacks. A structured phish setlist changes that by ensuring employees face the same diversity of tactics that real attackers use.

The Pattern-Matching Problem

Human brains are wired to recognize patterns. That's usually a strength, but in phishing training it becomes a weakness. When your simulations are predictable, employees learn to spot the simulation — not the attack. They develop what I call "test-taking skills" instead of actual threat recognition.

A well-designed phish setlist deliberately breaks patterns. It mixes urgency-based attacks with curiosity-based lures. It alternates between emails that impersonate internal executives and ones that mimic external vendors. Some use links. Some use attachments. Some use QR codes. The unpredictability is the point.

Building Your First Phish Setlist: The Framework

Here's the practical framework I use with organizations. Think of it as building a 12-month concert tour, where each month features a different "song" — a different phishing scenario designed to test a specific human vulnerability.

Step 1: Inventory Your Threat Landscape

Start with what's actually hitting your industry and, above all, your own organization: pull the lures your mail gateway has quarantined and the messages employees have already reported, then cross-check against CISA's advisories and the FBI IC3 annual report. If you're in healthcare, business email compromise (BEC) targeting billing departments is your top concern. In manufacturing, it might be vendor impersonation tied to supply chain attacks. In education, credential theft campaigns dominate.

List the top 8-12 attack types that are most relevant to your organization. These become the tracks on your setlist.

Step 2: Map Attacks to Emotional Triggers

Every effective phishing attack exploits an emotion. Your phish setlist should cover all the major ones:

  • Fear: "Your account has been compromised — reset immediately."
  • Authority: "The CEO needs this wire transfer processed today."
  • Curiosity: "Someone shared a document with you in Google Drive."
  • Urgency: "Your package delivery failed — confirm address now."
  • Greed: "You're eligible for a $500 employee bonus. Claim here."
  • Trust: "IT Department: Please install this security update."

Map each of your 8-12 scenarios to a primary emotional trigger. Make sure you're covering at least four different triggers across your annual rotation. This is what separates a phish setlist from a random collection of templates.

Step 3: Sequence by Difficulty

Don't start your program with a pixel-perfect Microsoft 365 credential harvesting page that would fool a security analyst. Start with scenarios that have 2-3 obvious red flags — misspelled sender domains, generic greetings, suspicious URLs. Build from there.

Here's a sample progression:

  • Months 1-3: Obvious indicators — wrong domain, generic greeting, suspicious link on hover. Goal: establish baseline click rate.
  • Months 4-6: Moderate difficulty — correct branding, plausible sender, but subtle URL mismatch or unusual request. Goal: test attention to detail.
  • Months 7-9: Advanced — highly targeted spear-phishing using role-specific language, real vendor names, current events. Goal: test critical thinking under pressure.
  • Months 10-12: Mixed difficulty with multi-channel attacks — combine email with SMS (smishing) or voice (vishing) where possible. Goal: comprehensive resilience testing.

Step 4: Schedule and Randomize

Don't send simulations on the same day every month. Threat actors don't attack on a schedule. Vary the day of the week, time of day, and even the gap between simulations. Some months, run two campaigns two weeks apart. Other months, go five weeks between them. This prevents the "Oh, it's the first Tuesday, watch for the phishing test" effect. Stagger delivery across the target population as well: if everyone receives the same template in the same minute, the first person to spot it warns the rest in Slack, and from that point you're measuring word of mouth, not recognition.

The $4.88M Lesson in Every Click

According to IBM's Cost of a Data Breach Report 2024, the global average cost of a data breach hit $4.88 million, and phishing sat alongside stolen or compromised credentials as the most common initial attack vectors. Every employee who clicks a real phishing link is one step closer to that number landing on your balance sheet.

But the same report lists employee training among the factors associated with lower breach costs. The training works, when it's done right. A phish setlist is how you do it right.

If your organization hasn't invested in structured phishing awareness training for your team, you're leaving your most exploitable attack surface completely undefended.

What Belongs on a 2026 Phish Setlist

Attack techniques evolve. Your phish setlist should reflect what threat actors are actually doing right now in 2026, not what they were doing in 2020. Here are the scenarios I'm recommending to every organization this year:

QR Code Phishing (Quishing)

QR code attacks exploded in 2023-2024 and haven't slowed down. The malicious URL is encoded in an image rather than written as a link, so mail filters that only inspect text URLs never see it, and the scan moves the click onto the employee's personal phone, outside your endpoint controls and web proxy. Your setlist needs at least one quishing scenario, perhaps a fake parking validation or a multi-factor authentication reset request delivered via QR code.

AI-Enhanced Spear Phishing

Threat actors are using generative AI to craft phishing emails that lack the traditional grammatical errors and awkward phrasing that employees were trained to spot. Your simulations need to reflect this reality. Include at least two scenarios with clean, professional copy that requires employees to verify through channels other than the email content itself.

MFA Fatigue Attacks

Attackers now routinely bombard targets with multi-factor authentication push notifications until the victim approves one out of frustration. While this isn't a traditional phishing email, your setlist should include educational modules about MFA fatigue and pair them with credential theft simulations that show how a stolen password is the precondition for these attacks. Pair the awareness work with a control change as well: number matching on push prompts, or phishing-resistant MFA such as FIDO2 security keys, removes the "just approve it" option entirely.

Vendor and Supply Chain Impersonation

BEC attacks impersonating vendors accounted for a large share of the billions of dollars in social engineering losses in the FBI IC3's 2024 reporting. Build scenarios where the phishing email appears to come from a real vendor your organization uses: an invoice update, a payment portal change, or a contract revision request. Make the training point explicit: any change to payment details gets confirmed by phone at a number already on file, never at one supplied in the email.

Internal IT and HR Impersonation

These never go out of style. "Open enrollment benefits update," "mandatory security training — click here," "new PTO policy — review and sign." HR and IT lures work because employees are conditioned to comply with internal requests. Your phish setlist should always include at least two of these per year.

Measuring What Matters: Beyond Click Rates

Most organizations track one metric: click rate. That's like judging a concert by ticket sales alone. A mature phish setlist program tracks multiple indicators:

  • Click rate: Percentage of employees who clicked the simulated phishing link. Track this over time per scenario type.
  • Report rate: Percentage who reported the simulation to IT or used a phishing report button. This is arguably more important than click rate, because a reported phish is one your security team can act on. Count employees who clicked and then reported separately: that is a near miss, and a good outcome.
  • Credential submission rate: Of those who clicked, how many actually entered credentials on the fake page? This measures depth of compromise.
  • Time to report: How quickly did the first employee flag the simulation? Faster reporting means faster response during real incidents.
  • Repeat clickers: Which employees click on multiple simulations? These individuals need targeted intervention, not just another email.

Track these metrics per scenario type and per department. You'll quickly identify which emotional triggers your organization is most vulnerable to — and that tells you exactly where to focus your next quarter's setlist.
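The metrics above computed from a simulation export, as an added example that is not from this post or from any platform's built-in reporting. The export layout (one row per recipient per campaign with sent, clicked, submitted and reported timestamps) and the campaign-to-trigger map are assumptions; most platforms can export something close to it.

```python
"""Phishing simulation metrics beyond click rate.

Added example, not code from the post or from any simulation platform.
The export layout below and the campaign-to-trigger map are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: one row per recipient per campaign.
# Fields: campaign, employee, department, sent, clicked, submitted, reported
# (ISO timestamps; None means the event never happened).
EVENTS = [
    ("Password reset", "u01", "finance", "2026-01-14T09:05:00", "2026-01-14T09:11:00", "2026-01-14T09:12:00", None),
    ("Password reset", "u02", "finance", "2026-01-14T09:05:00", None, None, "2026-01-14T09:09:00"),
    ("Password reset", "u03", "eng", "2026-01-14T09:05:00", "2026-01-14T10:40:00", None, "2026-01-14T10:42:00"),
    ("Password reset", "u04", "eng", "2026-01-14T09:05:00", None, None, None),
    ("CEO wire transfer", "u01", "finance", "2026-03-03T14:20:00", "2026-03-03T14:25:00", "2026-03-03T14:26:00", None),
    ("CEO wire transfer", "u02", "finance", "2026-03-03T14:20:00", "2026-03-03T14:31:00", "2026-03-03T14:32:00", None),
    ("CEO wire transfer", "u03", "eng", "2026-03-03T14:20:00", None, None, "2026-03-03T14:24:00"),
    ("CEO wire transfer", "u04", "eng", "2026-03-03T14:20:00", "2026-03-03T14:40:00", None, "2026-03-03T14:41:00"),
]

# Assumed mapping from each campaign to the emotional trigger it exercised.
TRIGGERS = {"Password reset": "fear", "CEO wire transfer": "authority"}


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def campaign_metrics(events, group_by=None):
    """Metrics keyed by campaign, or by (campaign, department) when
    group_by == "department". Rates are fractions of recipients, except
    credential_submission_rate, which is a fraction of clickers."""
    groups = defaultdict(list)
    for row in events:
        campaign, department = row[0], row[2]
        key = (campaign, department) if group_by == "department" else campaign
        groups[key].append(row)

    results = {}
    for key, rows in groups.items():
        recipients = len(rows)
        clickers = [r for r in rows if r[4]]
        submitters = [r for r in rows if r[5]]
        reporters = [r for r in rows if r[6]]
        # Time from send to the earliest report; None if nobody reported.
        first_report = min((_ts(r[6]) - _ts(r[3]) for r in reporters), default=None)
        results[key] = {
            "recipients": recipients,
            "click_rate": len(clickers) / recipients,
            "report_rate": len(reporters) / recipients,
            # Depth of compromise: of those who clicked, how many typed a password.
            "credential_submission_rate": len(submitters) / len(clickers) if clickers else 0.0,
            # A click followed by a report is a near miss worth counting on its own.
            "click_then_report": sum(1 for r in clickers if r[6]),
            "time_to_first_report_min": first_report.total_seconds() / 60 if first_report is not None else None,
        }
    return results


def click_rate_by_trigger(events, triggers):
    """Click rate per emotional trigger: the highest value is where the next
    quarter's setlist should concentrate."""
    clicks, sent = defaultdict(int), defaultdict(int)
    for row in events:
        trigger = triggers.get(row[0], "unknown")
        sent[trigger] += 1
        if row[4]:
            clicks[trigger] += 1
    return {t: clicks[t] / sent[t] for t in sent}


def repeat_clickers(events, threshold=2):
    """Employees who clicked in at least `threshold` distinct campaigns, with
    the campaigns they fell for, so remediation can target the trigger."""
    hits = defaultdict(set)
    for row in events:
        if row[4]:
            hits[row[1]].add(row[0])
    return {emp: sorted(c) for emp, c in hits.items() if len(c) >= threshold}


if __name__ == "__main__":
    for campaign, m in campaign_metrics(EVENTS).items():
        print(campaign, m)
    for key, m in campaign_metrics(EVENTS, group_by="department").items():
        print(key, "click_rate", m["click_rate"], "report_rate", m["report_rate"])
    print("weakest trigger:", max(click_rate_by_trigger(EVENTS, TRIGGERS).items(), key=lambda kv: kv[1]))
    print("repeat clickers:", repeat_clickers(EVENTS))
```

In the constructed sample, finance clicks the authority lure at 100% and nobody in that department reports it, while engineering reports it within four minutes; that is the per-department, per-trigger view that tells you where next quarter's scenarios and targeted modules should go.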

Turning Clickers into Champions

The goal of a phish setlist isn't to shame employees who click. It's to build organizational muscle memory. When someone clicks a simulated phishing link, the immediate response matters more than the click itself.

Deploy instant training moments — a brief, specific explanation of what red flags they missed in that particular scenario. Keep it under 60 seconds. Make it relevant to the exact email they just clicked. Generic "be careful with emails" training is worthless.

For repeat clickers, assign targeted modules from a comprehensive cybersecurity awareness training program. Focus on the specific attack type they keep falling for. Someone who clicks CEO impersonation emails needs authority-bias training, not a general overview of ransomware.

A Sample 12-Month Phish Setlist

Here's a starter setlist you can adapt for your organization. Adjust the specific scenarios to match your industry and threat landscape:

  • January: Password reset (fear/urgency) — Easy difficulty
  • February: Shared document via cloud platform (curiosity) — Easy difficulty
  • March: CEO wire transfer request (authority) — Moderate difficulty
  • April: Tax document from HR (trust/seasonal) — Moderate difficulty
  • May: Vendor invoice update (trust) — Moderate difficulty
  • June: QR code for benefits enrollment (curiosity) — Moderate difficulty
  • July: Package delivery failure (urgency) — Easy difficulty (mid-year baseline reset)
  • August: IT security update installation (authority/trust) — Advanced difficulty
  • September: Spear-phish using LinkedIn data (personalized) — Advanced difficulty
  • October: Multi-channel: email + SMS combination (urgency) — Advanced difficulty
  • November: Black Friday employee discount scam (greed) — Moderate difficulty
  • December: Year-end bonus claim (greed/seasonal) — Advanced difficulty

Notice the variation in emotional triggers, difficulty levels, and attack channels. That's what makes a phish setlist effective. No two months feel the same.

Zero Trust Starts With Your People

Every zero trust architecture conversation focuses on networks, endpoints, and identity verification. But the most critical zero trust principle applies to your people: never trust, always verify. A phish setlist trains that instinct into your workforce through repeated, varied exposure to realistic social engineering tactics.

Your firewall won't stop an employee from entering their credentials on a convincing fake login page. Your endpoint detection won't flag a legitimate-looking email that asks someone to "verify" their identity. Phishing-resistant MFA and fast credential revocation make a single click survivable, but the employee who pauses, verifies, and reports is the control that turns a near miss into an early warning for your security team. Your people are your last line of defense, and your phish setlist is how you sharpen that line.

Start building your setlist today. Pull your threat data, map your emotional triggers, sequence your difficulty, and commit to 12 months of intentional, varied phishing simulations. Your data breach risk drops with every employee who learns to pause, verify, and report instead of click.