What a Phish Setlist Actually Means for Your Security Team

When the band Phish takes the stage, they never play the same setlist twice. Every show is crafted for the audience. Your phishing simulation program should work the same way. A phish setlist — a curated, rotating collection of phishing attack scenarios used to test and train employees — is one of the most effective tools I've seen for building genuine security awareness.

I've spent years watching organizations run the same stale phishing test quarter after quarter. Same fake invoice. Same "password reset" email. Employees learn the pattern, not the skill. A well-built phish setlist changes that entirely.

The concept borrows from how real threat actors operate. They don't repeat themselves either. According to the Verizon 2024 Data Breach Investigations Report, 68% of breaches involved a human element — social engineering, credential theft, or simple mistakes. Your employees face novel attacks constantly. Your training needs to match that reality.

Why a Static Phishing Test Fails Every Time

Here's what actually happens at most organizations. The IT team sends a fake phishing email once a quarter. It looks like a shipping notification or a password expiry warning. After the second round, half the office recognizes the template. They think they're "phishing-proof." They're not.

Static tests create a dangerous false confidence. Employees learn to spot that specific email, not the underlying tactics. A real threat actor won't send them a carbon copy of your last simulation. They'll craft a targeted spear-phishing message referencing a real vendor, a real project, or a real executive's name.

This is where the phish setlist approach proves its value. By rotating through dozens of realistic scenarios — each designed around current threat intelligence — you train pattern recognition, not template recognition.

How to Build a Phish Setlist That Actually Works

Start With Real Threat Intelligence

Don't guess what attacks to simulate. Use real data. CISA's cyber threat advisories publish active phishing campaigns regularly. The FBI IC3 annual report catalogs the most common social engineering schemes targeting businesses. Your setlist should reflect what's actually hitting inboxes right now.

In my experience, the most effective setlists pull from five categories:

  • Business Email Compromise (BEC): Fake executive requests for wire transfers or sensitive data
  • Credential Harvesting: Fake login pages for Microsoft 365, Google Workspace, or internal tools
  • Vendor Impersonation: Spoofed emails from real suppliers, software providers, or partners
  • Urgency Exploits: Tax deadline notices, HR policy updates, benefits enrollment deadlines
  • Current Events Lures: Disaster relief, regulatory changes, industry news

Each category should have 5-10 variations in your setlist. Rotate them unpredictably. Never send the same scenario to the entire company at once.

Segment Your Audience

Not every employee faces the same risk. Your finance team gets targeted with invoice fraud. Your executives get hit with whaling attacks. Your developers get lured with fake GitHub notifications or package dependency alerts.

A strong phish setlist is segmented by department, role, and risk level. Tailor the scenarios to match how each group would actually be targeted. This is the same approach threat actors use — and it's the same approach your training should mirror.

Escalate Difficulty Over Time

Start with obvious red flags: misspelled domains, generic greetings, suspicious attachments. As your team improves, escalate. Introduce near-perfect domain spoofs, personalized content, multi-step attacks that combine a text message with a follow-up email.

The goal isn't to trick people. It's to build muscle memory for recognizing social engineering in all its forms.

What Belongs on a Phish Setlist in 2026?

The threat landscape shifts fast. Here's what I'm seeing threat actors deploy right now and what should be on your phish setlist this year:

  • AI-generated phishing emails: Near-perfect grammar, personalized details scraped from LinkedIn and company websites
  • QR code phishing (quishing): Malicious QR codes in fake HR documents, parking notices, or benefits forms
  • MFA fatigue attacks: Repeated multi-factor authentication push notifications designed to wear down the target
  • Deepfake voice phishing: AI-cloned executive voices in voicemail or Teams messages requesting urgent action
  • Fake collaboration invites: Spoofed Slack, Teams, or Zoom invitations leading to credential theft pages

If your phishing simulation program doesn't include these scenarios, you're training for last year's threats. The FBI IC3 annual reports consistently show that phishing and BEC remain the top reported cybercrimes. Your setlist needs to keep pace.

How Often Should You Run Phishing Simulations?

This is the question I get asked most. The answer: more often than you think, but less predictably than you'd expect.

Monthly is the minimum. But don't send them on the same day each month. Vary the timing, the scenario, and the delivery method. Some should arrive at 7 AM on a Monday. Others at 4:45 PM on a Friday. Threat actors don't respect business hours, and your phish setlist shouldn't either.

For high-risk roles — finance, HR, executive assistants, IT administrators — I recommend bi-weekly simulations with higher-difficulty scenarios. These are the people a ransomware gang will target first.

Measuring What Matters: Beyond Click Rates

Most organizations fixate on click rates. "Only 8% clicked the link this quarter!" That's a vanity metric. Here's what actually tells you if your phish setlist is working:

  • Report rate: What percentage of employees reported the phishing email to your security team? This is the metric that matters most.
  • Time to report: How quickly did reports come in? Speed kills attacks.
  • Repeat offenders: Are the same people clicking every time? They need targeted intervention, not another all-hands webinar.
  • Credential submission rate: Did they just click, or did they actually enter their username and password on a fake page? That's a critical difference.

Track these metrics over time. A well-managed phish setlist should show improving report rates and declining credential submissions across quarters.

Training That Sticks: Pair Simulations With Education

Simulations without education are just gotcha moments. They build resentment, not resilience. Every phishing simulation should be immediately followed by a brief, specific training module explaining what red flags were present and how the attack works.

This is where structured cybersecurity awareness training makes the difference. Employees need context, not just consequences. They need to understand why a zero trust security model matters and how their individual actions connect to your organization's broader defense.

For organizations looking to build a dedicated phishing training track, our phishing awareness training for organizations provides scenario-based modules that map directly to the types of attacks you'd include in your setlist.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. The majority of those breaches started with a phishing email. Not a sophisticated zero-day exploit. Not a nation-state actor. A convincing email that one employee clicked.

Your phish setlist is your front line. It's not a compliance checkbox. It's the difference between an employee who reports a suspicious email in 30 seconds and one who hands over credentials to a threat actor on a fake Microsoft login page.

Build the setlist. Rotate it constantly. Measure the right things. And train your people like the attacks are real — because the next one will be.