In September 2022, a single employee at Uber clicked a link in a social engineering attack. The threat actor, reportedly affiliated with Lapsus$, used that foothold to access internal systems, Slack channels, and cloud infrastructure. The breach made global headlines — not because Uber's security tools failed, but because a human did exactly what humans do: they trusted a message that looked legitimate.

That's why the concept of a phish tour — a structured, ongoing campaign of simulated phishing attacks rolled out across your organization — has become one of the most effective weapons in a security team's arsenal. It's not a one-time test. It's a tour, hitting every department, every role, every attack vector, until your people develop the muscle memory to spot and report threats before damage is done.

This post walks you through what a phish tour actually looks like, why it works better than annual training slides, and how to build one that produces measurable results. If you're responsible for protecting an organization of any size, this is the playbook.

What Exactly Is a Phish Tour?

A phish tour is a planned series of simulated phishing attacks deployed across an organization over weeks or months. Think of it as a roadshow for your security awareness program — each "stop" on the tour targets different departments, uses different attack techniques, and escalates in sophistication as employees improve.

Unlike a single phishing test that gives you a snapshot, a phish tour gives you a trend line. You see who improves, who doesn't, and which social engineering tactics are most effective against your specific workforce. That data is gold for prioritizing training resources.

The Verizon 2022 Data Breach Investigations Report found that 82% of breaches involved the human element — including phishing, stolen credentials, and social engineering. A phish tour directly addresses the most exploited attack surface in your organization: your people. You can read the full DBIR at Verizon's DBIR page.

Why One-and-Done Phishing Tests Fail

I've seen this pattern dozens of times. An organization runs a single phishing simulation, gets alarming click rates, sends out a sternly worded email, and moves on. Six months later, nothing has changed.

Here's what actually happens with one-off tests: employees remember the embarrassment for about two weeks. Then muscle memory takes over. They go back to clicking links on autopilot because their daily workflow rewards speed, not suspicion.

A phish tour fixes this by creating sustained pressure. When employees know that simulated attacks could arrive at any time — disguised as shipping notifications, password resets, HR policy updates, or invoice requests — they start treating every message with healthy skepticism. That behavioral shift is the entire goal.

The Forgetting Curve Is Real

Research on the Ebbinghaus forgetting curve shows that people forget roughly 70% of new information within 24 hours unless it's reinforced. One training session per year doesn't create lasting behavior change. A phish tour spaces out reinforcement naturally, turning each simulated attack into a micro-training moment.

The $4.88M Reason to Start Your Phish Tour Now

IBM's 2022 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.35 million. In the United States, that number climbed to $9.44 million. Phishing was the second most common initial attack vector, behind only stolen credentials — and phishing is often how credentials get stolen in the first place.

Those aren't abstract numbers. That's the cost of forensic investigations, legal fees, regulatory fines, customer notification, brand damage, and lost business. A well-run phish tour costs a fraction of a single incident response engagement.

CISA has repeatedly emphasized phishing-resistant practices as a core defense. Their guidance on Shields Up specifically calls out the need for organizations to train employees against social engineering and implement multi-factor authentication as layered defenses.

How to Build a Phish Tour That Actually Works

Running a phish tour isn't just about sending trick emails and shaming people who click. Done poorly, it destroys trust and teaches nothing. Done right, it transforms your security culture. Here's the framework I recommend.

Step 1: Baseline Without Warning

Your first simulation should go out with zero advance notice. Use a moderately convincing phishing template — something like a password expiration notice or a shared document link. This gives you an honest baseline click rate. Industry averages hover between 20% and 30% on a first test, but I've seen organizations hit 45%.

Record who clicked, who reported it, and who ignored it. All three categories matter.

Step 2: Immediate, Blame-Free Education

When someone clicks a simulated phishing link, redirect them instantly to a short training page. Explain exactly what red flags they missed. Keep it under 90 seconds. No shaming, no public leaderboards, no punitive HR actions.

This is where platforms like our phishing awareness training for organizations become critical. The training that lands within seconds of the mistake has dramatically higher retention than a lecture delivered weeks later.

Step 3: Escalate Sophistication Over Time

Your phish tour should get harder as it progresses. Start with generic mass-phishing templates. Then move to spear phishing that uses department-specific language. Then try pretexting — emails that reference real internal projects or recent company announcements. Finally, introduce smishing (SMS phishing) and vishing (voice phishing) if your program is mature enough.

Each stop on the tour should test a different tactic:

  • Credential theft — fake login pages for Microsoft 365, Google Workspace, or VPN portals
  • Malicious attachments — macro-enabled documents or PDF lures
  • Business email compromise — impersonation of executives requesting wire transfers or gift cards
  • Urgency manipulation — "Your account will be locked in 2 hours" messages
  • Curiosity traps — "Here's the salary spreadsheet for Q4" subject lines

Step 4: Measure What Matters

Track these metrics across every stop on your phish tour:

  • Click rate — percentage of employees who clicked the link or opened the attachment
  • Report rate — percentage who used the "Report Phishing" button or forwarded to your security team
  • Credential submission rate — percentage who actually entered usernames and passwords on fake pages
  • Time to report — how quickly the first report came in after the simulation launched
  • Repeat offender rate — employees who click on multiple simulations across the tour

The report rate is arguably more important than the click rate. A healthy security culture isn't one where nobody makes mistakes — it's one where mistakes get flagged fast enough for the security team to respond.

Step 5: Pair Simulations with Broader Training

A phish tour works best when it's part of a comprehensive security awareness program. Simulations teach recognition through experience; structured training fills in the knowledge gaps around ransomware, zero trust principles, password hygiene, and incident reporting.

Our cybersecurity awareness training program covers these foundational topics and pairs well with ongoing simulation campaigns. Together, they create both the knowledge base and the practical reflexes your workforce needs.

What Does a Phish Tour Schedule Look Like?

Here's a realistic 12-week phish tour schedule for a mid-size organization:

  • Week 1: Baseline test — generic password reset email to all staff
  • Week 2: Training rollout — foundational phishing awareness modules
  • Week 4: Second simulation — department-specific lure (e.g., fake HR benefits enrollment for HR, fake invoice for finance)
  • Week 6: Third simulation — business email compromise attempt impersonating the CEO
  • Week 8: Fourth simulation — malicious attachment disguised as a shipping notification
  • Week 10: Fifth simulation — credential harvesting page mimicking your actual SSO portal
  • Week 12: Final assessment — most sophisticated attack. Measure improvement against baseline.

Between simulations, share anonymized results with departments. Celebrate improvements publicly. Address persistent vulnerabilities with targeted coaching, not punishment.

The Repeat Offender Problem — And How to Solve It

Every phish tour reveals a small group of employees who click every single simulation. In my experience, this group is typically 5-10% of the workforce. They're not stupid — they're usually the busiest people in the organization, processing hundreds of emails a day.

For repeat offenders, escalate the intervention:

  • After the second click: one-on-one conversation with their manager and a security team member
  • After the third click: mandatory supplemental training session
  • After the fourth click: restrict email link access or add additional technical controls for that user

The goal isn't punishment — it's risk reduction. Some people need more help, and that's fine. But ignoring the pattern puts your entire organization at risk.
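To make the Step 4 metrics and the repeat-offender ladder concrete, here is an added example (not code from the post or any vendor platform) that scores a few constructed tour stops. It assumes one record per employee per stop, with the seconds after launch at which each action happened, and maps cumulative clicks onto the escalation tiers listed above.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Event:
    """One employee's outcome for one tour stop (None = action did not happen)."""
    stop: int
    employee: str
    clicked_at: Optional[int] = None      # seconds after launch
    submitted_at: Optional[int] = None    # entered credentials on the fake page
    reported_at: Optional[int] = None     # used the report button

# Constructed sample data for a three-stop tour (not real results).
EVENTS = [
    Event(1, "alice", clicked_at=120, submitted_at=150), Event(1, "bob", clicked_at=300),
    Event(1, "carol", reported_at=420),                  Event(1, "dave"),
    Event(2, "alice", clicked_at=90),                    Event(2, "bob", reported_at=60),
    Event(2, "carol", reported_at=45),                   Event(2, "dave", clicked_at=600, submitted_at=700),
    Event(3, "alice", clicked_at=200),                   Event(3, "bob", reported_at=30),
    Event(3, "carol", reported_at=25),                   Event(3, "dave", reported_at=50),
]

# Escalation ladder from the post, keyed by cumulative click count (4 means "4 or more").
ESCALATION = {2: "manager + security one-on-one", 3: "mandatory supplemental training",
              4: "restrict link access / extra technical controls"}

def stop_metrics(events, stop):
    """Click, report and credential-submission rates plus time to first report for one stop."""
    rows = [e for e in events if e.stop == stop]
    if not rows:
        raise ValueError(f"no events recorded for stop {stop}")
    n = len(rows)
    clicked = sum(e.clicked_at is not None for e in rows)
    submitted = sum(e.submitted_at is not None for e in rows)
    reports = [e.reported_at for e in rows if e.reported_at is not None]
    return {"population": n,
            "click_rate": round(100 * clicked / n, 1),
            "report_rate": round(100 * len(reports) / n, 1),
            "submission_rate": round(100 * submitted / n, 1),
            "time_to_first_report_s": min(reports, default=None)}

def repeat_offenders(events, min_clicks=2):
    """Employees who clicked on min_clicks or more stops, with the intervention tier they have reached."""
    counts = {}
    for e in events:
        if e.clicked_at is not None:
            counts[e.employee] = counts.get(e.employee, 0) + 1
    return {emp: (c, ESCALATION[min(c, max(ESCALATION))])
            for emp, c in counts.items() if c >= min_clicks}

def repeat_offender_rate(events, min_clicks=2):
    """Share of the workforce that is a repeat offender across the whole tour."""
    population = {e.employee for e in events}
    return round(100 * len(repeat_offenders(events, min_clicks)) / len(population), 1)
```

In the sample, the click rate falls from 50% to 25% while the report rate climbs from 25% to 75%, which is the trend line the post says to look for.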

Technical Controls That Make Your Phish Tour More Effective

A phish tour doesn't replace technical defenses. It complements them. While you're training your humans, make sure these controls are in place:

  • Multi-factor authentication (MFA) on every externally facing system. CISA lists this as a top priority, and it directly mitigates credential theft even when an employee enters their password on a fake page; phishing-resistant MFA, which CISA's guidance singles out, is the strongest form, because a one-time code can be relayed along with the password.
  • Email authentication protocols — SPF, DKIM, and DMARC configured at enforcement level to reduce spoofed emails reaching inboxes
  • Browser isolation for high-risk users who handle sensitive financial transactions
  • Zero trust architecture — never trust a device or user based on network location alone. The NIST Zero Trust Architecture framework (NIST SP 800-207) provides the blueprint.
  • Phishing report button integrated into your email client so reporting suspicious messages takes one click

When technical controls and trained humans work together, a threat actor's job gets exponentially harder.
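"Configured at enforcement level" is something you can verify rather than assume. The following is an added example, not code from the post, that audits SPF and DMARC TXT records for the weak settings that let spoofed mail through; the records are constructed strings, so it runs offline, and the same functions can be pointed at the TXT records you pull from DNS for your own domain.

```python
import re

def parse_dmarc(txt):
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(txt):
    """Return the reasons a DMARC record is not at enforcement level (empty list = enforcing)."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'none'} is monitor-only; spoofed mail still reaches inboxes")
    if int(tags.get("pct", "100")) < 100:           # pct defaults to 100 when absent
        findings.append(f"pct={tags['pct']} applies the policy to only part of failing mail")
    sub = tags.get("sp", policy).lower()            # sp inherits p when absent
    if sub not in ("quarantine", "reject"):
        findings.append(f"sp={sub or 'none'} leaves subdomains spoofable")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are not collected")
    return findings

def spf_findings(txt):
    """Return the reasons an SPF record is weak (empty list = hard fail, within lookup limit)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed"]
    findings = []
    if terms[-1].lower() != "-all":
        findings.append(f"ends with '{terms[-1]}' instead of '-all'; unauthorized senders are not hard-failed")
    # include:, a, mx, exists: and redirect= each cost a DNS lookup; RFC 7208 allows at most 10.
    lookups = sum(1 for t in terms if re.match(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)", t, re.I))
    if lookups > 10:
        findings.append(f"needs {lookups} DNS lookups (limit 10); receivers return permerror")
    return findings

# Constructed records (example.com / example.net are placeholders, not real configuration).
WEAK = {"spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com"}
HARDENED = {"spf": "v=spf1 include:_spf.example.net -all",
            "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"}

def audit(records):
    """Combine SPF and DMARC findings for one domain's records."""
    return spf_findings(records["spf"]) + dmarc_findings(records["dmarc"])
```

The weak set produces three findings (soft-fail SPF, monitor-only policy, spoofable subdomains); the hardened set produces none.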

How Long Does It Take to See Results from a Phish Tour?

Most organizations see a meaningful drop in click rates within 90 days of starting a structured phish tour. A typical progression looks like this: baseline click rate of 25-30%, dropping to 10-15% after three simulations, and settling at 3-8% after six months of consistent testing.

Report rates usually follow the opposite trajectory — starting near zero and climbing to 40-60% as employees build the habit of flagging suspicious messages. That's the metric that tells you your security culture is actually changing.

The key word is "consistent." Organizations that run a phish tour once and then stop see click rates creep back up within four to six months. This needs to be a permanent program, not a project with an end date.

Getting Executive Buy-In for Your Phish Tour

If you're pitching a phish tour to leadership, speak their language: risk and money. The FBI's Internet Crime Complaint Center (IC3) reported over $10.3 billion in cybercrime losses in their 2021 annual report, with business email compromise and phishing ranking among the costliest attack categories. Those numbers get attention in a boardroom.

Frame the phish tour as a risk reduction initiative with measurable ROI. Show the baseline click rate, project the improvement curve, and quantify what even one prevented breach would save in incident response costs.

Include executives in the simulations. Nothing accelerates buy-in faster than a CFO clicking a simulated phishing link and realizing how convincing it was.

Your Phish Tour Starts With One Email

You don't need a massive budget or a 20-person security team to run a phish tour. You need a plan, a set of realistic templates, a mechanism to deliver immediate training after clicks, and the commitment to keep doing it month after month.

Start by establishing your baseline. Build your simulation schedule. Pair it with structured cybersecurity awareness training and targeted phishing simulation exercises. Measure your results relentlessly.

The threat actors aren't slowing down. Your training program shouldn't either.