One Click Cost Colonial Pipeline $4.4 Million
In May 2021, a single compromised credential shut down the largest fuel pipeline in the United States. Colonial Pipeline paid a $4.4 million ransom to a threat actor group called DarkSide. The entry point wasn't some exotic zero-day exploit. It was a password — likely harvested through social engineering or credential theft — used on a legacy VPN account without multi-factor authentication.
That's the reality I keep hammering home to organizations I work with: your biggest vulnerability isn't your firewall. It's the person who clicks. And the only way to find that person before a real attacker does is to run a phish tour — a structured series of phishing simulations that map your organization's human attack surface.
This post breaks down exactly what a phish tour is, why a single test isn't enough, and how to build a simulation program that actually shifts employee behavior. If you're responsible for security at your organization, this is the playbook you need right now.
What Exactly Is a Phish Tour?
A phish tour is a planned campaign of multiple phishing simulations rolled out across your organization over weeks or months. Think of it as a roadshow — each "stop" tests a different attack vector, a different department, or a different social engineering technique. One simulation might impersonate IT support requesting a password reset. The next might mimic a vendor invoice. Another might spoof the CEO asking for a wire transfer.
The goal isn't to trick people for sport. It's to build a realistic picture of where your organization is vulnerable and then use that data to deliver targeted security awareness training where it matters most.
Why a Single Phishing Test Falls Short
I've seen organizations send one phishing email, collect a click rate, pat themselves on the back, and call it done. That tells you almost nothing. One test captures a single moment in time with a single lure. Threat actors don't limit themselves to one approach.
According to the FBI's 2020 Internet Crime Report, phishing was the number-one reported cybercrime by a massive margin — over 241,000 complaints. Attackers run their own phish tours against you constantly, rotating pretexts, spoofing different senders, and timing their messages for maximum impact. Your testing program needs to mirror that persistence.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2021 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.24 million — the highest in 17 years. Phishing was the second most common initial attack vector, responsible for 17% of breaches. And breaches caused by phishing cost an average of $4.65 million.
Here's what actually happens when organizations skip phishing simulations entirely: they discover their vulnerability during a real attack. By then, ransomware has already encrypted the file server, or an attacker is sitting in the email system reading every message for weeks before anyone notices.
A phish tour is cheap insurance. The cost of running simulations is a rounding error compared to the cost of incident response, regulatory fines, and reputational damage.
How to Build a Phish Tour That Changes Behavior
Running simulations without a plan is just chaos. Here's the framework I use when advising organizations on building an effective phish tour program.
Step 1: Establish a Baseline
Before you change anything, measure where you stand. Send a realistic but moderate-difficulty phishing simulation to the entire organization. Track three metrics: click rate, credential submission rate, and report rate. The report rate is the most important — it tells you how many employees actively flagged the message as suspicious.
In my experience, first-time baseline tests show click rates between 20% and 35% for organizations without prior training. That number should shock you. It means roughly one in four employees will hand over credentials to a well-crafted fake login page.
Step 2: Segment and Escalate
After your baseline, segment your workforce by department and risk level. Finance teams get business email compromise (BEC) simulations. HR gets fake résumé attachments. Executives get spear-phishing attempts mimicking board communications. IT staff get fake security alerts.
Each stop on your phish tour should escalate in sophistication. Start with generic lures — the "your package couldn't be delivered" type. Move to targeted pretexts that reference internal projects, real vendor names, or current events. The 2021 Verizon Data Breach Investigations Report found that 85% of breaches involved a human element. Your simulations need to reflect the creativity real threat actors bring to the table.
Step 3: Train at the Moment of Failure
This is where most programs fall apart. If someone clicks a simulated phish and nothing happens, you've wasted the teachable moment. The instant an employee clicks, they should see a brief, specific explanation of what they missed: the spoofed sender address, the suspicious URL, the urgency tactic.
Pair your phish tour with ongoing cybersecurity awareness training that reinforces these lessons. One-and-done annual training doesn't work. Continuous reinforcement does. The best programs deliver short, focused modules immediately after a simulation failure, then follow up with broader training on social engineering tactics.
Step 4: Measure Progress Over Time
Track your metrics across every stop on the phish tour. You should see click rates declining and report rates increasing over three to six months. If a specific department stays stubbornly high, that's a signal — they need additional hands-on training, not just another email.
Document everything. When auditors, regulators, or your board asks what you're doing about phishing risk, a detailed phish tour report with trend data is the most compelling answer you can give.
What Makes a Phishing Simulation Realistic?
Bad simulations train employees to spot bad simulations — not real phishing emails. Here's what separates an effective simulation from a waste of time.
Use Current, Contextual Pretexts
In 2021, COVID-19 vaccine scheduling emails remain a top phishing lure. So do fake Microsoft 365 login pages, Zoom meeting invitations, and shipping notifications. Your simulations should use the same pretexts that real attackers are using right now. Check CISA's current activity alerts for the latest threats and build your lures around them.
Spoof Realistic Sender Addresses
A phishing email from "[email protected]" is too easy to spot. Use display name spoofing, lookalike domains, and reply-to manipulation — the same techniques actual threat actors employ. The point is to test real-world awareness, not pattern matching against obvious typos.
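The same three tricks are what your mail gateway and your reporting triage should be looking for, so here is the defender's side of this section as an added example (not code from the post): a small header analyzer that flags display-name spoofing, lookalike domains and Reply-To mismatches. It assumes messages are available as raw RFC 5322 text; the protected domain list, the confusable-character table and both sample messages are constructed for the example.

```python
"""Header checks for the three sender tricks the post names: display-name
spoofing, lookalike domains and Reply-To manipulation.

Added detection example, not code from the post. Assumes raw RFC 5322 text
and a PROTECTED_DOMAINS list (constructed below) of brands you want to guard.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

PROTECTED_DOMAINS = {"example.com", "examplebank.com"}  # constructed list

# Substitutions commonly used to build lookalike domains (short, illustrative).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed sample messages: one spoofed, one legitimate.
SAMPLE_SPOOFED = (
    'From: "helpdesk@example.com" <attacker@mail-relay.net>\n'
    "Reply-To: recover@examp1e.com\n"
    "To: user@example.com\n"
    "Subject: Password reset required\n"
    "\n"
    "Your password expires today. Reset it here.\n"
)
SAMPLE_CLEAN = (
    "From: IT Helpdesk <helpdesk@example.com>\n"
    "To: user@example.com\n"
    "Subject: Maintenance window\n"
    "\n"
    "Planned outage Saturday.\n"
)


def domain_of(addr):
    """Lowercased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(domain):
    """Protected domains and their subdomains are legitimate senders."""
    return domain in PROTECTED_DOMAINS or any(
        domain.endswith("." + p) for p in PROTECTED_DOMAINS)


def skeleton(domain):
    """Collapse confusable characters so 'examp1e.com' reads as 'example.com'."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def is_lookalike(domain):
    """Untrusted domain that matches a protected one after normalization, or
    that embeds the protected name in extra labels (example.com.login.net,
    example-secure.net)."""
    if not domain or is_trusted(domain):
        return False
    sk = skeleton(domain)
    for p in PROTECTED_DOMAINS:
        brand = p.split(".")[0]
        if sk == p or p in sk or sk.startswith(brand + "-"):
            return True
    return False


def analyze(raw_message):
    """Return {tag: explanation} for each spoofing indicator found."""
    msg = message_from_string(raw_message)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    findings = {}

    # 1. Display-name spoofing: the visible name carries an address or a
    #    protected brand while the real address sits on an untrusted domain.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", name)
    brand_in_name = any(p.split(".")[0] in name.lower() for p in PROTECTED_DOMAINS)
    if embedded and domain_of(embedded.group(0)) != from_dom:
        findings["display-name"] = f"name shows {embedded.group(0)}, address is {from_addr}"
    elif brand_in_name and not is_trusted(from_dom):
        findings["display-name"] = f"name '{name}' uses a protected brand, address is {from_addr}"

    # 2. Reply-To manipulation: replies are routed to a different domain.
    reply_doms = {domain_of(a) for _, a in getaddresses(msg.get_all("Reply-To", []))}
    if any(d != from_dom for d in reply_doms):
        findings["reply-to"] = f"From domain {from_dom}, Reply-To domains {sorted(reply_doms)}"

    # 3. Lookalike domain on the From address or any Reply-To address.
    hits = [d for d in {from_dom, *reply_doms} if is_lookalike(d)]
    if hits:
        findings["lookalike"] = f"domains impersonating a protected brand: {sorted(hits)}"
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        print(label, analyze(raw) or "no indicators")
```

The display-name and Reply-To checks are cheap and deterministic; the lookalike check is a heuristic, so treat its hits as triage signals for the people handling employee reports rather than as an automatic block.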
Include Multiple Attack Vectors
Don't limit your phish tour to email. SMS phishing (smishing) and voice phishing (vishing) are surging. The FBI IC3 data shows BEC and social engineering attacks increasingly use phone calls to validate fraudulent requests. A comprehensive phish tour includes at least one non-email simulation.
Phish Tour Results: What the Numbers Tell You
After running a full phish tour, you'll have data that drives real security decisions. Here's how to read it.
Click rate above 15%: Your organization has significant exposure. Prioritize immediate training intervention and consider tightening email filtering rules.
Credential submission rate above 10%: This is a critical finding. Employees are actively handing credentials to attackers. Deploy multi-factor authentication on every system immediately — it's the single most effective mitigation.
Report rate below 20%: Your employees don't know how to report suspicious emails, or they don't think it matters. Fix this by making the reporting process dead simple (a one-click button in the email client) and celebrating employees who report.
These benchmarks come from patterns I've observed across dozens of organizations. Your mileage will vary, but the direction is consistent: training and simulation reduce click rates by 50% or more within six months when done consistently.
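To make the baseline, the per-department segmentation and the benchmarks above concrete, here is an added scorecard script (not the author's tooling). It assumes the simulation platform exports one row per recipient carrying the most severe action they took (none, reported, clicked, submitted); the two-campaign event export below is constructed sample data, and the alert thresholds are the ones quoted in this section.

```python
"""Phish tour scorecard: click, credential-submission and report rates per
campaign and department, checked against the thresholds in the post, plus
the trend and the departments that stay above the line.

Added example, not the post's own tooling. Assumes one exported row per
recipient with their worst action; SAMPLE_EVENTS is constructed data.
"""
from dataclasses import dataclass

# Thresholds from the post: click > 15%, credential submission > 10% and
# report rate < 20% each call for action.
CLICK_ALERT = 0.15
CRED_ALERT = 0.10
REPORT_FLOOR = 0.20

# Constructed export: (campaign, department, recipient, outcome).
# outcome is the worst thing the recipient did; "submitted" implies a click.
SAMPLE_EVENTS = [
    ("2021-06-baseline", "finance", "f1", "submitted"),
    ("2021-06-baseline", "finance", "f2", "clicked"),
    ("2021-06-baseline", "finance", "f3", "none"),
    ("2021-06-baseline", "finance", "f4", "reported"),
    ("2021-06-baseline", "it", "i1", "reported"),
    ("2021-06-baseline", "it", "i2", "clicked"),
    ("2021-06-baseline", "it", "i3", "reported"),
    ("2021-06-baseline", "it", "i4", "none"),
    ("2021-07-invoice", "finance", "f1", "clicked"),
    ("2021-07-invoice", "finance", "f2", "reported"),
    ("2021-07-invoice", "finance", "f3", "none"),
    ("2021-07-invoice", "finance", "f4", "reported"),
    ("2021-07-invoice", "it", "i1", "reported"),
    ("2021-07-invoice", "it", "i2", "reported"),
    ("2021-07-invoice", "it", "i3", "none"),
    ("2021-07-invoice", "it", "i4", "reported"),
]


@dataclass
class Scorecard:
    delivered: int
    click_rate: float   # (clicked + submitted) / delivered
    cred_rate: float    # submitted / delivered
    report_rate: float  # reported / delivered

    def findings(self):
        """Actions the post prescribes for each threshold that is crossed."""
        out = []
        if self.click_rate > CLICK_ALERT:
            out.append("click rate above 15%: immediate training, tighten email filtering")
        if self.cred_rate > CRED_ALERT:
            out.append("credential submission above 10%: deploy MFA on every system")
        if self.report_rate < REPORT_FLOOR:
            out.append("report rate below 20%: one-click reporting, celebrate reporters")
        return out


def score(events, campaign=None, department=None):
    """Aggregate events, optionally filtered to one campaign and/or department."""
    rows = [e for e in events
            if (campaign is None or e[0] == campaign)
            and (department is None or e[1] == department)]
    n = len(rows)
    if n == 0:
        raise ValueError("no events match the filter")
    clicked = sum(1 for e in rows if e[3] in ("clicked", "submitted"))
    submitted = sum(1 for e in rows if e[3] == "submitted")
    reported = sum(1 for e in rows if e[3] == "reported")
    return Scorecard(n, clicked / n, submitted / n, reported / n)


def trend(events, department=None):
    """Click rate per campaign in date order (campaign ids sort chronologically)."""
    campaigns = sorted({e[0] for e in events})
    return [(c, score(events, c, department).click_rate) for c in campaigns]


def click_rate_reduction(events, department=None):
    """Fractional drop in click rate from the first campaign to the latest."""
    first, last = trend(events, department)[0][1], trend(events, department)[-1][1]
    return (first - last) / first if first else 0.0


def stubborn_departments(events):
    """Departments whose latest-campaign click rate is still above the alert line."""
    latest = max(e[0] for e in events)
    return [d for d in sorted({e[1] for e in events})
            if score(events, latest, d).click_rate > CLICK_ALERT]


if __name__ == "__main__":
    for campaign, rate in trend(SAMPLE_EVENTS):
        card = score(SAMPLE_EVENTS, campaign)
        print(f"{campaign}: click {rate:.0%} report {card.report_rate:.0%} -> {card.findings() or 'ok'}")
    print("still above the line:", stubborn_departments(SAMPLE_EVENTS))
```

Feed it the real export instead of SAMPLE_EVENTS and run it after every stop; the trend list and the reduction figure are the numbers to put in front of the board, and the stubborn-department list is the one that tells you where hands-on training goes next.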
Pair Your Phish Tour with the Right Training
Simulations without education are just gotcha games. Education without simulations is just theory. You need both.
Start with a strong foundation in phishing awareness training for organizations that covers the core tactics: urgency, authority impersonation, credential harvesting pages, malicious attachments, and pretexting. Then use your phish tour results to identify who needs additional reinforcement and what specific topics to cover.
The organizations I've seen make the biggest improvements are the ones that treat their phish tour as an ongoing program — not a one-time project. They run simulations monthly, rotate lure types quarterly, and update training content as new threats emerge.
Zero Trust Starts with Zero Assumptions About Your Users
The zero trust security model gets a lot of attention in 2021, and rightly so. But most conversations focus on network architecture — microsegmentation, least-privilege access, continuous verification. What gets overlooked is that zero trust applies to human behavior too.
You can't assume your employees will recognize a phishing email. You can't assume your executives won't fall for a BEC scam. You can't assume your IT team is immune to social engineering. A phish tour replaces assumptions with data.
Every organization that tells me "our people are pretty savvy" gets a surprise when we run the first simulation. The click rates are always higher than expected. Always.
Getting Started This Week
You don't need a six-figure budget or a dedicated red team to launch a phish tour. Here's a minimum viable plan:
- Week 1: Enroll your team in cybersecurity awareness training to establish foundational knowledge.
- Week 2: Send your baseline phishing simulation to the full organization. Track clicks, credential submissions, and reports.
- Week 3: Deliver targeted remedial training to everyone who clicked. Share anonymized, aggregate results with leadership.
- Week 4: Plan your next three simulations with escalating difficulty and different pretexts.
- Monthly: Run one simulation per month. Review trends quarterly. Adjust training content based on what the data shows.
Within 90 days, you'll have a clear picture of your human risk profile and a measurable improvement trend to show for it.
Your Employees Are Being Tested Right Now
Here's the uncomfortable truth: threat actors are already running their own phish tour against your organization. They're sending test emails, probing for weak links, and refining their approach based on who responds. The question isn't whether your employees will face a phishing attack. It's whether they'll recognize it when it happens.
The only way to get ahead of that curve is to test your people with realistic simulations, train them on what to look for, and build a culture where reporting suspicious messages is second nature. A structured phish tour does all three.
Start measuring. Start training. Start now — because the next real phishing email is already on its way.