
As a Security Technician, a big part of my role is helping clients strengthen their defenses against one of the most common and successful cyber threats out there: phishing. Phishing simulations have become one of the most effective ways to do that. They don’t just provide metrics; they uncover how an organization responds, where the risks are, and how prevalent a security-first approach is within the workplace.
Phishing simulations are critical because they address one of the biggest vulnerabilities in security: human error. Phishing is still the number one attack vector. In fact, independent research has shown that 91% of all cybersecurity attacks start with a phishing email.
Attackers today have shifted away from just hacking systems. They’re focused on hacking people because it’s often easier to trick someone into giving up credentials or downloading malware. Phishing simulations give us a way to measure how vulnerable a team really is to these tactics, and more importantly, they help strengthen that overall security posture.
More Than Just “Who Clicked”
A lot of people think phishing simulations are only about seeing who clicks the link. That’s not the case.
Phishing simulations provide a much deeper view into an organization’s security culture and readiness. They answer questions like:
- Do employees report suspicious emails?
- Which departments are more vulnerable?
- Are repeat offenders actually improving after training?
- Do employees feel comfortable questioning emails—even ones that look like they came from leadership?
Phishing simulations aren’t just a compliance checkbox. I look at them as a behavioral and technical stress test. They tell a story about how well training sticks in real-world situations and where the biggest risk points still exist.
The First Metrics I Look At
When I review results, the first things I pay attention to are the click rate and the report rate.
The click rate shows me the percentage of users who fell for the simulation. That’s our baseline measure of susceptibility. A high click rate is a clear sign of immediate vulnerability and the need for targeted training.
The report rate shows me how many employees recognized the threat and escalated it. Even if someone clicks, a strong reporting culture can reduce risk because it enables a fast response.
Where it gets interesting is when you put those two numbers together. For example:
- A low click rate paired with a low report rate suggests employees are just ignoring suspicious emails instead of reporting them. That’s still a risk.
- A high click rate with a high report rate means awareness is there, but behavioral and technical gaps still remain.
From there, I’ll dive into things like repeat offenders, departmental patterns, and response times to get the full picture.
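One way to turn raw simulation results into the numbers and patterns described in this section: click rate and report rate read together, departmental patterns, repeat offenders across campaigns, and time to report. This is an added example, not code from the original post or from EMBER; the record layout, the 25% low/high cut-off and the sample results are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median
# Constructed sample (not real data): (campaign, user, dept, clicked, reported, minutes-to-report or None)
EVENTS = [
    (1, "alice", "Finance", True, False, None),
    (1, "bob", "Finance", True, True, 45),       # clicked, then reported anyway
    (1, "carol", "Sales", False, True, 5),
    (1, "dave", "Sales", False, False, None),    # neither clicked nor reported
    (1, "erin", "IT", False, True, 2),
    (2, "alice", "Finance", True, False, None),  # clicked again: repeat offender
    (2, "bob", "Finance", False, True, 12),      # improved after training
    (2, "carol", "Sales", False, False, None),
    (2, "dave", "Sales", False, False, None),
    (2, "erin", "IT", False, True, 3),
]
def rates(events, campaign):
    # Click rate and report rate as percent of users targeted in one campaign.
    rows = [e for e in events if e[0] == campaign]
    clicks, reports = sum(e[3] for e in rows), sum(e[4] for e in rows)
    return round(100 * clicks / len(rows), 1), round(100 * reports / len(rows), 1)

def interpret(click_rate, report_rate, threshold=25.0):
    """Read both numbers together; threshold is an assumed low/high cut-off."""
    high_click, high_report = click_rate >= threshold, report_rate >= threshold
    if not high_click and not high_report:
        return "ignoring"        # low click, low report: mail is ignored, not reported
    if high_click and high_report:
        return "aware-but-gaps"  # awareness exists, behavioural gaps remain
    if high_click:
        return "vulnerable"      # high click, low report: immediate vulnerability
    return "healthy"             # low click, high report

def click_rate_by_department(events, campaign):
    targeted, clicked = defaultdict(int), defaultdict(int)
    for c, _, dept, click, _, _ in events:
        if c == campaign:
            targeted[dept] += 1
            clicked[dept] += click
    return {d: round(100 * clicked[d] / targeted[d], 1) for d in targeted}

def repeat_offenders(events, min_campaigns=2):
    # Users who clicked in at least min_campaigns distinct campaigns.
    hits = defaultdict(set)
    for c, user, _, click, _, _ in events:
        if click:
            hits[user].add(c)
    return sorted(u for u, cs in hits.items() if len(cs) >= min_campaigns)

def median_minutes_to_report(events, campaign):
    mins = [e[5] for e in events if e[0] == campaign and e[4] and e[5] is not None]
    return median(mins) if mins else None
```

The per-campaign figures are only comparable when the same population is targeted each time, so compare campaign-to-campaign trends rather than a single run in isolation.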
Talking to Leadership About Results
One of the things I always keep in mind is that raw numbers don’t mean much to leadership unless you translate them into business impact.
So instead of just saying “your click rate was 15%,” I’ll explain what that really means: in a real attack, 15% of your sensitive data or credentials could have been compromised. That strikes a different chord.
I also like to point out trends: “Are things improving after training?” or “Do we see recurring weaknesses?” Then I make recommendations that leadership can act on, like targeted training for high-risk groups or adjustments to security policies. The goal is to take technical data and turn it into a clear story about risk and the path to reducing it.
It’s Not a Gotcha
Something I always emphasize is that phishing simulations shouldn’t feel like a “gotcha” test. They’re meant to be constructive learning experiences.
That starts with communication and letting employees know the goal is to strengthen awareness and protect the company, not call people out. When reviewing results, I avoid shaming and instead highlight positives, like those who reported the email. I also provide immediate feedback and follow-up training tailored to what the simulation revealed.
If employees see it as a growth opportunity and not a punishment, they’re way more likely to engage and actually retain the knowledge.
How Phishing Tactics Are Evolving
Phishing has grown beyond just email. Under that umbrella you’ve got things like spear phishing, whale phishing, and even “vishing,” which is phishing done over the phone or VoIP.
What I’m seeing is that bad actors are putting way more effort into research. First, they’ll gather open-source intelligence (OSINT) on their targets. This might include combing through social media, finding public records, using satellite imagery, or even physically stalking a person. Then, they’ll use that information to craft a message or voicemail that is uniquely personal and often urgent. Emotional manipulation is the name of their game.
And while we have solid technologies that block a lot of phishing attempts, attackers are constantly finding ways to get around filters. That’s why I believe education is the most important defense.
At EMBER, we make sure our clients are consistently doing phishing simulations, engaging with the results, and using those metrics to build actionable improvements. We can’t stop attackers from evolving, but we can prepare people to recognize and respond to those threats.
Wrapping Up
To me, phishing simulations are about resilience. They’re not about embarrassing someone for clicking a link. They’re about uncovering risks, reinforcing a security-first culture, and making sure employees feel empowered to act when something doesn’t look right.
Because at the end of the day, it really only takes one click to create large-scale exposure. And the best way to stay ahead of that is to keep learning, keep testing, and keep building stronger defenses together.