How to Run a Phishing Test on Your Employees

July 26, 2018 by Stephen Moramarco

Is your company safe from phishing attacks? There are two ways to find out: either through a pre-planned simulation or an actual event. In this article, we’ll show you how to run a phishing test on your employees that will let you know how vulnerable you are before it’s too late.


To find out how vigilant your employees are against various forms of phishing attacks, InfoSec Institute has created the SecurityIQ platform and its application PhishSim. PhishSim, as the name implies, is a simulator that sends out phony phishing emails. However, instead of leading to a malicious website or virus, the link in a PhishSim email sends anyone who clicks it to a landing page that informs them of their error. This landing page can be customized and branded to your company.

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Email Templates

PhishSim makes it very easy to run a test on your employees. We have an Email Template Library that covers a wide range of standard phishing messages. These include templates created by InfoSec Institute as well as those from our user base. They are grouped into subjects such as Banking, Corporate Communications, and even Highest Phish Rate.

The templates all have information such as Difficulty, Open Rate and Phish Rate. You can select an email template that suits your company as-is, or you can duplicate it and modify as you see fit. You can also select New Template to create your own.

A few of the Banking Templates

Additionally, there are Data Entry Templates, which simulate login pages to such things as bank or email accounts. These can be used with Email Templates for a more sophisticated phishing simulation.


Paired with the phishing emails are Educations – a landing page with a message to anyone that clicks on the link, informing them that they have made a mistake. As with other elements of SecurityIQ, there is a library of Educations, which can be customized for your workplace.

Some Educations are a simple message; others include interactive videos. Regardless, whenever an employee clicks on a link and is sent to an Education, you will be alerted to the event.

Best Practices

When creating or choosing emails, it’s best to put on your “Criminal Minds” hat and think like a phisher or hacker. What departments are most vulnerable? Which type of communication is most likely to elicit a click?

While our Template Library is a great place to get started, try creating or customizing one for your company. Create an email with your boss’ name asking for a W-2. Send a phony invoice from a company you actually do business with.

Create a sense of urgency. Many phishing requests try to make the user act quickly without thinking, so emulate that in your email.

Drop subtle clues. Put in typos or misspell the company name. These should be red flags to the recipient.

Batteries and Campaigns

After you’ve created or chosen a selection of Email Templates and Educations, you can create Batteries and Campaigns. A Battery is a group of phishing emails that are sent at once, and a Campaign is a series of Batteries over a period of time. With a Campaign, you control such things as which employees get which emails, as well as the simulation duration.

Creating Batteries and Campaigns can be very easy; there is a Default Campaign that can be used as a good starting point.

The Start Campaign window

Running a Campaign

Once you’ve created or imported your employee address list and decided on the duration, you can start your Campaign. (It’s a good idea not to tell anyone that this is happening, so as to get a truer gauge of their vigilance.)

During the Campaign, you can view a variety of different reports from your Dashboard; they can also be emailed to you weekly. This will show you how many of your emails were opened or clicked, as well as those avoided or marked as spam.

The Phish Campaign Run Status details specific actions taken by individuals. You can use this information to require them to take further training courses in the AwareEd section of SecurityIQ.

A PhishSIM report


This is a very general overview of PhishSim and how to run a phishing test on your employees. SecurityIQ is intuitive to use, but the platform also has highly advanced features to ensure you are truly raising awareness about the dangers of phishing.

The best way to get started is to sign up for a free account. You can explore the different areas and even do a simulated Campaign with “learner bots” that can teach you more about how PhishSim works.

Don’t wait another day – start phishing your employees today before someone else does!

Stephen Moramarco

Stephen Moramarco is a freelance writer and consultant who lives in Los Angeles. He has written articles and worked with clients all over the world, including SecureGroup, LMG Security, Konvert Marketing, and Iorad.