All Collections
Initial setup
Tutorial: The CybSafe way to PHISH
Tutorial: The CybSafe way to PHISH

Our recommended approach to running your phishing simulations

Benedict Donaldson avatar
Written by Benedict Donaldson
Updated over a week ago


This tutorial will empower you to design, run, and analyse effective phishing simulations, the CybSafe way.


Step-by-step guide

Step 1: Set a goal

We recommend any of these three goals to begin with:

  • Gather insights into your organisation's susceptibility to phishing

  • Identifying your highest risk users

  • Increase phishing incident reporting

Step 2: Notify affected teams

  • Identify who needs to be notified: Communications teams, senior leaders, and security teams (who will experience an increase in phish reports) will all need a heads up.

  • Secure buy-in: Gain support from any required internal stakeholders who need visibility to ensure your campaign rollout will go smoothly when you launch.

    Example email:

    Dear <team>

    We’re writing to let you know that we’re soon going to launch a simulated phishing campaign using our partner CybSafe!

    CybSafe PHISH is an effective tool at helping people learn about new threats, and helps with a measurable increase on phishing report rates.

    Simulations will be delivered by email, at random times. You can find more information on PHISH here:


Step 3: Create a campaign

Head to the campaign creation page from the admin menu: PHISH > Create phishing campaign

Give it an name and click 'next'

Step 4 : Choose your audience

We recommend leaving this blank, so it applies to your entire organisation, including new joiners (this is automatic if you're set up with Active Directory). You will be shown the 'expected recipients' in a box on this page.

Step 5: Set up a sending schedule

Set your pre-agreed start date and set the campaign to 'continuous' to ensure you’re measuring and managing all year around risk, although you can schedule it for just a limited amount of time too if you wish.

Operating hours can be set to minimise out of hours notifications.

For the frequency of emails, we recommend 2 emails per 4 weeks, for a healthy all year round ratio.

Step 6: Select templates

You can design your own or make a selection from our list, but we’d suggest starting with the 'Fire and Forget' library. It has over 250 examples, complete with simulated landing pages & an intervention page. All you do is set a 'fire and forget' for the campaign.

Review your campaign. and click 'save draft'.

Your draft campaign will then be waiting in the 'deactivated' tab of the phishing campaigns page ready for you to activate.

Step 7: Invite your team to be a part of the solution

  • Inform employees about the campaign and its purpose: you're not trying to catch people out. Repeat this communication for maximum awareness. Need inspiration for these comms? Check out this template below.

    • At CybSafe, our research indicates you’ll get a much better result from your people when they are invited to be a part of the solution rather than broadcasting warnings that create fear of punishment.

  • “Silent” phishing campaigns are fine and necessary to understand baseline risk, but we don’t advise it as a long-term solution as it can impact dimensions of Trust & Fear & Punishment (as measured in GUIDE+ Culture survey). This is because some people feel “tricked” and are more likely to fear the security team.

  • By inviting people, you create engagement touchpoints and you are reinforcing trust in the security team. See at the bottom a suggestion of our invitation template.

  • Our research shows it’s most impactful if you can get leadership or senior folks to announce it with you. You might want to tie it in with any security awareness weeks you might be holding.

Phishing simulation announcement wording

Dear <team>

We're excited to announce the launch of a new program designed to strengthen our company's overall cybersecurity posture: phishing simulations! Fear not, these are not designed to catch you out, they are to help us understand how to help and protect you.

Why do we run phishing simulations?

  • Phishing simulations raise awareness of common phishing tactics so you can easily identify them in the future and help you develop stronger reflexes for handling suspicious emails.

If you think you have spotted a suspicious email, the most important thing is to report it. If you’re unsure how to report a suspected phishing email, we’re here to help.

How to report a suspicious email: [Tweak this based on your organisations process]

  • <provide guidance for reporting process in your organisation>

We'll be providing additional resources and information about phishing scams throughout the program.

Best wishes

<Team Name>

Step 8: Monitor

  • Monitor the reports available to you in CybSafe PHISH in the campaigns first week.

    • You’ll quickly get a sense of open, click & report rates

    • Over time, you’ll be able to study any particular trends in susceptibility techniques

  • Consider reaching out to the first few high risk individuals to seek understanding on the early phishing experience, looking to uncover any unknown frictions or pressures. Why did they click? What was their experience? Why didn’t they know to report?

Additional resources:

Did this answer your question?