Industry avg click rate: —
Risk reduction after training: 70%
Repeat simulation reduces clicks: 3×
Avg time to report a breach: 72 hrs
Immediate Actions
Do these within the next 48 hours
Employee Training
Teach your team to spot and report phishing
Technical Controls
Harden your email and IT infrastructure
Suggested Roadmap
Your 90-day security improvement plan
Manager Communication Templates
Copy-paste these to communicate results to your team
All-Staff Email — After Simulation
Subject: Important: Our Recent Phishing Security Test — What to Know
Hi Team,
We recently ran a simulated phishing test to measure our collective security awareness. The results help us understand where we need to focus our training.
[X]% of staff clicked the simulated phishing link. This is a learning opportunity, not a disciplinary matter — the goal is to make our whole team stronger.
What to do when you receive a suspicious email:
1. Do not click any links or download attachments.
2. Forward the email to IT or your manager immediately.
3. Delete the original email.
We will be running training sessions shortly. Thank you for your attention to this.
[Your Name]
Manager Note — High-Risk Department
Hi [Department Head],
Our phishing simulation revealed that [Department] had a [X]% click rate — the highest across our organization. This does not reflect poorly on your team; it tells us where we need the most support.
I'd like to schedule a 15-minute security briefing for your team this week. I'll share what the phishing email looked like and what red flags to watch for.
Could we find 15 minutes in the next 5 days?
[Your Name]