
3 April 2026

Why We Phish Our Own Clients (and You Should Too)

Running fake phishing campaigns against your own staff sounds cruel. Like setting traps for the colleague who brings in good biscuits. The first time clients ask about it, there's always a half-flinch: "won't people be upset?"

Honestly, yes, a few will be the first time. Then it becomes the thing that keeps them safe.

Here's why it works. Cyber security training delivered once a year as a 20-minute video is worthless. Nobody remembers anything. Half the staff click through without watching. Three weeks later a real phishing email arrives, disguised as a message from the managing director asking for an urgent bank transfer, and someone falls for it. That's how most real incidents start.

Simulated phishing flips the dynamic. Instead of telling people what phishing looks like in theory, you send them a realistic-looking email and see what happens. When someone clicks, they get a friendly landing page explaining what it was, what gave it away, and what to do next time. It's over in 30 seconds, it's genuinely memorable, and there's no actual risk.

What happens when you start

First campaign, expect 25 to 40% click-through. That's normal. Even among technical staff. Don't panic and don't blame anyone. The point isn't to shame people, it's to get a baseline.

Second campaign a few weeks later, click-through drops to 10 to 15%. By the third or fourth, you're at 3 to 5% and you have a workforce that notices unusual emails and reports them rather than opening attachments.

How to do it without creating bad feeling

  1. Tell everyone simulations are coming. Not the details, but the general policy. "We run periodic phishing tests as part of our security training." Nobody should be ambushed by the concept.
  2. No naming and shaming. Ever. Don't publish the list of clickers. Don't single people out in meetings. The whole point is learning.
  3. Training as the consequence. When someone clicks, they get a short training module, not a disciplinary. Two minutes, not an hour.
  4. Vary the difficulty. Start with obvious ones. Progress to realistic lookalikes. The finance team should eventually be tested with a fake invoice from a convincing-looking supplier.
  5. Report rate matters more than click rate. What you really want is staff actively reporting suspicious emails, not just avoiding them. A "Report Message" button in Outlook makes that a one-click action.

Tools we use

For clients we manage, we usually use uSecure, or Microsoft Attack Simulator for firms already on a Microsoft 365 E5 licence. There are plenty of alternatives out there. The tool matters less than consistency.

Run one every four to six weeks. Keep the results internal. Trend the numbers over time and show them to leadership. After a year you'll have a workforce that treats suspicious emails the way kitchen staff treat sharp knives. Casually, carefully, without cutting themselves.
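To show what "trend the numbers" and "report rate matters more than click rate" look like in practice, here is an added example (not from the post, and not code from uSecure or Microsoft) that aggregates per-campaign click and report rates without ever returning an individual's name. The campaign records are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: (campaign, recipient, clicked, reported).
# Both flags can be true: someone clicks the link and then reports it.
SAMPLE_EVENTS = [
    ("2026-01", "alice", True, False),
    ("2026-01", "bob", True, True),
    ("2026-01", "carol", False, False),
    ("2026-01", "dave", False, True),
    ("2026-02", "alice", False, True),
    ("2026-02", "bob", True, True),
    ("2026-02", "carol", False, False),
    ("2026-02", "dave", False, True),
    ("2026-03", "alice", False, True),
    ("2026-03", "bob", False, True),
    ("2026-03", "carol", False, True),
    ("2026-03", "dave", False, False),
]


@dataclass
class CampaignStats:
    sent: int
    clicked: int
    reported: int

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent


def summarise(events):
    """Aggregate per campaign; recipient names are dropped on purpose."""
    per_campaign = defaultdict(lambda: CampaignStats(0, 0, 0))
    for campaign, _recipient, clicked, reported in events:
        stats = per_campaign[campaign]
        stats.sent += 1
        stats.clicked += int(clicked)
        stats.reported += int(reported)
    return dict(sorted(per_campaign.items()))


def trend(events):
    """(campaign, click_rate, report_rate) in chronological order, for leadership."""
    return [(c, round(s.click_rate, 3), round(s.report_rate, 3))
            for c, s in summarise(events).items()]
```

The output is a single series per campaign, which is the only level of detail leadership needs and the only level that respects the no-naming-and-shaming rule.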

Want help setting this up for your team? Book a free consultation.