# Make Simulations Challenging but Fair

{% hint style="info" %}
Simulations are most effective when they mirror real-world threats without blindsiding employees. Too easy, and your team learns very little. Too tricky, and you erode trust, spike anxiety, and teach people to fear your security program instead of embracing it.

Simulations in Herd should help employees feel **prepared**, not punished.
{% endhint %}

***

### Foundations for Fair and Effective Simulations

These principles apply across every simulation type in Herd.

#### 1. Start at the Right Difficulty Level

Match difficulty to your organization's current security maturity.

| Level            | Characteristics                                                     |
| ---------------- | ------------------------------------------------------------------- |
| **Beginner**     | Generic sender names, clear urgency cues, mismatched URLs           |
| **Intermediate** | Branded templates, plausible scenarios, subtle red flags            |
| **Advanced**     | Highly targeted content, internal impersonation, multi-step attacks |

{% hint style="info" %}
In Herd, you can gradually increase simulation sophistication as your users improve over time.
{% endhint %}

#### 2. Never Use Emotionally Manipulative Content

Simulations should test alertness — not exploit personal fears.

{% hint style="danger" %}
**Avoid scenarios like:**

* *"Your paycheck has been delayed"* — creates real financial anxiety
* *"HR has flagged your conduct"* — triggers fear of job loss
* *"A family member has tried to reach you"* — crosses personal boundaries
{% endhint %}

#### 3. Always Follow Up with Education, Not Blame

When an employee falls for a simulation, the next step should be learning — not a public call-out.

{% hint style="info" %}
**In Herd:** Link a training module to your simulation so that when an employee fails, they are automatically enrolled in a follow-up course. Every miss becomes a structured learning opportunity.
{% endhint %}

#### 4. Maintain a Consistent, Rolling Cadence

Sporadic, one-off simulations feel like "gotcha" moments. Running simulations on a regular cadence — for example, monthly per employee — helps people see them as an ongoing part of your security program rather than rare surprises.

At the same time, keep individual messages unpredictable. Stagger send times and vary templates so employees might encounter a simulation while busy or distracted — just like a real attack.

{% hint style="success" %}
Communicate clearly that simulations are a standing, learning-focused control — not a punishment tool. This framing reduces stress while still teaching employees that suspicious messages can appear at any time.
{% endhint %}
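The cadence described above (one simulation per employee per month, staggered send times, rotating templates) is easy to get wrong by hand, so here is an added example of a small planner that applies those rules. It is illustration written for this page, not Herd's own scheduler; the category names, the 09:00 to 17:00 business window, the employee roster and the random seed are all constructed assumptions.

```python
"""Plan a rolling monthly cadence: one simulation per employee per month, at a
staggered send time inside business hours, using a template category different
from the one that employee saw last. Added example for this page, not Herd's own
scheduler; the categories, employee names and seed below are constructed."""
import random
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Template categories to rotate across (constructed; mirrors the page's IT / HR / vendor mix)
CATEGORIES = ["it_alert", "hr_communication", "vendor_invoice", "shared_document"]


def business_slots(year: int, month: int) -> List[datetime]:
    """Every 15-minute slot between 09:00 and 17:00 on weekdays of the given month."""
    day = datetime(year, month, 1)
    slots: List[datetime] = []
    while day.month == month:
        if day.weekday() < 5:  # Monday..Friday
            t = day.replace(hour=9, minute=0)
            while t.hour < 17:
                slots.append(t)
                t += timedelta(minutes=15)
        day += timedelta(days=1)
    return slots


def plan_month(employees: List[str], last_category: Dict[str, str],
               year: int, month: int, seed: int = 0) -> Dict[str, Tuple[datetime, str]]:
    """Assign each employee a (send_at, category) pair for the month.

    Send times are drawn without replacement so no two people get a message in
    the same slot (falls back to sampling with replacement if the roster is larger
    than the number of slots). The seed makes the plan reproducible for audit."""
    rng = random.Random(seed)
    slots = business_slots(year, month)
    if len(employees) <= len(slots):
        send_times = rng.sample(slots, len(employees))
    else:
        send_times = [rng.choice(slots) for _ in employees]
    plan: Dict[str, Tuple[datetime, str]] = {}
    for emp, send_at in zip(employees, send_times):
        # never repeat the category this employee saw last time
        fresh = [c for c in CATEGORIES if c != last_category.get(emp)]
        plan[emp] = (send_at, rng.choice(fresh))
    return plan


def plan_is_fair(plan: Dict[str, Tuple[datetime, str]], last_category: Dict[str, str]) -> bool:
    """Check the two cadence rules: business-hours weekday send time, no repeated category."""
    return all(
        9 <= send_at.hour < 17 and send_at.weekday() < 5 and cat != last_category.get(emp)
        for emp, (send_at, cat) in plan.items()
    )


if __name__ == "__main__":
    employees = ["alice", "bob", "carol"]                       # constructed roster
    last = {"alice": "it_alert", "bob": "hr_communication"}     # what each saw last month
    for emp, (when, cat) in plan_month(employees, last, 2024, 3, seed=7).items():
        print(f"{emp:6} {when:%Y-%m-%d %H:%M} {cat}")
```

Because the plan is seeded, you can regenerate it later to show exactly when and why each employee was targeted, which supports the "standing, learning-focused control" framing rather than a surprise.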

***

### Phishing Simulations

Phishing remains the most common attack vector. Effective simulations train employees to pause and review emails before acting — even when they appear legitimate.

#### What Makes a Phishing Simulation Effective

{% stepper %}
{% step %}
**Choose Realistic but Recognizable Scenarios**

Use scenarios employees are likely to encounter: shared document notifications, IT password resets, benefits enrollment reminders. Red flags should be present but not obvious.

* Use sender names that look almost correct (e.g., `support@company-helpdesk.com` vs. `support@company.com`)
* Include a plausible call-to-action — review a document, sign in to verify, confirm details
* Avoid obvious typos or broken formatting at beginner levels — real attacks increasingly look polished
{% endstep %}

{% step %}
**Build in Detectable Red Flags**

Each simulation should include at least one clear signal that something is off. The goal is to train employees to look for signals — not to trick them indefinitely.

* Mismatched reply-to and sender addresses
* URLs that don't match the claimed domain
* Unusual urgency or pressure to act within minutes
* Requests for credentials or sensitive information via email
{% endstep %}

{% step %}
**Vary Your Templates Over Time**

Reusing the same template only trains people to spot *that* simulation. Rotate scenarios across IT alerts, HR communications, and vendor invoices to keep coverage broad and realistic.

Track results in your Herd dashboard or within the specific campaign. You can also ask Herd AI for statistics on individual campaigns.
{% endstep %}
{% endstepper %}

{% hint style="info" %}
**In Herd:** Browse the simulation template library and rotate between categories each quarter. You can automate this by creating a phishing campaign that contains multiple templates.
{% endhint %}
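The "build in detectable red flags" step and the earlier rule against emotionally manipulative content are both checks you can run on a template before it goes out. The following added example is a small template linter that does exactly that: it passes a template only if at least one of the red flags listed above is present and none of the banned hooks appear. It is written for this page and is not Herd's tooling; the keyword lists, the `Template` fields, the Markdown-style link syntax and the `.example` sample templates are constructed assumptions.

```python
"""Lint a phishing-simulation template for fairness before it ships: it must carry at
least one detectable red flag (so a careful reader can catch it) and must not use the
emotionally manipulative hooks this page rules out. Added example for this page, not
Herd's template tooling; the keyword lists, Template fields and sample templates are
constructed assumptions."""
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

# Hooks the page says never to use -> why (constructed keyword list)
BANNED_HOOKS = {
    "paycheck": "creates real financial anxiety",
    "salary": "creates real financial anxiety",
    "conduct": "triggers fear of job loss",
    "disciplinary": "triggers fear of job loss",
    "family member": "crosses personal boundaries",
}
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "right away", "expires today")
CREDENTIAL_PHRASES = ("password", "sign in to verify", "confirm your credentials", "enter your login")
# Markdown-style link in the body: [display text](https://host/path)
LINK_RE = re.compile(r"\[([^\]]+)\]\((https?://[^)\s]+)\)")


@dataclass
class Template:
    sender: str          # From: address shown to the recipient
    reply_to: str        # Reply-To: address
    claimed_domain: str  # the domain the message pretends to come from
    body: str


@dataclass
class LintResult:
    red_flags: List[str] = field(default_factory=list)   # detectable signals present
    violations: List[str] = field(default_factory=list)  # banned emotional hooks found

    @property
    def fair(self) -> bool:
        return bool(self.red_flags) and not self.violations


def domain_of(address_or_url: str) -> str:
    """Domain part of an e-mail address, or the host of a URL, lower-cased."""
    if "@" in address_or_url:
        return address_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(address_or_url).hostname or "").lower()


def lint_template(t: Template) -> LintResult:
    r = LintResult()
    claimed = t.claimed_domain.lower()
    text = t.body.lower()
    if domain_of(t.sender) != domain_of(t.reply_to):
        r.red_flags.append("reply-to domain differs from sender domain")
    if domain_of(t.sender) != claimed:
        r.red_flags.append(f"sender domain {domain_of(t.sender)} is not {claimed}")
    for display, href in LINK_RE.findall(t.body):
        if domain_of(href) != claimed:
            r.red_flags.append(f"link '{display}' goes to {domain_of(href)}, not {claimed}")
    if any(p in text for p in URGENCY_PHRASES):
        r.red_flags.append("unusual urgency or pressure to act quickly")
    if any(p in text for p in CREDENTIAL_PHRASES):
        r.red_flags.append("requests credentials via email")
    for hook, reason in BANNED_HOOKS.items():
        if hook in text:
            r.violations.append(f"'{hook}': {reason}")
    return r


# Constructed sample templates (fictional .example domains)
FAIR_TEMPLATE = Template(
    sender="it-support@company-helpdesk.example",
    reply_to="it-support@company-helpdesk.example",
    claimed_domain="company.example",
    body="Your mailbox is almost full. Please [review your storage settings]"
         "(https://company-helpdesk.example/storage) within 24 hours to avoid interruption.",
)
UNFAIR_TEMPLATE = Template(
    sender="hr@company.example",
    reply_to="hr@company.example",
    claimed_domain="company.example",
    body="Your paycheck has been delayed. Please [sign in](https://company.example/pay) to confirm.",
)

if __name__ == "__main__":
    for name, tpl in (("fair", FAIR_TEMPLATE), ("unfair", UNFAIR_TEMPLATE)):
        result = lint_template(tpl)
        print(name, "-> ship" if result.fair else "-> fix", result)
```

The second sample fails for two independent reasons: it leans on a paycheck scare, and every address and link matches the claimed domain, so there is nothing a vigilant employee could have spotted. Both are exactly the cases the principles above rule out.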

#### What to Track

| Metric               | What It Tells You                                                     |
| -------------------- | --------------------------------------------------------------------- |
| **Click rate**       | Percentage of recipients who clicked the simulated link               |
| **Report rate**      | Percentage who flagged the message as suspicious                      |
| **Dwell time**       | Time between delivery and click — longer often indicates more caution |
| **Repeat offenders** | Employees who fail multiple simulations and may need targeted support |

***

### SMS Phishing (Smishing) Simulations

Smishing is growing quickly, and employees are often less guarded on their phones than on email — which makes smishing simulations a valuable but frequently underused control.

#### What Makes a Smishing Simulation Effective

* **Mirror common SMS scams** — package delivery failures, bank alerts, two-factor prompts, or IT helpdesk texts
* **Keep messages concise** — real smishing attacks are short and direct
* **Include a link** the employee is asked to tap or visit, and use a plausible sender name or short code
* **Account for the mobile context** — on mobile, employees can't hover over links to preview URLs; design simulations that teach mobile-specific detection skills like recognizing shortened links, unfamiliar numbers, and unexpected requests

{% hint style="warning" %}
**Fairness consideration:** Because smishing is newer to many employees than email phishing, start with clear red flags (unfamiliar sender numbers, misspelled brand names) before progressing to more subtle scenarios.
{% endhint %}

{% hint style="info" %}
**In Herd:** Create a smishing simulation by choosing SMS as the delivery channel, then customize the message and link destination.
{% endhint %}

#### What to Track

| Metric                        | What It Measures                                        |
| ----------------------------- | ------------------------------------------------------- |
| **Link click rate**           | The SMS equivalent of email click rate                  |
| **Report rate**               | Percentage of employees who flagged the suspicious text |
| **Follow-up completion rate** | Training completion after a failure                     |

***

### Voice Phishing (Vishing) Simulations

Vishing simulates phone-based social engineering — where attackers pose as IT support, executives, vendors, or auditors to obtain sensitive information or access.

#### What Makes a Vishing Simulation Effective

{% tabs %}
{% tab title="Realistic Scripts" %}
Because vishing is interactive, you need a realistic script that reflects common attack patterns — IT asking for credentials to "fix an issue," an executive assistant requesting urgent wire transfer approval, or a vendor seeking account access.

* Keep the script natural and conversational
* Use realistic pressure tactics: urgency, authority, a "helpful" tone
* Define clear limits for what the simulated caller will and won't ask for
{% endtab %}

{% tab title="Convincing but Catchable" %}
The most effective vishing simulations are believable yet still offer cues for a vigilant employee to catch.

* Caller asks for full credentials instead of simple identity confirmation
* Scenario attempts to bypass normal processes (*"we need to do this before the ticket system comes back online"*)
* Caller discourages verification through another channel
{% endtab %}

{% tab title="Debrief Always" %}
Because vishing involves real-time interaction, it carries more emotional weight than a link click. Whether an employee passes or fails, follow up with a clear explanation of what happened and what to watch for next time.

* Brief managers before running vishing simulations so they can support their teams
* After the campaign, send a company-wide reminder that it is always acceptable to hang up and verify via a known number
* Avoid blame or shame — vishing exploits trust and helpfulness, not incompetence
{% endtab %}
{% endtabs %}

{% hint style="warning" %}
**Fairness considerations:** Vishing is typically harder than email or SMS simulations because it uses live conversation and social pressure.

* Expect higher failure rates — frame success around improved awareness and reporting, not perfection
* Start with clearly suspicious scenarios before moving to subtle pretexts
* Avoid scenarios involving job loss, discipline, or personal crises
* Make your rules of engagement explicit: what callers will never ask for, whether calls are recorded, and how results are used
{% endhint %}

#### What to Track

| Metric                       | What It Measures                                                 |
| ---------------------------- | ---------------------------------------------------------------- |
| **Compliance rate**          | Percentage of employees who provided the requested information   |
| **Hang-up and verify rate**  | Employees who ended the call and confirmed via a trusted channel |
| **Escalation / report rate** | Employees who reported the call to IT or security                |
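The three "What to Track" tables (email phishing, smishing and vishing) all reduce to rates over a campaign's event log, plus one cross-campaign view for repeat offenders. The following added example computes all of them from one record format; it serves all three tables and is written for this page, not Herd's reporting code. The `Event` fields, the action labels (`clicked`, `reported`, `complied`, `hung_up_verified`) and the sample log are constructed assumptions; "escalation / report rate" for vishing is taken to be the `reported` action.

```python
"""Compute the metrics from the three "What to Track" tables over a campaign event
log, plus the cross-campaign repeat-offender list. Added example for this page, not
Herd's reporting code; the event records and field names are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional

# Outcomes that count as a miss: a link tap/click, or a caller being given the info
FAIL_ACTIONS = {"clicked", "complied"}


@dataclass
class Event:
    campaign: str
    channel: str                  # "email", "sms" or "voice"
    employee: str
    delivered_at: datetime        # email/SMS delivery time, or call start
    action: Optional[str]         # "clicked", "reported", "complied", "hung_up_verified" or None
    action_at: Optional[datetime] = None


def _rate(evs: List[Event], action: str) -> float:
    """Percentage of recipients whose recorded action is `action`, one decimal."""
    return round(100.0 * sum(1 for e in evs if e.action == action) / len(evs), 1)


def campaign_metrics(events: List[Event]) -> Dict[str, dict]:
    """Per-campaign rates. Email/SMS campaigns get click rate and median dwell time;
    voice campaigns get compliance and hang-up-and-verify rates. Report rate
    (escalation rate for voice) is computed for every channel."""
    by_campaign: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_campaign[e.campaign].append(e)
    out: Dict[str, dict] = {}
    for cid, evs in by_campaign.items():
        m = {"channel": evs[0].channel, "recipients": len(evs),
             "report_rate": _rate(evs, "reported")}
        if evs[0].channel in ("email", "sms"):
            m["click_rate"] = _rate(evs, "clicked")
            # dwell time: delivery -> click; longer usually means more hesitation
            dwell = [(e.action_at - e.delivered_at).total_seconds()
                     for e in evs if e.action == "clicked" and e.action_at]
            m["median_dwell_s"] = median(dwell) if dwell else None
        else:
            m["compliance_rate"] = _rate(evs, "complied")
            m["hang_up_verify_rate"] = _rate(evs, "hung_up_verified")
        out[cid] = m
    return out


def repeat_offenders(events: List[Event], threshold: int = 2) -> List[str]:
    """Employees who missed in at least `threshold` distinct campaigns: candidates
    for targeted support and follow-up training, not for public call-outs."""
    misses: Dict[str, set] = defaultdict(set)
    for e in events:
        if e.action in FAIL_ACTIONS:
            misses[e.employee].add(e.campaign)
    return sorted(emp for emp, camps in misses.items() if len(camps) >= threshold)


def _t(h: int, m: int) -> datetime:            # helper for the constructed log below
    return datetime(2024, 3, 12, h, m)


# Constructed event log: one email, one SMS and one voice campaign
SAMPLE_EVENTS = [
    Event("phish-q1", "email", "alice", _t(9, 0), "clicked", _t(9, 2)),
    Event("phish-q1", "email", "bob",   _t(9, 0), "reported", _t(9, 10)),
    Event("phish-q1", "email", "carol", _t(9, 0), "clicked", _t(9, 30)),
    Event("phish-q1", "email", "dave",  _t(9, 0), None),
    Event("phish-q1", "email", "erin",  _t(9, 0), "reported", _t(9, 5)),
    Event("smish-q1", "sms",   "alice", _t(14, 0), "clicked", _t(14, 1)),
    Event("smish-q1", "sms",   "bob",   _t(14, 0), None),
    Event("smish-q1", "sms",   "carol", _t(14, 0), "reported", _t(14, 20)),
    Event("smish-q1", "sms",   "dave",  _t(14, 0), None),
    Event("vish-q1",  "voice", "alice", _t(11, 0), "complied", _t(11, 4)),
    Event("vish-q1",  "voice", "bob",   _t(11, 0), "hung_up_verified", _t(11, 2)),
    Event("vish-q1",  "voice", "carol", _t(11, 0), "reported", _t(11, 6)),
    Event("vish-q1",  "voice", "dave",  _t(11, 0), "hung_up_verified", _t(11, 3)),
]

if __name__ == "__main__":
    for cid, m in campaign_metrics(SAMPLE_EVENTS).items():
        print(cid, m)
    print("repeat offenders:", repeat_offenders(SAMPLE_EVENTS))
```

Note that `repeat_offenders` counts distinct campaigns, not total clicks, so one busy morning does not mark someone as a pattern; and the output is a list for targeted support, in line with the "education, not blame" principle above.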

***

### Putting It All Together

{% hint style="success" %}
The strongest programs treat simulations as **structured practice**, not pop quizzes. When you pick realistic scenarios, avoid cheap emotional hooks, and clearly explain what you were testing — people understand that the goal is to help them handle real threats, not to call them out.
{% endhint %}

In Herd, you can run coordinated phishing, smishing, and vishing simulations, automatically trigger follow-up training, and use your results over time — clicks, reports, escalations — to tune difficulty rather than to shame individuals. That steady calibration is what builds long-term trust in your security team and real confidence in spotting attacks.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://herd-security.gitbook.io/herd-security-docs/how-to-documentation/make-simulations-challenging-but-fair.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
