Make Simulations Challenging but Fair
Simple practices for designing phishing, smishing, and vishing simulations that genuinely build resilience while keeping your program credible and fair.
Simulations are most effective when they mirror real-world threats without blindsiding employees. Too easy, and your team learns very little. Too tricky, and you erode trust, spike anxiety, and teach people to fear your security program instead of embracing it.
Simulations in Herd should help employees feel prepared, not punished.
Foundations for Fair and Effective Simulations
These principles apply across every simulation type in Herd.
1. Start at the Right Difficulty Level
Match difficulty to your organization's current security maturity.
Beginner
Generic sender names, clear urgency cues, mismatched URLs
Intermediate
Branded templates, plausible scenarios, subtle red flags
Advanced
Highly targeted content, internal impersonation, multi-step attacks
In Herd, you can gradually increase simulation sophistication as your users improve over time.
2. Never Use Emotionally Manipulative Content
Simulations should test alertness — not exploit personal fears.
Avoid scenarios like:
"Your paycheck has been delayed" — creates real financial anxiety
"HR has flagged your conduct" — triggers fear of job loss
"A family member has tried to reach you" — crosses personal boundaries
3. Always Follow Up with Education, Not Blame
When an employee falls for a simulation, the next step should be learning — not a public call-out.
In Herd: Link a training module to your simulation so that when an employee fails, they are automatically enrolled in a follow-up course. Every miss becomes a structured learning opportunity.
4. Maintain a Consistent, Rolling Cadence
Sporadic, one-off simulations feel like "gotcha" moments. Running simulations on a regular cadence — for example, monthly per employee — helps people see them as an ongoing part of your security program rather than rare surprises.
At the same time, keep individual messages unpredictable. Stagger send times and vary templates so employees might encounter a simulation while busy or distracted — just like a real attack.
Communicate clearly that simulations are a standing, learning-focused control — not a punishment tool. This framing reduces stress while still teaching employees that suspicious messages can appear at any time.
Phishing Simulations
Phishing remains the most common attack vector. Effective simulations train employees to pause and review emails before acting — even when they appear legitimate.
What Makes a Phishing Simulation Effective
Choose Realistic but Recognizable Scenarios
Use scenarios employees are likely to encounter: shared document notifications, IT password resets, benefits enrollment reminders. Red flags should be present but not obvious.
Use sender names that look almost correct (e.g.,
support@company-helpdesk.comvs.support@company.com)Include a plausible call-to-action — review a document, sign in to verify, confirm details
Avoid obvious typos or broken formatting at beginner levels — real attacks increasingly look polished
Build in Detectable Red Flags
Each simulation should include at least one clear signal that something is off. The goal is to train employees to look for signals — not to trick them indefinitely.
Mismatched reply-to and sender addresses
URLs that don't match the claimed domain
Unusual urgency or pressure to act within minutes
Requests for credentials or sensitive information via email
Vary Your Templates Over Time
Reusing the same template only trains people to spot that simulation. Rotate scenarios across IT alerts, HR communications, and vendor invoices to keep coverage broad and realistic.
Track results in your Herd dashboard or within the specific campaign. You can also ask Herd AI for statistics on individual campaigns.
In Herd: Browse the simulation template library and rotate between categories each quarter. You can automate this by creating a phishing campaign that contains multiple templates.
What to Track
Click rate
Percentage of recipients who clicked the simulated link
Report rate
Percentage who flagged the message as suspicious
Dwell time
Time between delivery and click — longer often indicates more caution
Repeat offenders
Employees who fail multiple simulations and may need targeted support
SMS Phishing (Smishing) Simulations
Smishing is growing quickly, and employees are often less guarded on their phones than on email — which makes smishing simulations a valuable but frequently underused control.
What Makes a Smishing Simulation Effective
Mirror common SMS scams — package delivery failures, bank alerts, two-factor prompts, or IT helpdesk texts
Keep messages concise — real smishing attacks are short and direct
Include a link the employee is asked to tap or visit, and use a plausible sender name or short code
Account for the mobile context — on mobile, employees can't hover over links to preview URLs; design simulations that teach mobile-specific detection skills like recognizing shortened links, unfamiliar numbers, and unexpected requests
Fairness consideration: Because smishing is newer to many employees than email phishing, start with clear red flags (unfamiliar sender numbers, misspelled brand names) before progressing to more subtle scenarios.
In Herd: Create a smishing simulation by choosing SMS as the delivery channel, then customize the message and link destination.
What to Track
Link click rate
The SMS equivalent of email click rate
Report rate
Percentage of employees who flagged the suspicious text
Follow-up completion rate
Training completion after a failure
Voice Phishing (Vishing) Simulations
Vishing simulates phone-based social engineering — where attackers pose as IT support, executives, vendors, or auditors to obtain sensitive information or access.
What Makes a Vishing Simulation Effective
Because vishing is interactive, you need a realistic script that reflects common attack patterns — IT asking for credentials to "fix an issue," an executive assistant requesting urgent wire transfer approval, or a vendor seeking account access.
Keep the script natural and conversational
Use realistic pressure tactics: urgency, authority, a "helpful" tone
Define clear limits for what the simulated caller will and won't ask for
The most effective vishing simulations are believable yet still offer cues for a vigilant employee to catch.
Caller asks for full credentials instead of simple identity confirmation
Scenario attempts to bypass normal processes ("we need to do this before the ticket system comes back online")
Caller discourages verification through another channel
Because vishing involves real-time interaction, it carries more emotional weight than a link click. Whether an employee passes or fails, follow up with a clear explanation of what happened and what to watch for next time.
Brief managers before running vishing simulations so they can support their teams
After the campaign, send a company-wide reminder that it is always acceptable to hang up and verify via a known number
Avoid blame or shame — vishing exploits trust and helpfulness, not incompetence
Fairness considerations: Vishing is typically harder than email or SMS simulations because it uses live conversation and social pressure.
Expect higher failure rates — frame success around improved awareness and reporting, not perfection
Start with clearly suspicious scenarios before moving to subtle pretexts
Avoid scenarios involving job loss, discipline, or personal crises
Make your rules of engagement explicit: what callers will never ask for, whether calls are recorded, and how results are used
What to Track
Compliance rate
Percentage of employees who provided the requested information
Hang-up and verify rate
Employees who ended the call and confirmed via a trusted channel
Escalation / report rate
Employees who reported the call to IT or security
Putting It All Together
The strongest programs treat simulations as structured practice, not pop quizzes. When you pick realistic scenarios, avoid cheap emotional hooks, and clearly explain what you were testing — people understand that the goal is to help them handle real threats, not to call them out.
In Herd, you can run coordinated phishing, smishing, and vishing simulations, automatically trigger follow-up training, and use your results over time — clicks, reports, escalations — to tune difficulty rather than to shame individuals. That steady calibration is what builds long-term trust in your security team and real confidence in spotting attacks.
Last updated