Easy, Regular, Hard: Phishing Test Difficulty Levels Explained
Every phishing simulation platform asks you the same question when you build a campaign: what difficulty? At Bait & Phish that's a three-way choice - easy, regular, or hard - and it's the single biggest variable in your click rate. Choose wrong and you either bore your users (and learn nothing) or sandbag them (and torch goodwill on a campaign that should have been a teaching moment).
This post explains exactly what those three levels mean, what design choices go into each, who they're for and how to build a difficulty progression that gets your click rate trending down month over month without anyone feeling ambushed.
The DIFFICULTY constant: why three tiers and not five
Bait & Phish uses a three-value difficulty system - easy, regular, hard - applied to every template across all five intent categories (credential harvesting, authority impersonation, financial pretext, IT helpdesk and delivery/logistics). Three tiers is a deliberate design choice. Five-tier and ten-tier systems read well on a comparison sheet but fail in practice because the gradations are too small for a non-specialist administrator to choose between, and the reporting becomes noisy.
Three tiers map cleanly to three real human reactions: "I should have caught that" (easy), "that could have been real" (regular), and "I genuinely didn't see it" (hard). If you can describe a template's difficulty in one of those three sentences, the system is doing its job.
Easy: the obvious-tells tier
An easy template contains at least three of the classic red flags an alert employee should catch in under five seconds. They're not amateur emails - they're calibrated to be catchable by someone who has been through any baseline awareness course.
Design rules for an easy template:
- Mismatched sender domain. A "Microsoft" notification from microsft-secure[.]com or a hyphen-laden lookalike.
- Generic salutation. "Dear Customer," "Dear User," "Dear Account Holder."
- Visible spelling or grammar errors. One or two clear typos, awkward sentence construction.
- Mid-tier urgency. "Your account will be suspended in 24 hours" - pressuring but cliché.
- Branding inconsistency. Wrong logo, off-brand color, outdated footer.
Use easy templates as your baseline campaign, in the first 30-60 days of a new program, with new hires during onboarding and as a periodic confidence check after a heavier hard-difficulty round. They keep the program psychologically safe while you build momentum.
Regular: the plausible-but-flawed tier
Regular templates remove the visual tells. The grammar is clean, the branding is correct and the pretext makes sense for the recipient's job. What gives them away is one or two mid-level cues - a sender domain that looks right but isn't, a destination URL that doesn't match the action, an unusual call to action from an otherwise familiar context.
Design rules for a regular template:
- Plausible business context. A shared file from a colleague, a routine HR update, an expected vendor invoice.
- Clean copy and accurate branding. Real logo, correct fonts, no obvious errors.
- One subtle technical mismatch. A reply-to that doesn't match the from address, a link domain one character off from the legitimate one, an attachment file extension that looks normal but isn't.
- Plausible-but-not-personalized pretext. The email could apply to anyone in the recipient's role; it's not yet weaponized with their specific projects.
Regular is the workhorse difficulty for most programs. Once your first three campaigns establish a baseline, regular is where you spend most of the year. It's the difficulty that mirrors the bulk of real-world commodity phishing.
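The easy and regular design rules above are mechanical enough to lint for. The script below is an added example, not Bait & Phish code: it parses a template as an RFC 5322 message and reports the visible tells the post assigns to the easy tier (generic salutation, clichéd urgency, a brand name stuffed into a hyphenated or foreign domain) and the subtle mismatches it assigns to the regular tier (Reply-To domain differing from From, a domain one character off a legitimate one, a document extension hiding an executable). The allow list of legitimate domains, the regexes, the tier thresholds and the two sample messages are all assumptions constructed for this example.

```python
"""Heuristic lint for a phishing-simulation template (added example, not Bait & Phish code).
Reports the visible tells the post assigns to the easy tier and the subtle mismatches it
assigns to the regular tier. Allow list, regexes, thresholds and samples are assumptions."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

LEGIT_DOMAINS = {"example.com", "microsoft.com", "sharepoint.com"}  # assumed allow list
BRAND_LABELS = {d.split(".")[0] for d in LEGIT_DOMAINS}
SALUTATION_RE = re.compile(r"^\s*dear\s+(customer|user|account holder)\b", re.I | re.M)
URGENCY_RE = re.compile(r"\b(suspend\w*|within 24 hours|in 24 hours|immediately|act now)\b", re.I)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?)\.(exe|scr|js|hta|lnk|vbs)$", re.I)

def edit_distance(a, b):
    """Levenshtein distance; 1 means a single-character lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header):
    return parseaddr(str(header))[1].rpartition("@")[2].lower()

def domain_cue(host, where):
    """(severity, text) for a host off the allow list: one character off a legitimate
    domain is subtle; a near-brand label inside a foreign domain is visible."""
    host = host.lower().rstrip(".")
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return None
    if any(edit_distance(host, legit) == 1 for legit in LEGIT_DOMAINS):
        return ("subtle", f"{where} domain {host} is one character off a legitimate domain")
    for token in re.split(r"[.-]", host):
        if any(edit_distance(token, brand) <= 1 for brand in BRAND_LABELS):
            return ("visible", f"{where} domain {host} wraps the near-brand label '{token}'")
    return ("subtle", f"{where} domain {host} is not on the allow list")

def lint_template(raw):
    """Tier rule (assumption, from the post): easy = 3+ visible tells; regular = no
    visible and 1-2 subtle; no tells = hard candidate for human review; else review."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom, reply_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    found = [domain_cue(from_dom, "From")]
    if reply_dom and reply_dom != from_dom:
        found.append(("subtle", f"Reply-To domain {reply_dom} differs from From domain {from_dom}"))
    text = ""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            if DOUBLE_EXT_RE.search(name):
                found.append(("subtle", f"attachment {name} hides an executable behind a document extension"))
        elif part.get_content_type() in ("text/plain", "text/html"):
            text += part.get_content()
    if SALUTATION_RE.search(text):
        found.append(("visible", "generic salutation"))
    if URGENCY_RE.search(str(msg.get("Subject", "")) + "\n" + text):
        found.append(("visible", "cliched suspension/urgency pressure"))
    found += [domain_cue(host, "link") for host in sorted(set(URL_RE.findall(text)))]
    cues = {"visible": [], "subtle": []}
    for cue in found:
        if cue:
            cues[cue[0]].append(cue[1])
    n_vis, n_sub = len(cues["visible"]), len(cues["subtle"])
    if n_vis >= 3:
        cues["suggested_tier"] = "easy"
    elif n_vis == 0 and 1 <= n_sub <= 2:
        cues["suggested_tier"] = "regular"
    else:
        cues["suggested_tier"] = "hard-candidate" if n_vis + n_sub == 0 else "review"
    return cues

EASY_SAMPLE = """From: "Microsoft Account Team" <no-reply@microsft-secure.com>
Subject: Your account will be suspended
Content-Type: text/plain

Dear Customer,
We detected unusual sign-in activity. Your account will be suspended in 24 hours
unless you verify your details at https://microsft-secure.com/verify now.
"""
REGULAR_SAMPLE = """From: "Dana Whitfield (HR)" <hr@example.com>
Reply-To: hr@examp1e.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Alex, the revised Q3 payroll calendar is attached and also posted at
https://example.com/hr/payroll. Please confirm by Friday.
--b1
Content-Type: application/octet-stream; name="payroll_calendar.pdf.exe"
Content-Disposition: attachment; filename="payroll_calendar.pdf.exe"

MZ
--b1--
"""
```

Running `lint_template(EASY_SAMPLE)` returns four visible cues and the tier "easy"; `lint_template(REGULAR_SAMPLE)` returns no visible cues, two subtle ones (the Reply-To mismatch and the double extension) and the tier "regular". A template that produces no cues at all is reported as a hard candidate rather than as hard, because the tells that make a hard template work (a real executive's writing style, a real project name) are exactly the ones a regex cannot see; that tier still needs a human reviewer.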
Hard: the spear-phishing tier
Hard templates are designed to be missed. They're indistinguishable from real spear-phishing without careful inspection: perfect grammar, accurate branding, a sender that maps to a real internal person or vendor and contextual hooks pulled from public information about the organization. They reflect what attackers actually send when they're targeting a high-value mark - a CFO, a payroll lead, an IT admin, a board member.
Design rules for a hard template:
- Executive impersonation done well. The "from" name and writing style match a real executive; the request is plausible from that person.
- Project- or event-specific context. References to a real current initiative, conference, customer or vendor - sourced from public LinkedIn, a press release or a company blog.
- Polished landing page. The cloned login or document page is pixel-correct, with valid TLS, no certificate warning and a believable URL structure.
- Time pressure that makes business sense. Not "your account will be suspended" but "I need this wired before the close - flying in three minutes."
- Single, specific recipient framing. The email feels written to this person, not blasted to 4,000 inboxes.
Hard difficulty is where you learn what your real-world resilience looks like. Reserve it for executives, finance teams, IT administrators and anyone with privileged access. Apply it sparingly - typically one to two hard campaigns per year, after your easy/regular pipeline has earned the trust to run them.
Building a difficulty progression that works
The mistake most first-year programs make is picking a difficulty and sticking with it. The goal isn't to land at one number; it's to build a curve. A workable 12-month progression for a brand-new program looks like this:
- Months 1-2: Easy templates across the entire org. Establish baseline. Click rate will likely be in the 8-15% range.
- Months 3-6: Regular templates org-wide, easy templates for new hires only. Expect the click rate to rise when the difficulty steps up, then fall as remediation training takes hold.
- Months 7-9: Mostly regular with one hard campaign for executives and finance. Difficulty mix appears in reporting.
- Months 10-12: Regular as the floor; hard campaigns reserved for high-risk cohorts; one easy campaign as a confidence check.
The Verizon Data Breach Investigations Report and the FBI Internet Crime Complaint Center (IC3) both consistently show that real attacks span this entire range - commodity phishing blasts at scale, plus highly targeted BEC and spear-phishing against executives. A program that only tests at one difficulty is only measuring resilience to one type of attack.
Where the easy/regular/hard line moves over time
One subtlety that catches programs off-guard: the calibration is not static. A template that landed as "hard" three years ago - clean grammar, decent branding, plausible context - would be classified as "regular" today, because attackers' tooling caught up. AI-assisted lure generation, in particular, has compressed the difference between mid-tier and top-tier social engineering. See our AI-generated phishing post for the full picture.
Bait & Phish recalibrates the template library yearly to keep the three difficulty tiers anchored to the current threat surface. Programs that build their own templates internally need to do the same; difficulty drift is the silent reason a stable click rate isn't actually evidence of stable resilience.
Common mistakes when picking difficulty
- Always running easy. Comfortable, but produces a falsely flat trend. Real attackers do not exclusively send easy lures.
- Jumping to hard for the first campaign. Produces a high click rate that scares the org and undermines the program's social license to keep running.
- Running the same difficulty on every cohort. Executives need hard. New hires need easy. A single difficulty across all is overdosing one and underdosing the other.
- Not telling executives that hard-tier campaigns are coming. Plant the policy expectation up front. The right answer to "this seems unfair" is the policy doc that the executive signed off on.
- Treating click rate as the sole metric. Time-to-report and remediation completion matter as much. A user who clicked and immediately reported is closer to the right behavior than a user who didn't click but never reports anything either.
Difficulty mix and reporting
Once you're running mixed-difficulty campaigns, your reporting needs to reflect it. A 5% overall click rate is meaningless without a difficulty breakdown: 5% on easy templates and 5% on hard templates describe two very different organizations. Bait & Phish reports surface the difficulty alongside every campaign result, so an executive briefing can show:
- Click rate by difficulty (easy / regular / hard) over time
- Cohort breakdown - for example, executives' performance on hard templates versus general staff on regular
- Trend lines per difficulty so a flat-looking overall number doesn't hide a worsening hard-difficulty signal
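To make the last point concrete, here is an added example (not Bait & Phish reporting code) that slices constructed campaign results by difficulty, cohort and period and flags the case the post warns about: an overall click rate that looks flat or slightly better while the hard-tier rate is getting worse. It also carries the report rate alongside the click rate, since time-to-report and reporting behaviour matter as much as clicks; the cohort names, periods and counts are assumptions, and per-event timestamps for time-to-report are not modelled.

```python
"""Difficulty-aware reporting over simulation results (added example, not Bait & Phish code).
The rows are constructed so the overall click rate improves slightly between periods
while the hard-tier rate doubles, the masking the post warns about. Cohorts, periods
and counts are assumptions; time-to-report would need per-event timestamps not modelled here."""
from collections import defaultdict

RESULTS = [  # one constructed row per campaign and cohort
    {"period": "2024-Q3", "difficulty": "regular", "cohort": "staff", "sent": 1000, "clicked": 60, "reported": 400},
    {"period": "2024-Q3", "difficulty": "hard", "cohort": "executives", "sent": 50, "clicked": 10, "reported": 20},
    {"period": "2024-Q4", "difficulty": "regular", "cohort": "staff", "sent": 1000, "clicked": 45, "reported": 450},
    {"period": "2024-Q4", "difficulty": "hard", "cohort": "executives", "sent": 50, "clicked": 20, "reported": 12},
]

def summarise(rows):
    """Totals plus click and report rates for any slice of rows."""
    sent = sum(r["sent"] for r in rows)
    clicked = sum(r["clicked"] for r in rows)
    reported = sum(r["reported"] for r in rows)
    return {"sent": sent, "clicked": clicked, "reported": reported,
            "click_rate": clicked / sent if sent else 0.0,
            "report_rate": reported / sent if sent else 0.0}

def breakdown(rows, *dims):
    """Slice by any dimensions, e.g. breakdown(rows, "difficulty", "period")
    or breakdown(rows, "cohort", "difficulty"); keys are tuples of dim values."""
    groups = defaultdict(list)
    for r in rows:
        groups[tuple(r[d] for d in dims)].append(r)
    return {key: summarise(g) for key, g in sorted(groups.items())}

def hidden_regressions(rows, tolerance=0.01):
    """Difficulties whose click rate rose by more than `tolerance` between the first
    and last period while the overall click rate did not: the flat headline number
    that hides a worsening hard-tier signal."""
    periods = sorted({r["period"] for r in rows})
    first, last = periods[0], periods[-1]
    by_period = breakdown(rows, "period")
    overall_delta = by_period[(last,)]["click_rate"] - by_period[(first,)]["click_rate"]
    by_diff = breakdown(rows, "difficulty", "period")
    flagged = {}
    for diff in sorted({r["difficulty"] for r in rows}):
        if (diff, first) in by_diff and (diff, last) in by_diff:
            delta = by_diff[(diff, last)]["click_rate"] - by_diff[(diff, first)]["click_rate"]
            if delta > tolerance and overall_delta <= tolerance:
                flagged[diff] = round(delta, 4)
    return flagged

if __name__ == "__main__":
    for key, s in breakdown(RESULTS, "difficulty", "period").items():
        print(key, f"click {s['click_rate']:.1%}  report {s['report_rate']:.1%}")
    print("hidden regressions:", hidden_regressions(RESULTS))
```

With these rows the overall click rate moves from 6.7% to 6.2%, which a headline chart would present as progress, while `hidden_regressions` reports that the hard tier went from 20% to 40% and the executives' report rate on hard templates fell. That is the per-difficulty trend line the briefing needs.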
Cyber insurance underwriters increasingly want this difficulty-mix breakdown too - see our guide to cyber insurer phishing questions for the renewal application context.
Where Bait & Phish fits
Every Bait & Phish template ships with a difficulty rating, and every campaign builder lets you select the mix at the moment of launch. You can run org-wide easy campaigns, executive-only hard campaigns or department-specific regular campaigns from the same dashboard. Auto-assigned remediation training fires the moment a user clicks, regardless of difficulty, so a hard-tier failure becomes a teaching moment instead of an HR problem.
If you're starting from scratch, run a single easy campaign across a 25-user free trial this week, look at the result and use the next post in this series to build a 90-day plan from there. If you'd rather walk through a difficulty progression with a human, contact us or browse pricing - and if you want to see how the platform runs the campaigns end-to-end, the simulated phishing attacks page walks through the full flow.
External authoritative references on phishing-attack realism and trends include the Verizon DBIR, the FBI Internet Crime Complaint Center (IC3) annual Internet Crime Report, the Anti-Phishing Working Group (APWG), CISA, and NIST SP 800-50 on security awareness program design.
Related program operations and how-to guides
- Auto-assigned training for click events
- How to write effective phishing email templates
- Launch your first phishing simulation in 30 minutes
- Phishing simulation maturity model (5-tier framework)
- Bulk-import employees via CSV
- Multilingual phishing simulation programs