What Is Simulated Phishing? Definition, Examples, ROI
A working definition first, before the marketing language gets in the way. Simulated phishing is the controlled practice of sending fake phishing messages to your own employees and measuring how they react. The messages look like the kind of thing real attackers send, but they originate from a sanctioned platform, every interaction is logged and any user who clicks is automatically routed to a short piece of remediation training. That's the entire idea, and most of the rest of this post is unpacking what those three sentences mean in practice.
Simulated phishing has been a recognized control in security awareness programs since the late 2000s, and over the last fifteen years it has graduated from a niche tool used by penetration testers to a baseline expectation under SOC 2, HIPAA, PCI DSS 4.0, ISO 27001 and most cyber insurance renewals. If you operate without one in 2026, the absence shows up on auditor findings, insurer questionnaires and post-incident forensic reports.
How a simulated phishing campaign actually works
Strip away the dashboards and the run looks like this. An administrator selects a template - say, a fake password-expiry notice or a shipping-status update - picks a target group, schedules a send window and launches. The platform delivers the message from its own infrastructure, with tracking pixels and tagged links that don't transmit anything beyond the click event. If a user clicks the link, the platform records the timestamp, browser and user identity, then either presents an educational landing page or redirects to an assigned training module. If the user submits credentials on a cloned login page, that's a separate, more serious data point that gets flagged in reporting.
Some users will report the message to IT instead of clicking. That's the reverse signal - the one that actually matters most over time. A mature program tracks reporting rate alongside click rate; a tool like the Outlook one-click phish-report add-in turns reporting into a single button that takes seconds, which materially raises the rate. The goal of a program isn't a 0% click rate - it's a high reporting rate combined with a low click rate, sustained over months.
Three real examples across email, SMS and voice
Phishing is no longer an email-only problem, and a credible 2026 program covers all three channels. Three representative examples:
- Email: a templated "Your Microsoft 365 password expires in 24 hours - click to reset" message, sent from a lookalike domain, linking to a cloned login page. This is the highest-volume real-world attack and the easiest training entry point.
- SMS (smishing): a short text "FedEx package #4892 held - verify address" with a shortened URL. SMS phishing has surged in the last three years and has a higher conversion rate than email because of the implicit trust people give their phones.
- Voice (vishing): an automated or live caller posing as a help-desk agent who asks the employee to read out a one-time code to "verify their identity" for a ticket they never opened. Vishing has exploded since 2023 thanks to inexpensive AI voice cloning.
A modern simulation platform should be able to run all three. Bait & Phish runs email, SMS and voice campaigns from the same dashboard, with consistent reporting across channels so a CISO doesn't have to triangulate between three tools.
Template categories and difficulty levels
Realism matters. Sending the same "Nigerian prince" template every month produces low click rates and zero learning. Effective programs draw from several intent categories at multiple difficulty levels. Bait & Phish ships templates across five categories: Banking and Finance (account alerts, fraud notices), Consumer and Shipping (FedEx, Amazon, USPS lookalikes), Social Media and Cloud (LinkedIn invites, password expiries, shared documents), IT and Business (help-desk tickets, ticketing-system notices, internal IT alerts) and Events and Government (tax notifications, conference invitations, jury duty).
Within each category, templates are tagged at three difficulty levels: easy (obvious typos, generic salutations), regular (clean formatting, plausible context) and hard (target-specific personalization, internal jargon, near-pixel-perfect cloning). A real program rotates difficulty so the click rate doesn't artificially flatten - and so executive-targeted whaling templates get tested against the executives, not just front-line staff.
What happens after a click - the part most programs get wrong
The single largest predictor of program effectiveness isn't the simulation itself; it's what happens in the next sixty seconds. Manual remediation ("we'll talk to them at the next 1:1") is functionally the same as no remediation. Auto-assigned training that fires the moment a user clicks - a 3 to 7 minute interactive module on the specific tactic that fooled them - is what produces the behavior change you can measure on next month's campaign.
The NIST SP 800-50 update (Building a Cybersecurity and Privacy Learning Program) reinforces this principle: training is most effective when it is contextual and delivered close to the moment of failure, not aggregated into an annual lecture-style course. A 2026 program should be able to show median time-to-training-completion in hours, not weeks.
The ROI math, the way a CFO will hear it
Three lines:
- Avoided incident cost. The IBM Cost of a Data Breach Report consistently puts the global average breach in the multi-million-dollar range, with phishing as one of the most common initial-access vectors per the Verizon DBIR. A program that reduces successful credential phishing by even 30% has a defensible expected-value argument.
- Cyber insurance premium reduction. Brokers report typical reductions of 5-15% for organizations that can show continuous monthly campaigns with auto-assigned training, versus organizations that can't. On a $50,000 annual premium, that's $2,500 to $7,500 of recovered budget - often more than the platform itself costs. The nine questions cyber insurers ask are now answered with platform exports.
- Reduced help-desk and IR load. Every reported phish that gets stopped at triage is a ticket that didn't become an incident. Mature programs reduce credential-reset and account-lockout volume measurably.
For most organizations between 50 and 5,000 employees, the program pays for itself in the first prevented credential-theft incident.
Where simulated phishing fits with broader security awareness training
A phishing simulation by itself is a measurement, not a curriculum. The simulation tells you which users would have failed; the curriculum is what teaches them why and what to do differently. The two have to operate as a single program, with the simulation triggering the training and the training feeding back into the next simulation. Programs that run simulations without an integrated training library tend to plateau - users learn to spot one template, and the click rate flattens without behavior actually improving.
The integrated model - phishing simulation, behavior-triggered training, multi-channel coverage and reporting - is what NIST SP 800-50 describes in its updated guidance and what most cyber insurers, SOC 2 auditors and ISO 27001 lead auditors expect to see when they ask about awareness controls. Bait & Phish was built around that integration from the start; we ship the simulation engine and the training library as a single platform with one user list, one reporting export and one dashboard.
Operational lessons from running programs since 2010
A few things that don't appear in the marketing brochures, learned across more than fifteen years of running these programs:
- Communicate, don't surprise. A pre-launch email from the CEO explaining that the program is starting, why and that no one will be punished for clicking dramatically improves engagement. Programs that launch without communication generate complaints; programs that launch with executive sponsorship generate participation.
- Mix difficulties on every cycle. Pure-easy campaigns produce low click rates that look good on a slide but teach nothing. Pure-hard campaigns produce demoralizing click rates and a culture of resentment. Mix three or four templates of different difficulty in the same cycle so the curve is smooth.
- Watch the reporting rate, not just the click rate. An organization that reports 30% and clicks 10% is healthier than one that reports 5% and clicks 5%. Reporting is the active defensive behavior; clicking is the failure mode. Optimize for the former.
- Expect a six-month lag for the data to mean something. The first three months are noisy. By month six the trend line is real. Don't change strategy on the basis of one month's number - change it on a quarter's.
- Accept that you'll never reach zero. A 1% click rate on a hard-difficulty template is not a failure. The goal is reduced expected loss across the program, not a flawless single campaign.
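To make the last three lessons concrete, here is an added Python example (not code from this post or from Bait & Phish) that computes click, credential-submission and reporting rates from a constructed set of monthly campaign results, applies the "reporting must outrun clicking" check, queues clickers for the auto-assigned training described earlier, and averages the numbers per quarter so a strategy change rests on three months of data rather than one. The action codes and campaign data are assumptions for the example.

```python
from statistics import mean

# Constructed sample (not Bait & Phish data): six monthly campaigns mapping each
# recipient to the actions logged for them. Assumed codes: c = clicked the tracked
# link, s = submitted credentials on the cloned page, r = reported, "" = nothing.
CAMPAIGNS = {
    "2026-01": {"alice": "c", "bob": "r", "carol": "cs", "dave": "", "erin": "cr"},
    "2026-02": {"alice": "c", "bob": "r", "carol": "c", "dave": "r", "erin": ""},
    "2026-03": {"alice": "r", "bob": "r", "carol": "c", "dave": "", "erin": "r"},
    "2026-04": {"alice": "r", "bob": "r", "carol": "cr", "dave": "r", "erin": ""},
    "2026-05": {"alice": "", "bob": "r", "carol": "r", "dave": "r", "erin": "c"},
    "2026-06": {"alice": "r", "bob": "r", "carol": "r", "dave": "", "erin": "r"},
}

def clicked(actions: str) -> bool:  # a credential submission implies a click
    return "c" in actions or "s" in actions

def campaign_metrics(campaign: dict) -> dict:
    """Rates for one campaign. A user who clicks and then reports counts in both
    numerators: the report is good, but the click is still the failure mode."""
    sent = len(campaign)
    return {
        "click_rate": sum(clicked(a) for a in campaign.values()) / sent,
        "submit_rate": sum("s" in a for a in campaign.values()) / sent,
        "report_rate": sum("r" in a for a in campaign.values()) / sent,
    }

def is_healthy(metrics: dict) -> bool:
    """The post's rule of thumb: the reporting rate must outrun the click rate."""
    return metrics["report_rate"] > metrics["click_rate"]

def training_queue(campaign: dict) -> list:
    """Users to auto-enrol in remediation right after the click; credential
    submitters are queued first because that is the more serious data point."""
    hit = [u for u, a in campaign.items() if clicked(a)]
    return sorted(hit, key=lambda u: ("s" not in campaign[u], u))

def quarterly_trend(campaigns: dict) -> list:
    """Average monthly rates over three-month windows, so strategy changes rest
    on a quarter's data rather than one noisy month."""
    months, trend = sorted(campaigns), []
    for i in range(0, len(months), 3):
        window = [campaign_metrics(campaigns[m]) for m in months[i:i + 3]]
        trend.append({
            "from": months[i],
            "click_rate": mean(w["click_rate"] for w in window),
            "report_rate": mean(w["report_rate"] for w in window),
        })
    return trend
```

In the sample data the first quarter fails the health check on two of three months while the second passes on all three, which is the shape of trend line the post says to wait six months for.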
Common objections and what to say back
Three you'll hear:
- "This will damage trust." Properly framed and disclosed in the security policy, it doesn't. Employees who understand the program is for their protection (and that there's no individual punishment for clicking) generally engage well. Programs that hide behind theatre or punish individuals do harm trust - that's a program design problem, not a phishing simulation problem.
- "We do annual training already." Annual training has near-zero retention at 90 days. Continuous, behaviorally triggered micro-training is the modern standard and it's what every major control framework now expects.
- "Our spam filter catches phishing." Filters catch known patterns; phishing succeeds by being novel. The DBIR tracks year over year that a meaningful fraction of phishing reaches inboxes regardless of filter quality.
Building the program - the short version
If you're starting from zero, the practical sequence is:
- Get executive sign-off and a one-page policy.
- Import your user list.
- Run a baseline campaign at the easy or regular difficulty level.
- Look at the click rate without judgment.
- Schedule monthly campaigns at rotating difficulties and categories.
- Turn on auto-assigned training.
After three months you'll have a trend line; after twelve you'll have a story for your board, your auditor and your insurer.
Bait & Phish has been running phishing simulation programs for organizations of every size since 2010 - fifteen-plus years of templates, tactics and reporting refined against real attacker behavior. You can start a free trial with up to 25 users, no credit card and run your first campaign this week. If you want to talk through scoping for a larger rollout, see pricing or reach out directly.