What is a phishing simulation, and is it ethical to send to my family?

A phishing simulation is a safe, fake scam — a text, email, or robocall that looks real but harms nothing if clicked. The point is teaching: a near-miss in a controlled setting trains the brain to spot a real one. Yes, it's ethical for families when the people enrolled know in general that drills happen (without knowing exactly when). It's the same model used in cybersecurity for 20 years, now adapted for households. Done with consent and without shaming, it builds reflexes that knowing about scams alone never does.

How often should I run a phishing drill on my family?

Every two to four weeks. Less frequent and the lessons fade; more frequent and people start treating every message as a test, which dulls the signal. Vary the channel (text, email, voice), the pretext (delivery, bank, family emergency), and the urgency level. Track the click rate over time — a typical family drops from 30%+ click rate at the start to under 5% within three to six months. The goal isn't zero — it's a built-in pause-and-verify reflex that survives the next real scam.

Can a phishing simulation backfire and damage trust?

Only if it's run badly. Two rules prevent damage. First, get general consent up front — everyone enrolled knows drills happen, even if they don't know when. Second, never use real emergencies as the pretext (don't fake a hospital call, don't impersonate a real grandchild). Use generic delivery, bank, and tax themes. After every drill, send a short debrief — what was the red flag, why did it work — instead of mocking the click. Done this way, simulations build family trust because everyone is now on the same team against scammers.

Are there free phishing simulation tools for families?

A handful of cybersecurity companies offer free-tier phishing tools designed for businesses, which can be adapted for families with some technical effort. Family-focused services like ScamDrill bundle the simulation, debrief, and reporting in a flow designed for non-technical users — so a 70-year-old parent can be enrolled by an adult child without setting up SMTP servers. The key features to look for: realistic templates that match current scam waves, an explanation screen that fires when someone clicks, and a dashboard so the family lead can see who needs more practice.

For Families

Phishing Simulation for Families: Why It Works and How to Start This Weekend

Published April 18, 2026 · 11 min read · By the ScamDrill Team

For fifteen years, every serious corporate IT team has done the same thing: sent fake phishing emails to their own employees. Not to be mean. To build muscle memory. When the real attack comes — and it always does — employees who’ve been “caught” by a simulated version know what to look for.

The results are measurable. Organizations that run regular phishing simulations see a 40% reduction in click-through on phishing emails within 90 days, and up to 86% within a year, according to KnowBe4’s 2025 Phishing by Industry Benchmark Report. SoSafe and Proofpoint report similar numbers.

Here’s the question we started asking in 2024: why doesn’t your family get the same training as the people at a random mid-sized accounting firm in Ohio?

$16.6B Reported losses from U.S. consumer fraud in 2024, up 33% year over year. Most of it started with a phishing email or text.

Source: FTC Consumer Sentinel Network Data Book 2024

What is a “phishing simulation,” exactly?

A phishing simulation is a controlled, harmless fake scam. You (or a service like ScamDrill) send a realistic-looking phishing email or text to the person you’re trying to protect. It looks exactly like a real scam — fake UPS delivery alert, fake bank login, fake “your Apple ID is locked” email. But if they click, they don’t end up on a scammer’s site. They end up on a friendly page that says: “Gotcha — but this was a drill. Here’s what you missed.”

That’s it. No shame. No cost. Just a teachable moment delivered at the exact moment the brain is most able to learn from it.

Why it works: the research on “just in time” learning

The strongest evidence for phishing simulations isn’t that they teach people the red flags — books can do that. It’s that they deliver the lesson at the moment of the click.

A 2025 University of Chicago study of phishing training efficacy found that annual cybersecurity training produced a 9.5% reduction in phishing failures. But contextual, interactive training delivered at the moment of failure — “you just clicked, here’s why this was a scam” — drove reductions closer to 19%. A UC San Diego study of 19,500 healthcare workers, covered in the same literature, showed that the recency of general training had no correlation with whether someone fell for a simulated attack. The only thing that reliably predicted safer behavior was repeated exposure to simulated attacks with immediate feedback.

Put simply: knowing what phishing looks like and not clicking on a real one under time pressure are two different skills. Only one of them transfers. The research calls this “embodied” knowledge — the difference between reading about swimming and having swum.

“Reading about scams and not falling for one under time pressure are two different skills. Only one of them transfers.”

Why families are even better candidates than companies

Here’s something that surprised us once we started running family simulations at scale: families respond better than employees do.

Why? A few reasons:

There’s no career consequence. When a simulated phishing email goes out at work, the subtext is “don’t embarrass yourself in front of HR.” At home, your mom isn’t worried about her performance review. She can laugh about it and actually absorb the lesson.
The stakes feel more real. Your parents’ retirement savings are, in fact, your parents’ retirement savings. The emotional salience of the training matches the emotional salience of the actual threat.
Family members can debrief the lesson together. A study cited in recent corporate-training research noted that employees often “began discussing phishing with their families” after workplace training — which strengthened security culture at home. We’re cutting out the middle step.
Scammers target families, not corporations, for most consumer-dollar fraud. Business email compromise gets the headlines, but the FTC says investment fraud, imposter scams, and romance scams — the overwhelming majority of dollars lost by Americans — hit consumers at home.

Is it ethical to “trick” your family?

We get this question a lot, and it’s worth addressing head-on. The short answer: yes, if you do it right.

Ethical phishing simulations — at the workplace or at home — share three properties:

Consent at the program level, not the email level. You don’t need to tell your mom that a simulated phishing email is coming on Tuesday at 3pm. You do need to tell her, up-front, that you’ve enrolled her in a safety program that will occasionally test her and teach her. Just like a company enrolls new employees in security training at orientation.
No shame, ever. The moment someone “falls for” a drill, the messaging is: “This was designed to be hard to catch. You’re not alone — here’s what the real scam would have done next.” We’ve literally never seen a good outcome from a shame-based simulation.
No data extracted, ever. A legitimate simulation never actually captures a password, a credit card, or a SSN. It logs the click and stops there. ScamDrill does not ever collect credentials from simulated attacks, and no ethical service does.

Corporate ethics review boards and major CISO organizations have generally endorsed this model for 15 years. It’s the same model.

What a bad simulation looks like

“I’m going to text Mom pretending to be her bank and see what she does.” No. This has no teaching component, and it positions you as the bad actor. The simulation is only useful if it ends with a clear, kind educational moment that the victim never feels defensive about. Use a dedicated platform, not a pocket experiment.

What a family phishing simulation program looks like

Here’s the rollout we recommend for a family of four (e.g., two aging parents, two adult children):

Week 0 — The setup conversation

Tell every family member, in plain language:

“I’m enrolling us in a service that sends fake scam texts and emails so we can all get better at spotting real ones.”
“If you fall for one, nothing bad happens — you’ll just see a page that explains what the real scam would have done.”
“It’s going to happen every couple of weeks. We’ll compare notes.”

Do not skip this step. The ethics and the effectiveness both hinge on it.

Week 1 — Baseline simulation

One simulated phishing email per family member, at different times. For parents, we’d typically start with something gentle — a fake Amazon shipping confirmation or a fake Netflix billing issue. For teens, a fake Discord security alert or Instagram login notification. Establish where everyone is starting.

Weeks 2–8 — Rotate scam types

Hit each family member with 2–3 simulations per month, varying the scam type. Cover the greatest hits:

USPS / FedEx package smishing texts — $470M lost to these in 2024 alone
Bank fraud alerts (“suspicious login detected”)
“Your Apple ID has been locked” emails
IRS / Social Security / Medicare imposters
Fake invoice or subscription renewal emails
“Someone tagged you in a photo” Facebook/Instagram phishing
Fake DocuSign or e-signature requests

Week 9+ — Sustain and escalate

This is the step that actually matters. The research is clear: one-time simulations don’t produce durable behavior change. Ongoing, rotating exposure does. Keep simulations going indefinitely, at a frequency that’s often enough to matter (we recommend 1–2 per family member per month) but not so often that people start flagging every email as a test.

Gradually escalate difficulty. Start with obvious red flags, work up to the AI-polished, personalized attacks that are actually showing up in inboxes in 2026.

Don’t DIY this. We literally built the tool.

ScamDrill handles the scheduling, the templates, the teaching pages, and the tracking — so you don’t have to explain to your mom why you just texted her a fake UPS alert. Family plans are designed for 2–6 people, and the whole setup takes less than 10 minutes.

Start a family plan →

What to expect in the first three months

Based on the thousands of family simulations ScamDrill has run, here’s a rough expectation-setting for what the first 90 days look like:

Month 1: Most family members fall for 30–50% of simulations. This is normal. The FBI IC3 data says adult click rates on realistic phishing hover around 30%. You’re not starting worse than the average Fortune 500 employee.
Month 2: Click rates drop to 15–25%. Family members start forwarding suspicious real emails to each other asking “is this a drill or real?” — which is the exact habit you wanted.
Month 3: Click rates typically settle around 5–10%. Perhaps more importantly, family members start spontaneously catching real scams that land in their inbox, because their brain is pattern-matching against the drills.

Common objections (and honest answers)

“Won’t this make my mom paranoid?”

In our experience, the opposite. Without training, aging adults often report feeling vaguely anxious about a world where “everything might be a scam.” With training, they feel calmer because they have a concrete, learnable skill. Paranoia is ambient dread. Pattern recognition is confidence.

“My parents are too old to learn this.”

Not true, and the data disagrees. AARP’s Fraud Watch Network has published results showing that adults 65+ who go through structured scam-awareness training show susceptibility reductions comparable to younger adults. Older adults are not less capable of learning this. They’re being targeted by attacks that are specifically designed around their trust-based social patterns.

“Can’t I just do this myself with free tools?”

Technically yes, if you’re a security engineer. Practically, no. A good simulation program needs: varied templates that stay current with new scam types, proper email authentication so your simulations don’t look too fake (or end up in spam), teaching pages that load instantly, tracking that doesn’t require you to read server logs, and a way to avoid triggering your parents’ spam filters. This is why ScamDrill exists.

Start this weekend

If you do nothing else:

Have the “I’m enrolling us in a safety program” conversation with your family members.
Sign up for any ongoing phishing-simulation service — ours or someone else’s, but something.
Commit to one simulation per family member per month, minimum, for the next six months. Put it in your calendar.

Your family’s click rate will be measurably lower by July. More importantly, the next time a real scammer catches your parent on a bad day, they’ll have a trained instinct to pause. That instinct is the entire game.

For the broader context on why aging parents specifically need this, see our companion piece: How to Protect Elderly Parents from Scams: A 2026 Family Playbook. For teens, see How to Teach Kids About Online Scams Without Scaring Them.