How long does it take to roll out a phishing simulation program?

Thirty days from kickoff to first scheduled drill is typical for a sub-100-person company. Week one: pick a vendor, get leadership sign-off, draft an employee announcement. Week two: import the employee directory, configure the first three templates, run a no-employee dry run to confirm delivery. Week three: send a baseline drill to leadership only (so they experience it first), then a soft launch to a willing pilot team. Week four: full company launch and the start of a monthly cadence. Companies that try to launch on day one without a pilot tend to get blocked by the first internal complaint.

Should I tell employees we're running a phishing test?

Yes — once, broadly, and only that drills happen, not when. The announcement is a paragraph in your security policy or a one-time email: 'as part of our security program, we periodically send simulated phishing messages so we can practice spotting them. No one is graded individually; results are aggregated.' This sets consent and removes the gotcha framing. Employees who know drills exist still click them at industry-standard rates initially — knowing it might happen doesn't stop the reflex; only practice does. What it does prevent is the trust-damaging surprise.

What click rate is normal on a phishing simulation?

Industry baseline is 30-45% on the first untrained drill across most office-based businesses. Higher for sales teams (lots of unknown-sender email is normal for them) and operational roles; lower for engineering and finance. By the third monthly drill the rate typically drops to 12-20%. By month six, well-run programs settle in the 3-6% range. Teams stuck above 15% after six months usually have a debrief problem — the drill happens but the explanation doesn't — or are running drills only quarterly, which is too infrequent to build the spotting reflex.

How do I handle the employee who fails the test repeatedly?

Coach, don't shame. The repeat-clicker is usually either rushing through email between meetings or genuinely doesn't see the patterns yet. Manager-led 15-minute coaching after the second consecutive click solves most of it: walk them through the actual red flags in the message they clicked. Public shaming or punishment is the most reliable way to break a phishing program — employees stop reporting real suspicious emails because they're afraid of being judged. Your 'champion' metric should be the report rate of real phishing, not the click rate alone. The two together are what you optimize.

For Small Business

Phishing Simulation for Small Business: A 30-Day Rollout Plan (Template Included)

Published April 18, 2026 · 14 min read · By the ScamDrill Team

Editorial cover illustration with the headline ‘Catch your team before they do’ alongside a sketched envelope dangling on a string labeled ‘SIMULATED’ — representing a 30-day phishing simulation rollout plan for small businesses

You’ve read the case for why SMBs need phishing simulation. You agree. Now the question: how do you actually launch one without destroying trust, triggering HR complaints, or accidentally making your team hate you?

This is the 30-day rollout plan we recommend to every small business setting up a phishing simulation program for the first time. It’s designed for a 5-to-100 person company without a dedicated security team. Office managers, IT leads, COOs, and founder-operators can run it directly.

40% Reduction in phishing risk that well-run simulation programs achieve in the first 90 days, per 2025 industry research. 86% reduction by one year.

Source: KnowBe4 Phishing by Industry Benchmark Report 2025

Before you start: the three pre-conditions

A phishing simulation will succeed or fail based on three things you must establish before sending the first test email.

Pre-condition 1: Executive buy-in, especially the CEO

The CEO must be the first person to click on a simulated phishing email, and the first person to talk about it publicly. Without this, phishing simulations feel like IT’s weird experiment. With it, they become a company culture.

Before you launch, get 15 minutes with the CEO. Show them the click rate data. Explain the program. Get their explicit public commitment to participate, and to talk about their own failures openly.

Pre-condition 2: A no-blame policy in writing

Write a one-paragraph policy that says, in plain language: “We run phishing simulations because everyone — including the CEO — occasionally misses them. If you click on a simulated phishing email, nothing happens except that you get a short learning page. There will be no HR consequences. Individual results are not shared with managers. We track team-level trends only. If someone clicks on a real phishing email and reports it promptly, we thank them publicly.”

This policy is what makes employees trust the program. Without it, every simulated click feels like a trap.

Pre-condition 3: A report-phish button and a place for reports to go

Before you run any simulations, make sure every employee has a one-click way to report a suspicious email. Most email platforms (Microsoft 365, Gmail, Proofpoint) have add-ins for this. Reported emails should go to a shared mailbox or your MSP, not sit in a folder nobody checks.

Days 1–7: The announcement week

Do not start with a surprise simulation. Start with a transparent announcement. Here’s a sample template we’ve seen work well:

Sample launch email from the CEO

Subject: New: phishing simulation program (& I’ll probably fail the first one)

Hi team,

Starting next week, we’re going to start running realistic-but-fake phishing tests across the company. You’ll occasionally receive an email that looks like a real phishing attempt — a fake invoice, a fake DocuSign, a fake Microsoft login alert. If you click on it, nothing bad happens. You’ll see a short page explaining what the red flags were.

We’re doing this because research is really clear: people get better at spotting real scams when they’ve recently seen a fake one. Most Fortune 500 companies run programs like this. Our industry is increasingly being targeted, and I’d rather our team’s first encounter with a convincing phishing email be a drill than the real thing.

Four important things:

Individual results will not be shared with managers. We track team-level trends only.
There are no HR consequences for clicking. Ever.
If you see something suspicious — drill or real — use the new “Report Phish” button in your email. That’s the most useful thing you can do.
I guarantee I will fail at least one of these in the next few months. If I do, I’ll tell you about it.

Questions welcome. Thanks for putting up with me.

[CEO]

This email, sent by the actual CEO, accomplishes more than any amount of HR policy. It sets the tone. It makes clicking OK. It makes reporting the heroic behavior.

What else to do in week 1

Add the “Report Phish” button to everyone’s email client. (Most tools have a one-click admin setup.)
Run a 5-minute all-hands intro to the program. Show the button. Show an example of a real phishing email.
Configure your simulation tool with your employee list and your “safe sender” allowlist for your mail filter.

Days 8–14: The baseline simulation

Send your first simulation to every employee. We recommend starting with a moderately difficult template — not a joke, but not the hardest spear-phish in your library either. Good first-week templates:

A fake DocuSign: “You have a new document to review”
A fake Microsoft 365 login alert: “Unusual activity detected on your account”
A fake invoice email from a plausible-sounding vendor

Key design choices:

Use different templates for different teams. Finance gets the invoice. IT gets the Microsoft login. HR gets the fake resume.
Time delivery so it arrives during normal working hours — not at 11pm.
Don’t spoof trusted internal senders (the CEO’s name, the bookkeeper’s name). It’s cruel and it destroys trust.
The “landing page” for any click must be immediate, kind, and educational. Not a pop-up. Not a shame page. A gentle “This was a drill — here’s what you would have missed.”

When the baseline numbers come in, you’ll likely see click rates in the 20–40% range and credential submission in the 10–20% range. These numbers are normal for an untrained workforce. Do not panic. Do not share individual data. Do share aggregated data, if you want to build transparency.

“Your first-month click rate is not an embarrassment. It’s a baseline. The question that matters is what it looks like three months from now.”

Days 15–21: First debrief and follow-up

This week is where most programs either establish a good culture or blow themselves up.

The all-hands debrief (15 minutes)

Do this live, not in email. Key agenda:

“Thanks for putting up with last week’s test.” Set the tone.
Share the aggregated stats: “X% of people clicked, Y% correctly reported, Z% didn’t engage at all.”
The CEO shares whether they personally clicked. If they did, great — they should say so, lightly and with humor. If they didn’t, they should explicitly say “I got lucky, not smart.”
Walk through the actual simulated email, frame by frame, highlighting the red flags.
Show the “report phish” flow again. Celebrate anyone who reported.
Preview: “We’ll run more of these on a rolling basis. Different teams will get different templates. We’ll debrief trends monthly.”

The individual follow-up (for repeat clickers only)

If any employee clicked in week 1, you don’t need to act on it yet. Wait until you’ve seen them click a second time. At that point, a quick private check-in — from their direct manager or you, not HR — is appropriate. The framing is always: we’re here to help, not punish. Offer a 15-minute coffee to walk through common patterns.

Days 22–30: Second round and the sustain plan

Send your second round of simulations this week. Different templates. Target some of the groups that had the highest click rates with slightly different variants.

By day 30, you should have:

Two rounds of baseline data
Every employee knows the program exists
The Report Phish button in widespread use
At least one public moment where a senior leader “fell for” a drill and laughed about it
A sustaining schedule for the next 90 days: 1–2 simulations per employee per month, rotating templates

What to expect in months 2 and 3

Based on the KnowBe4 2025 benchmarks and our own customer data, here’s the typical SMB trajectory:

Month 1: 25–35% click rate, 10–15% credential submission, 5–15% report rate.
Month 2: 15–20% click rate, 5–8% credential submission, 30–40% report rate. The biggest behavior change happens here.
Month 3: 10–15% click rate, 2–4% credential submission, 50–60% report rate.
Month 12: 3–7% click rate, under 1% credential submission, 60–80% report rate.

The 86% year-one risk reduction figure quoted industry-wide corresponds roughly to the drop in credential submission rate. This is the number that translates most directly to real-breach risk reduction.

Handling the tricky conversations

“I don’t appreciate being tricked.”

Expect this from at least one person, usually in the first month. The answer: “I hear that, and I want to make sure the program feels right. The goal isn’t to trick you — it’s to make sure your first experience with a convincing phishing email is a safe one. But your reaction matters. Let’s talk about what would make this feel better for you.”

Sometimes the answer is: they were having a really bad week and got a drill at the wrong moment. Sometimes it’s legitimate pushback against a template that was too aggressive. Listen.

“The CEO clicked on a real scam and wired $80,000”

This is the reason you run the program. When (if) it happens, follow incident response: notify your bank, notify your insurer if applicable, notify law enforcement (ic3.gov), and — here’s the part most companies do wrong — tell the team, honestly. “We got hit. Here’s what happened. Here’s what we’re fixing.” Transparency after a real incident is the single highest-leverage moment for security-culture building.

“We should fire people who keep clicking.”

No. This is always wrong. Research consistently finds that shame-based security cultures have worse security outcomes because people hide incidents. The right answer for repeat clickers is more training and more support, not termination. The only case where termination might be warranted is a repeat clicker who also circumvents policy (disabling MFA, sharing credentials, etc.), and at that point it’s not a phishing problem, it’s an insubordination problem.

The one simulation template never to use

Never send a simulated phishing email that spoofs a team member’s personal situation — fake pregnancy announcements, fake bonus notifications tied to performance reviews, fake layoff notices. Entire companies have been shredded by a single tone-deaf simulation template. Stick to generic vendor and platform scams. When in doubt, don’t.

Tooling: DIY vs. buy

You can technically run phishing simulations with open-source tools (Gophish is the most popular). For 5-to-50 person companies, this is almost never worth it. You’ll spend 20–40 hours setting it up, maintaining the infrastructure, updating templates as scam patterns evolve, and writing landing pages.

Commercial tools — ScamDrill’s organization plan, KnowBe4, Proofpoint, Hoxhunt, and others — handle all of this for $2–$10 per employee per month. For a 25-person SMB, that’s $750–$3,000/year to have the problem solved versus $15,000+ of opportunity cost running it yourself.

ScamDrill was specifically designed for the SMB price point and complexity level — if you want a no-nonsense tool that one person can run in the course of their normal job, check out our organization plan.

A working phishing program in 30 days. Without the enterprise headache.

ScamDrill’s organization plan is built to scale to your teams, whatever the size. Monthly simulations, current templates, one-click reporting, immediate teaching pages. Setup in under an hour.

See the organization plan →

Month 2+: sustain and evolve

After the first 30 days, the program runs itself. Monthly simulations rotate through different templates. The metrics improve. Every new hire gets added to the program during onboarding. Every quarter, you review the trends and pick one or two focus areas for the next cycle (“Our finance team is consistently the weakest link on invoice-style attacks — let’s concentrate effort there”).

Within a year, phishing simulations will feel like a normal, unglamorous part of operations — like fire drills. The team will make jokes about whose turn it is to fail next. The CEO will tell a story at all-hands about the one that caught them. And the real attackers — who are increasingly automated, increasingly sophisticated, and increasingly targeted at SMBs — will find your company a much harder target than they expected.

That’s the entire goal.

See also: Why SMBs need phishing training (the business case) and the consumer analog, phishing simulation for families.