How to Run a Low-Cost Phishing Simulation and Training Programme for Your Staff.

Phishing simulations are the most effective security awareness tool available — and they do not require expensive platforms. Here is how Irish SMEs run them well.


A Sligo healthcare services company ran its first phishing simulation in 2024. They used a free tier of a phishing simulation platform, sent a single realistic phishing email to their 23-person team, and discovered that seven staff members — 30% — clicked the link and three entered their credentials on the fake login page. None of them considered themselves particularly susceptible to phishing.

The result was not disciplinary action. It was a 20-minute team briefing the following week, specific to the exact email that had been sent, explaining what the warning signs were and what each recipient should have noticed. The second simulation, three months later, had a 9% click rate. By the third, it was 4%.

This is phishing simulation done well. A controlled test, honest results, immediate specific training, no blame, measurable improvement.


Why Simulations Work Better Than Training Alone

Phishing simulation is more effective than awareness training without simulation for one specific reason: it creates a learning moment at the exact point of vulnerability. A staff member who clicks a simulated phishing link and is immediately shown what they missed has just received the most contextually relevant security education available. They experienced the attack. They understand viscerally what convinced them. The lesson is immediate and specific.

Generic security awareness training — lectures, videos, e-learning modules — provides conceptual knowledge that does not always translate to behavioural change in the moment. Simulations provide experiential learning that does.


Low-Cost and Free Simulation Options

GoPhish. An open-source phishing simulation framework that can be self-hosted or used through a hosting provider. Free to use, requires some technical setup, and provides full flexibility in campaign design and reporting. Appropriate for businesses with a technically capable IT provider.

Microsoft Attack Simulator. Included in Microsoft 365 Business Premium, Attack Simulator allows basic phishing simulations within your Microsoft 365 tenant. Limited template library compared to dedicated platforms, but zero additional cost and integrated with your existing environment.

KnowBe4 Free Tier. KnowBe4 offers a free baseline phishing security test that sends a single simulation to your users and provides results. Not a full programme, but an effective starting point.

Proofpoint Security Awareness Training. Offers a free baseline assessment for organisations wanting to understand their current susceptibility before committing to a paid programme.

A phishing simulation programme for a ten to twenty person Irish SME can be run at zero ongoing cost using GoPhish or Microsoft Attack Simulator. The investment is time — setup and analysis — not budget. Book a free 20-minute strategy call if you would like guidance on which platform is most appropriate for your environment.


How to Run a Simulation Without Destroying Trust

The risk with phishing simulations — particularly in small, trust-based organisations — is that staff feel surveilled, embarrassed, or punished when they click a simulated phishing email. If this is the outcome, the simulation damages the security culture it is designed to improve.

Communicate the programme before it starts. Tell staff that you will be running phishing simulations as part of the security awareness programme. This does not reduce the simulation's effectiveness — a person who knows simulations are running must still recognise the specific email to avoid clicking it. But it removes the surprise element that makes staff feel ambushed.

Focus debrief on the email, not the person. The debrief after a simulation should focus entirely on the specific email — what made it convincing, what the warning signs were, what the correct action was. Never identify individual clickers publicly or by name. The aggregate click rate is the metric. Individual data is private.

Make reporting easy and praised. Staff who report suspicious emails — whether real or simulated — should receive immediate positive acknowledgment. The goal is to build a culture where reporting is the default response to anything uncertain.

Use the results to improve training, not to discipline. A 30% click rate is information about where your awareness programme needs to focus — not a list of staff who should face consequences.


Building a Programme, Not Just a Test

A single simulation provides a baseline. A programme provides improvement. The practical structure for an Irish SME is: one simulation per quarter, each using a different phishing technique, with a ten to twenty minute specific debrief after each. Track click rates across simulations. The trend line — not the absolute number — is the measure of programme effectiveness.

Vary the techniques across simulations: a spear-phished email using staff names, a courier notification, a Microsoft security alert, an invoice from a supplier. Different techniques expose different vulnerabilities in your staff's awareness and provide different learning moments in the debrief.
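As an added example (not part of the original article), the tracking described above in a short Python script: it reads GoPhish-style campaign result exports, produces only aggregate click, submission and report rates, and computes the quarter-on-quarter change in click rate, so nothing about individual clickers leaves the export. The CSV layout and status names are assumed, and the figures are constructed to match the Sligo example.

```python
import csv
import io

# GoPhish records the furthest stage each recipient reached in a "status"
# column; a click counts whether or not credentials were then submitted.
CLICKED = {"Clicked Link", "Submitted Data"}

def build_export(sent, opened, clicked, submitted, reported):
    """Construct a GoPhish-style results CSV (status names assumed). Counts
    nest: submitted <= clicked <= opened <= sent. Identity columns are left
    out on purpose; the metric never needs them."""
    stages = [(submitted, "Submitted Data"), (clicked, "Clicked Link"),
              (opened, "Email Opened"), (sent, "Email Sent")]
    rows = [{"id": i + 1, "status": next(s for n, s in stages if i < n),
             "reported": i >= sent - reported} for i in range(sent)]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "status", "reported"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def campaign_metrics(csv_text):
    """Aggregate funnel rates (percent, one decimal) for one export. Only
    the status and reported columns are read: no names or addresses."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    sent = len(rows)
    pct = lambda n: round(100.0 * n / sent, 1) if sent else 0.0
    return {"sent": sent,
            "click_rate": pct(sum(r["status"] in CLICKED for r in rows)),
            "submit_rate": pct(sum(r["status"] == "Submitted Data" for r in rows)),
            "report_rate": pct(sum(r["reported"].lower() == "true" for r in rows))}

def programme_trend(campaigns):
    """campaigns: list of (label, csv_text) in date order. Adds the change
    in click rate against the previous simulation, the figure to lead with."""
    out, prev = [], None
    for label, text in campaigns:
        m = campaign_metrics(text)
        m["label"] = label
        m["click_change"] = None if prev is None else round(m["click_rate"] - prev, 1)
        prev = m["click_rate"]
        out.append(m)
    return out

# Constructed figures matching the Sligo example: 23 staff, 7 clicks and
# 3 credential submissions in Q1, falling over the next two quarters.
SAMPLE = [("2024-Q1", build_export(23, 15, 7, 3, 1)),
          ("2024-Q2", build_export(23, 14, 2, 0, 5)),
          ("2024-Q3", build_export(23, 12, 1, 0, 9))]
```

`programme_trend(SAMPLE)` gives the three quarters' rates (30.4%, 8.7% and 4.3% click rate) with the quarter-on-quarter change alongside; the rising report rate is the second trend worth showing at the debrief.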


What Next

  1. Choose your simulation platform this week. If you use Microsoft 365 Business Premium, start with Microsoft Attack Simulator — it is already available. If you have a competent IT provider, ask about GoPhish.

  2. Brief staff that simulations will begin. One announcement, at a team meeting or by email. No details about timing or method.

  3. Run the first simulation and debrief within 48 hours. Show the email. Explain what made it convincing. Explain what the correct action was. Do not name clickers.


Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Related Reading

  1. NCSC Ireland — Phishing Awareness Guidance

  2. An Garda Síochána — National Cyber Crime Bureau

  3. Data Protection Commission Ireland

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.
