
Phishing simulation for businesses: the complete guide

What is a phishing simulation? Learn how companies are using simulated phishing attacks to measure employee click behavior, raise awareness and become NIS2 compliant.
A group of employees at a Flemish company studies a suspicious e-mail on a large presentation screen during a Cyberplan phishing simulation, learning together to recognize the signs of phishing.

A phishing simulation is a controlled test in which fake phishing emails are sent to employees to measure how well they recognize suspicious messages. Companies use these simulations as a baseline measurement of their vulnerability, an awareness tool for the team and a demonstrable measure of NIS2 compliance. Research from KnowBe4 (2025) shows that 1 in 3 employees click on a simulated phishing link before training, but that this rate drops by 86% after 12 months of targeted awareness.

Phishing remains the number one method of attack for cybercriminals. In 2025, alert Belgians forwarded nearly 10 million suspicious messages to verdacht@safeonweb.be, and according to the ENISA Threat Landscape report, phishing accounts for some 60% of all reported cybersecurity incidents.

And yet: how many of your employees would click on a suspicious link today? Answering that question is precisely the purpose of a phishing simulation. This guide tells you what a phishing simulation entails, what the process looks like, what to expect from the results, and how it fits into your broader security strategy.

What exactly is a phishing simulation?

A phishing simulation is a realistic but harmless test in which fake phishing emails are sent to employees of your organization. The emails mimic the techniques used by real cybercriminals: urgent subject lines, spoofed senders, and links to fake login pages.

The difference from a real attack? Nothing is stolen. Employees who click on a link or enter their data receive an immediate notification that it was a simulation. Every wrong click thus becomes a teachable moment, with no harm done.

A phishing simulation typically measures three things:

  • Click rate: how many employees click on the link in the phishing email?
  • Credential submission rate: how many employees effectively fill in their login credentials on the fake page?
  • Reporting rate: how many employees report the suspicious mail to IT or via the report button?

That last metric is becoming increasingly important. Security experts agree that reporting a suspicious message is at least as valuable as not clicking. An organization where employees actively report phishing can respond more quickly in the event of a real attack.

Why is a phishing simulation important to your business?

The numbers don’t lie. According to the KnowBe4 Phishing by Industry Benchmarking Report 2025, based on 67.7 million simulated phishing tests, an average of 33.1% of untrained employees click on a phishing link. That’s 1 in 3, and an attacker only needs one successful click to get in.

This is not just a technical problem. The Verizon 2025 Data Breach Investigations Report shows that 68% of all data breaches involve a human factor. Spam filters and firewalls catch a lot, but the most sophisticated phishing emails regularly slip through, especially now that AI tools let criminals write error-free messages in perfect Dutch, without the language errors that used to be a warning sign.

On top of that, phishing simulations are not only wise, they are increasingly becoming mandatory. The NIS2 legislation, in effect in Belgium since October 2024, requires organizations within scope to provide regular cybersecurity awareness training for all employees and management (Articles 20 and 21). A phishing simulation is one of the most concrete ways to meet that obligation.

But companies not directly covered by NIS2 are also noticing the effect. More and more large clients are requiring their suppliers to have their cybersecurity compliance in place, including proof of security awareness among staff.

How does a phishing simulation work in practice?

A professional phishing simulation proceeds in five steps. Here’s what to expect:

Step 1: preparation and scoping

Together with the security partner, you determine the scope. How many employees will participate? Which departments will be tested? Will specific scenarios be used, such as a fake invoice from a vendor or a supposed message from Microsoft 365?

Legal and privacy agreements are also made at this stage. Results are reported at the organizational or departmental level, never at the individual level. The goal is learning, not punishment.

Step 2: phishing campaign design

The simulation is built with scenarios that fit your industry and business context. A manufacturing company gets different emails than a healthcare facility. The more realistic the simulation, the more valuable the results.

Common scenarios include:

  • A fake Microsoft 365 login page
  • An urgent payment request email from “the CEO”
  • A package delivery with tracking link
  • An HR communication about paycheck or leave of absence

Step 3: sending and monitoring

The phishing emails are sent to participants. The security team monitors in real time who opens, clicks and possibly fills in data. This data is aggregated anonymously by department.

Step 4: immediate feedback

Employees who click are immediately notified: this was a simulation. That immediate feedback creates an emotional learning moment that is particularly effective, according to the SANS Institute. SANS research shows that employees who click and receive immediate feedback during a simulation are significantly less likely to click again on future tests.

Step 5: reporting and follow-up process

Afterwards, you will receive a report with the key results: click rate per department, credential submission rate, reporting rate and a comparison with benchmarks. Based on those results, a follow-up program is outlined, typically a combination of targeted security awareness training and a repeat simulation after 3 to 6 months.

What results can you expect?

The average click rate on an initial phishing simulation is around 33%, according to KnowBe4. That sounds high, but the good news is that this rate drops quickly with the right approach.

After 90 days of security awareness training, the click rate drops an average of 40%. After 12 months of consistent training and simulation, the drop is as much as 86%. These are not marginal improvements, but a fundamental change in behavior.

According to the Proofpoint State of the Phish report, the average failure rate for organizations that have been running simulations for some time is around 5%. Security expert Lance Spitzner of the SANS Institute says a click rate below 5% is a healthy level for most organizations, but stresses that a 0% click rate should not be the goal. The focus should be on a decreasing trend in clicks and an increasing reporting rate.

Another thing to watch out for: repeat clickers. Research shows that most of the risk within an organization is concentrated in a small group of employees who click across multiple simulations. Targeted 1-on-1 coaching for this group is more effective than generic training for the entire organization.
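As an added illustration (not code from the original post or from Cyberplan's tooling), the Python below computes the three metrics introduced earlier (click, credential submission and reporting rate) per department, the way Step 3 and Step 5 describe aggregating results, and counts repeat clickers across campaigns without ever naming them. The roster, the event format and the 5% benchmark threshold are assumptions; the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample data (not real results). ROSTER maps department to the
# recipients of each campaign; ACTIONS lists (campaign, user_id, action) with
# action in {"clicked", "submitted", "reported"}. user_id is used only to
# deduplicate and to detect repeat clickers; no function below returns it.
ROSTER = {"Finance": {"u1", "u2", "u3"}, "HR": {"u4", "u5"}}
ACTIONS = [
    ("Q1", "u1", "clicked"), ("Q1", "u1", "submitted"), ("Q1", "u3", "clicked"),
    ("Q1", "u2", "reported"), ("Q1", "u4", "reported"),
    ("Q2", "u1", "clicked"), ("Q2", "u5", "clicked"),
    ("Q2", "u2", "reported"), ("Q2", "u3", "reported"), ("Q2", "u4", "reported"),
]
HEALTHY_CLICK_RATE = 0.05  # assumed threshold: the "below 5%" level cited in the text


def department_rates(roster, actions, campaign):
    """Per-department click, credential-submission and reporting rates for one
    campaign. Rates are per recipient (a user who clicks twice counts once)
    and only aggregates leave this function."""
    who_did = defaultdict(set)  # action -> set of user_ids in this campaign
    for camp, uid, action in actions:
        if camp == campaign:
            who_did[action].add(uid)
    report = {}
    for dept, users in roster.items():
        sent = len(users)
        click_rate = len(users & who_did["clicked"]) / sent
        report[dept] = {
            "sent": sent,
            "click_rate": click_rate,
            "submit_rate": len(users & who_did["submitted"]) / sent,
            "report_rate": len(users & who_did["reported"]) / sent,
            "above_benchmark": click_rate > HEALTHY_CLICK_RATE,
        }
    return report


def repeat_clickers_per_department(roster, actions):
    """Count (never name) employees who clicked in more than one campaign,
    the small group the text says concentrates most of the risk."""
    campaigns_clicked = defaultdict(set)  # user_id -> campaigns with a click
    for camp, uid, action in actions:
        if action == "clicked":
            campaigns_clicked[uid].add(camp)
    counts = {}
    for dept, users in roster.items():
        repeaters = sum(1 for u in users if len(campaigns_clicked[u]) > 1)
        if repeaters:
            counts[dept] = repeaters
    return counts
```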

Phishing simulation and NIS2: what’s the link?

The Belgian NIS2 law requires organizations to take appropriate measures for cybersecurity, which explicitly includes employee training and awareness. Article 20(2) of the NIS2 Directive requires governing bodies to attend and offer cybersecurity training to their employees.

Specifically, companies that fall under NIS2 must be able to demonstrate that they work structurally on security awareness. A phishing simulation with reporting provides just that proof: measurable results that you can present during an audit or compliance assessment.

With the NIS2 compliance deadline of April 18, 2026 approaching, now is the time to start or formalize your awareness program.

Good to know: through the VLAIO KMO-portefeuille, you as a Flemish SME can get up to 45% subsidy on cybersecurity advice and training. This also applies to phishing simulations and awareness training.

What should you look for when choosing a partner?

Not every phishing simulation delivers the same value. When choosing a partner for phishing simulations, there are some criteria that make the difference:

Realism of scenarios. Off-the-shelf templates that don’t look recognizable to your employees do little good. A good partner will create scenarios tailored to your industry, language and corporate culture.

Privacy and ethics. The results should never be shared with management at the individual level. The goal is to raise awareness, not punish employees. A professional partner maintains clear agreements about this.

Linkage to training. A simulation by itself is a measurement, not a solution. The real value comes when the results are coupled with targeted awareness training. Find a partner who offers both as an integrated course.

Belgian context. Phishing scenarios that draw on Belgian realities (bpost package notifications, CM messages, itsme verifications) are more relevant and therefore more valuable than generic international templates. Not coincidentally, Safeonweb data shows that fake bpost emails and fake CM messages are among the most reported phishing campaigns in Belgium.

Department-level reporting. The value lies in recognizing patterns: which departments are more vulnerable? Where is extra attention needed? A good report provides not only numbers, but also concrete recommendations for next steps.

The latest phishing techniques in 2026

Phishing is evolving at lightning speed. Whereas in the past a spelling error in an e-mail was already a warning signal, in 2026 cybercriminals are using increasingly sophisticated techniques:

  • AI-written phishing emails: Thanks to generative AI, attackers write flawless Dutch, French and English. Classic tell-tale signs such as poor grammar disappear.
  • QR code phishing (quishing): Increasingly, phishing emails contain a QR code instead of a link, which is harder for spam filters to catch.
  • OAuth-phishing: Instead of stealing passwords, attackers ask permission for an “app” that can act on your behalf, bypassing MFA.
  • Conversation hijacking: Attackers break into an existing mailbox and reply within a running email thread, automatically giving credibility to the message.
  • Multi-channel attacks: A combination of phishing email followed by a phone call from the “IT department” or “bank” to create urgency.

Just recently, the Tycoon 2FA platform was taken down by Europol and Microsoft. This platform, active since 2023, made it possible to bypass even two-factor authentication. According to Microsoft, more than 500 Belgian organizations fell prey to this platform. A phishing simulation that mimics these modern techniques will prepare your team much better than a standard template.

How often should you run a phishing simulation?

A one-time simulation is a snapshot in time. To achieve true behavior change, repetition is essential.

The recommended frequency is at least quarterly simulation combined with ongoing awareness activities such as e-learnings, short reminders and posters. Research shows that the effect of awareness training begins to wane after 3 to 6 months if there is no follow-up.

An effective annual plan looks as follows:

  1. Zero measurement: first simulation to establish baseline level
  2. Training: targeted awareness training based on results
  3. Repeat simulation (after 3 months): measurement of initial improvement
  4. Ongoing (quarterly basis): rotate scenarios and raise the difficulty level
  5. Annual review: reporting to management with trends, benchmarks and recommendations

This path not only provides better security, but also the documentation proof you need for NIS2 compliance and any cyber insurance requirements.

Frequently asked questions about phishing simulations

What does a phishing simulation cost for a company?

The cost of a phishing simulation depends on the number of employees, the complexity of the scenarios and whether awareness training is linked to it. For a Flemish SME with 50 to 250 employees, a professional simulation program including reporting and basic training usually starts from a few thousand euros. Through the VLAIO KMO-portefeuille you can receive up to 45% subsidy.

Is a phishing simulation mandatory under NIS2?

NIS2 does not literally mandate a phishing simulation, but it does require organizations to take appropriate measures for cybersecurity awareness and employee training (Articles 20 and 21). A phishing simulation is one of the most concrete and measurable ways to comply with this and provide proof in an audit.

Are the results shared by individual?

In a professional phishing simulation, results are reported at the organizational or departmental level, not at the personal level. The goal is to create awareness, not punish individual employees. Login information entered during a simulation is not stored.

How quickly do we see improvement after a phishing simulation?

According to research by KnowBe4 (2025), the click rate drops an average of 40% within 90 days of starting awareness training combined with simulations. After 12 months, the average drop is 86%. The rate of improvement depends on the frequency of simulations and the quality of the accompanying training.

Can a phishing simulation negatively affect the working atmosphere?

That risk exists only when the simulation is used punitively. A well-designed program communicates up front to management that it is a learning program, offers immediate constructive feedback when someone clicks, and never shares results at the individual level. The simulation thus becomes a positive moment of awareness rather than a source of distrust.

What is the difference between a phishing simulation and a pen test?

A phishing simulation tests employee behavior and awareness in the face of social engineering attacks. A pen test (penetration test) tests the technical security of your network, systems or applications. Both are complementary: the simulation focuses on the human factor, the pen test on the technical vulnerabilities. In a mature security approach, you combine both.

Conclusion: start with a baseline measurement

Phishing remains the most common method of attack, and your employees are the first line of defense. A professional phishing simulation gives you insight into how vulnerable your organization is today, offers a concrete starting point for improvement, and provides proof that you are structurally working on awareness.

With the NIS2 deadline of April 18, 2026 approaching and the VLAIO KMO-portefeuille offering up to 45% subsidy on cybersecurity training, there is no better time to start.

Wondering how your team scores? Schedule an introductory meeting and find out how Cyberplan sets up a phishing simulation tailored to your organization.