Getting Started · February 17, 2026

Your First Phishing Campaign: What to Expect (and What's Normal)

25-35% of employees click on the first test. That's normal. Here's what happens after you hit send, how to read the results, and what to do next.

You've signed up, imported your employees, and you're staring at the "Send Campaign" button. Here's what actually happens when you press it, and what the results mean.

Before you send

Pick a template that matches what your team actually receives. If your company uses Microsoft 365, the "password expiry" template works well. If you use DocuSign, try the "document ready for signature" template. The more realistic the template, the more useful the test.

Start with your entire team for the first campaign. You want a baseline that covers everyone, not a partial picture.

What happens when you click send

Emails don't go out all at once. PhishPlease staggers delivery over your chosen time window so it looks natural — just like real phishing campaigns do. You'll see delivery confirmations in your dashboard as emails land.

The first 24 hours

Most clicks happen within the first 4 hours. You'll see your dashboard light up with opens and clicks. This is normal. Resist the urge to warn people or send a follow-up.

Typical first-campaign results for untrained teams:

  • Open rate: 60-80%
  • Click rate: 25-35%
  • Report rate: 2-5% (employees who flag it as phishing)

A 30% click rate does not mean your team is bad at security. It means they haven't been trained yet. That's why you're running the simulation.

What clickers see

When an employee clicks the phishing link, they land on an educational "caught" page. It explains what they missed, shows the red flags in the email, and links to training. This is the teaching moment — it's more effective than any webinar because it happens in context.

Reading your results

Your dashboard will show results by department, by individual, and over time. Look for:

  • Department hotspots. Some departments click more than others. Sales teams, for example, click links all day — they're trained to be responsive, which makes them vulnerable.
  • Repeat clickers. A few employees will click on every simulation. These people need extra training and attention.
  • Report rates. This is the number you actually want to increase. Employees who report suspicious emails are your first line of defense.
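
To check these three signals against raw campaign data, here is an added example (not PhishPlease code) that computes per-department rates, repeat clickers and the campaign-to-campaign trend. The record layout, function names and sample rows are constructed assumptions; map the field positions to whatever your own export contains.

```python
from collections import defaultdict

# Constructed sample data: one row per delivered simulation email.
# The field layout is an assumption, not PhishPlease's export format.
# (campaign, employee, department, opened, clicked, reported)
EVENTS = [
    ("c1", "ana@example.com", "Sales",   True,  True,  False),
    ("c1", "ben@example.com", "Sales",   True,  True,  False),
    ("c1", "cho@example.com", "Sales",   True,  False, True),
    ("c1", "dev@example.com", "Finance", True,  False, False),
    ("c1", "eli@example.com", "Finance", False, False, False),
    ("c1", "fay@example.com", "Finance", True,  False, False),
    ("c2", "ana@example.com", "Sales",   True,  True,  False),
    ("c2", "ben@example.com", "Sales",   True,  False, True),
    ("c2", "cho@example.com", "Sales",   True,  False, True),
    ("c2", "dev@example.com", "Finance", True,  False, True),
    ("c2", "eli@example.com", "Finance", True,  False, False),
    ("c2", "fay@example.com", "Finance", False, False, False),
]

def rates(rows):
    """Open, click and report rates as fractions of delivered emails."""
    n = len(rows) or 1  # avoid dividing by zero on an empty group
    return {name: sum(r[i] for r in rows) / n
            for name, i in (("open", 3), ("click", 4), ("report", 5))}

def by_department(rows, campaign):
    """Per-department rates for one campaign, highest click rate first."""
    groups = defaultdict(list)
    for r in rows:
        if r[0] == campaign:
            groups[r[2]].append(r)
    stats = {dept: rates(g) for dept, g in groups.items()}
    return sorted(stats.items(), key=lambda kv: kv[1]["click"], reverse=True)

def repeat_clickers(rows, min_campaigns=2):
    """Employees who clicked in every campaign they received."""
    received, clicked = defaultdict(set), defaultdict(set)
    for camp, who, _dept, _opened, did_click, _reported in rows:
        received[who].add(camp)
        if did_click:
            clicked[who].add(camp)
    return sorted(w for w in received
                  if len(received[w]) >= min_campaigns and clicked[w] == received[w])

def trend(rows, metric):
    """One metric per campaign, in campaign-id order, to compare with the baseline."""
    camps = sorted({r[0] for r in rows})
    return [(c, rates([r for r in rows if r[0] == c])[metric]) for c in camps]
```

Rates here are computed over delivered emails, so a department of three people swings by a third per click; treat small groups as indicative rather than conclusive.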

What to do next

Run another campaign in 2-3 weeks with a different template. Increase the difficulty slightly. Over 3-6 months, you'll see click rates drop and report rates rise. That's measurable behavior change — and it's what your insurer wants to see.
