What Is a Phishing Simulation? A Plain-English Explainer for Business Owners
No jargon. No scare tactics. Just a clear explanation of what phishing simulations are, how they work, and whether your business actually needs one.
A phishing simulation is a controlled test where you send fake phishing emails (or texts, or calls) to your own employees to see who clicks. No real harm is done — the "attack" comes from you, not a criminal. Employees who click get a brief educational page explaining what they missed, and optionally get enrolled in training.
Think of it like a fire drill, but for email. You're testing whether your team can spot a fake before a real attacker tests them for you.
How does it work?
The process is straightforward:
- You pick a template. These are modeled after real phishing emails — fake password resets, invoice requests, delivery notifications, shared documents. The good ones are convincing.
- You choose who receives it. Your whole team, a specific department, or individual employees.
- The simulation goes out. It looks like a normal email. There's usually a link or button that tracks whether someone clicks.
- You see the results. A dashboard shows who opened the email, who clicked the link, and who reported it as suspicious.
- Clickers get trained. Employees who click are shown an educational page and optionally enrolled in a short training module.
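The dashboard in the last two steps boils down to a few counts over per-recipient results. As an added illustration (not PhishPlease's code, whose data format this page does not describe), the Python below turns constructed per-recipient records into the numbers a business owner would look at: open, click and report rates for a campaign, a per-department breakdown, the click-rate trend across campaigns, and the list of repeat clickers to enroll in training. The record layout (`email`, `department`, `opened`, `clicked`, `reported`) and every name and result in the sample data are assumptions made for the example.

```python
"""Campaign metrics for phishing simulation results (added example, not vendor code).

Assumed record format: one dict per recipient with keys
email, department, opened, clicked, reported. Sample data is constructed.
"""
from collections import defaultdict


def _rec(email, dept, opened, clicked, reported):
    return {"email": email, "department": dept,
            "opened": opened, "clicked": clicked, "reported": reported}


# Constructed results for two campaigns sent to the same ten people.
# A recipient can both click and report (reporting after a click still counts).
CAMPAIGNS = {
    "march-password-reset": [
        _rec("alice@example.com", "finance", True, True, False),
        _rec("bob@example.com", "finance", True, True, False),
        _rec("carol@example.com", "finance", True, False, True),
        _rec("dave@example.com", "sales", True, True, False),
        _rec("erin@example.com", "sales", False, False, False),
        _rec("frank@example.com", "sales", True, False, True),
        _rec("grace@example.com", "ops", True, False, False),
        _rec("heidi@example.com", "ops", True, False, False),
        _rec("ivan@example.com", "ops", True, False, True),
        _rec("judy@example.com", "ops", False, False, False),
    ],
    "april-invoice": [
        _rec("alice@example.com", "finance", True, True, False),
        _rec("bob@example.com", "finance", True, False, True),
        _rec("carol@example.com", "finance", True, False, True),
        _rec("dave@example.com", "sales", True, False, True),
        _rec("erin@example.com", "sales", True, False, False),
        _rec("frank@example.com", "sales", True, False, True),
        _rec("grace@example.com", "ops", True, False, False),
        _rec("heidi@example.com", "ops", True, False, True),
        _rec("ivan@example.com", "ops", True, False, True),
        _rec("judy@example.com", "ops", False, False, False),
    ],
}


def campaign_metrics(results):
    """Open, click and report rates (0.0-1.0) for one campaign; safe on empty input."""
    total = len(results)
    if total == 0:
        return {"recipients": 0, "open_rate": 0.0, "click_rate": 0.0, "report_rate": 0.0}

    def rate(key):
        return round(sum(1 for r in results if r[key]) / total, 3)

    return {"recipients": total, "open_rate": rate("opened"),
            "click_rate": rate("clicked"), "report_rate": rate("reported")}


def click_rate_by_department(results):
    """Click rate per department, so training can be targeted where it is needed."""
    groups = defaultdict(list)
    for r in results:
        groups[r["department"]].append(r)
    return {dept: campaign_metrics(rs)["click_rate"] for dept, rs in sorted(groups.items())}


def click_rate_trend(campaigns):
    """(campaign name, click rate) in the order campaigns were run."""
    return [(name, campaign_metrics(rs)["click_rate"]) for name, rs in campaigns.items()]


def training_enrollment(campaigns, min_clicks=2):
    """Recipients who clicked in at least min_clicks campaigns: candidates for extra training."""
    clicks = defaultdict(int)
    for rs in campaigns.values():
        for r in rs:
            if r["clicked"]:
                clicks[r["email"]] += 1
    return sorted(email for email, n in clicks.items() if n >= min_clicks)


if __name__ == "__main__":
    for name, rs in CAMPAIGNS.items():
        print(name, campaign_metrics(rs), click_rate_by_department(rs))
    print("trend:", click_rate_trend(CAMPAIGNS))
    print("enroll:", training_enrollment(CAMPAIGNS))
```

Reporting rate is tracked alongside click rate on purpose: a team whose click rate falls but whose report rate stays flat has learned to ignore suspicious mail, not to flag it, and the second behaviour is what gets a real attack caught early.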
Why do businesses run these?
Because telling employees "don't click suspicious links" doesn't work. People need to practice recognizing phishing in context — in their inbox, during a busy day, when the email looks like it could be real.
The numbers make this clear: 91% of cyberattacks start with a phishing email, and 43% of attacks target small businesses specifically. The average cost of a successful phishing attack on an SMB is over $120,000.
Simulations give you a measurable baseline. Your first campaign might show a 30% click rate. After a few months of regular simulations and training, that typically drops below 10%. You can see the improvement in real data.
Do I need a security team to run this?
No. That's the whole point of platforms like PhishPlease. If you can send an email and read a dashboard, you can run phishing simulations. The templates, scheduling, training, and reporting are all automated.
Most PhishPlease customers set up their first campaign in under two hours and spend about 30 minutes per month managing ongoing campaigns.
Won't employees be angry?
Some will be, the first time. That's normal and actually a good sign — it means the simulation was convincing enough to test real behavior. The key is framing it as training, not punishment. PhishPlease is designed to teach, not embarrass.
After a few rounds, most employees appreciate it. They start catching simulations — and real phishing emails — more reliably. That's the goal.
What does it cost?
Enterprise platforms like KnowBe4 charge $19-33 per employee per month and require annual contracts. PhishPlease costs $89.99/month for up to 30 users, with $1/month per additional user. No contracts, no minimums.
For a 50-person company, that's $109.99/month vs. $950-1,650/month with enterprise tools.
Ready to test your team?
Send your first phishing simulation in under 2 hours.
Start free trial
14-day free trial · No credit card required