Strategic Insights on Managed Security Awareness

How Do You Run Phishing Simulations Without Destroying Employee Trust?

10 min read / May 8, 2026

Key Takeaways

  • Employees who feel tricked by simulations become security risks — they stop reporting real threats
  • Pre-communication about simulations must happen without spoiling effectiveness
  • Click rate is the wrong metric — reporting rate shows real security improvement
  • Monthly simulations work better than quarterly ones, but only with proper support
  • Post-incident trust repair follows a specific protocol most organisations ignore

You ran a phishing simulation. An employee clicked. They discovered it was a test. Now HR has a complaint on file, the union rep wants a meeting, and two people have stopped reporting suspicious emails altogether — because they’re afraid of looking stupid again. You didn’t mean for this to happen. But here’s the hard truth that most phishing simulation guides won’t tell you: the way most programmes are run virtually guarantees this outcome. Not because simulations are wrong, but because the rules that protect employee trust are the same rules that make simulations actually work.

According to a 2025 industry benchmarking report, 33.1% of employees click on simulated phishing links before any training. After 12 months of consistent simulation-based training, that figure drops by 86% to just 4.1%. The training works. But only if employees remain willing participants in the process.

Why Do Phishing Simulations Trigger Employee Complaints?

The core problem isn’t that employees dislike being tested. Research from multiple universities shows the issue runs deeper. When employees feel deceived rather than educated, they experience what researchers call “adversarial dynamics” with the security team. This creates three specific problems:

Trust erosion happens immediately. A 2025 study found that poorly designed simulations can make employees more susceptible to real phishing attacks due to overconfidence effects. When someone discovers they’ve been “tricked” by their own security team, they often assume they’ve learned enough to spot the “real” threats.

Reporting rates collapse. According to industry data from 2024, only 18.3% of simulated phishing emails were properly reported by users. But in organisations where employees felt the simulation programme was adversarial, reporting rates dropped to single digits. People who fear being judged don’t volunteer information about threats.

The coffee machine effect takes over. When simulations are sent to everyone simultaneously, employees warn each other within minutes. Your click rate data becomes meaningless, and the exercise becomes a shared frustration rather than individual learning.

What Should You Communicate Before Running Simulations?

The key is transparency without spoiling effectiveness. Government cybersecurity guidance specifically warns that users may feel they are being surveilled by the security team. Here’s the communication framework that works:

The Three-Layer Communication Approach

Layer 1: Programme announcement — Tell everyone that phishing simulations will be part of ongoing security training. Explain why they’re necessary and how they protect the organisation. Do this once, organisation-wide.

Layer 2: Frequency transparency — Tell people simulations will happen regularly but not when. Use language like “You can expect to receive test phishing emails throughout the year as part of our security training programme.”

Layer 3: Support emphasis — Make it clear that the goal is learning, not punishment. Provide a specific contact for questions and emphasise that everyone clicks on phishing emails sometimes, including security professionals.

For unionised workforces, involve employee representatives in designing the communication. This prevents formal grievances and builds programme credibility.

Which Simulation Scenarios Cross Ethical Lines?

University research from 2025 identified specific simulation themes that consistently trigger employee backlash and formal complaints. The pattern is clear: scenarios that exploit personal anxieties rather than work-related security awareness cross ethical boundaries.

Off-Limits Scenarios

  • Fake redundancy or disciplinary notices
  • Medical emergencies or health alerts
  • False bonus or pay-related communications
  • Fake personal messages from colleagues about sensitive topics
  • Scenarios exploiting current news events that cause genuine anxiety

A documented case from 2025 involved a university sending fake medical emergency alerts as phishing tests. Staff panic was so severe it made national news coverage and triggered formal investigations.

Ethical Alternatives That Work

  • Fake invoices or purchase confirmations
  • IT update notifications
  • Generic delivery notifications
  • Software licence renewals
  • Conference or training invitations

These scenarios test the same security awareness skills without exploiting personal fears or work anxieties.

How Often Should You Run Phishing Simulations?

The research on frequency has shifted significantly. A meta-analysis of 42 phishing simulation studies confirmed that annual programmes are “unlikely to provide sustained protection.” Training effects decay within 30 days without reinforcement.

Data from 2025 shows employees trained within the last 30 days are 4× more likely to report a phishing email than those whose last training was longer ago. This supports monthly simulations over quarterly ones.

However, frequency must be balanced with support. Monthly simulations work when they’re part of a broader education programme. Monthly “gotcha” tests without context create fatigue and resentment.

Preventing Simulation Fatigue

  • Vary the difficulty level — not every simulation should be challenging
  • Use staggered delivery to prevent the coffee machine effect
  • Provide immediate, brief feedback rather than lengthy training modules
  • Focus on different attack types across the programme

What Metrics Actually Matter for Phishing Simulations?

Click rate is the wrong number to focus on. Here’s why: in well-managed programmes with sustained training, simulation click rates stabilise at approximately 1.5% according to 2025 industry data. Once you reach that level, the click rate stops being a useful measure of programme effectiveness.

Reporting rate is the key metric. This measures how many employees correctly identify a simulation as suspicious and report it through proper channels. Industry averages show only 18.3% of simulated phishing emails get reported, but this varies significantly by sector.

Metrics That Show Real Security Improvement

  1. Reporting rate — percentage of simulations reported as suspicious
  2. Time to report — how quickly employees flag suspicious emails
  3. Repeat reporting — employees who consistently report across multiple simulations
  4. Peer education — employees warning colleagues about suspicious emails

Present these metrics to leadership as the primary measures of programme success. Click rate becomes a secondary indicator once reporting behaviours are established.
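As an added illustration of the metrics listed above (not code from the article or from Complorer), the script below computes click rate, reporting rate, median time to report and repeat reporters from a constructed per-email simulation log, and produces a department-level summary with an assumed minimum group size so that results are presented at group rather than individual level. The event format, department names and the threshold of 3 are all assumptions for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not from the article): (campaign, user, department,
# minutes_until_click, minutes_until_report); None = that event never happened.
EVENTS = [
    ("2026-03", "u1", "finance", 7, None),
    ("2026-03", "u2", "finance", None, 12),
    ("2026-03", "u3", "finance", None, 30),
    ("2026-03", "u4", "ops", 3, 15),  # clicked, then reported: still a report
    ("2026-04", "u1", "finance", 5, None),
    ("2026-04", "u2", "finance", None, 9),
    ("2026-04", "u3", "finance", None, None),
    ("2026-04", "u4", "ops", None, 20),
]

def rates(pairs):
    # pairs: [(minutes_until_click, minutes_until_report), ...] for a set of emails
    times = [rep for _, rep in pairs if rep is not None]
    return {"sent": len(pairs),
            "click_rate": round(100 * sum(c is not None for c, _ in pairs) / len(pairs), 1),
            "report_rate": round(100 * len(times) / len(pairs), 1),
            "median_minutes_to_report": median(times) if times else None}

def campaign_metrics(events):
    # Per-campaign click rate, reporting rate and time to report.
    rows = defaultdict(list)
    for campaign, _u, _d, clicked, reported in events:
        rows[campaign].append((clicked, reported))
    return {c: rates(r) for c, r in sorted(rows.items())}

def repeat_reporters(events, min_campaigns=2):
    # Users who reported in at least min_campaigns distinct campaigns.
    seen = defaultdict(set)
    for campaign, user, _d, _c, reported in events:
        if reported is not None:
            seen[user].add(campaign)
    return sorted(u for u, cs in seen.items() if len(cs) >= min_campaigns)

def group_summary(events, min_group_size=3):
    # Department-level rates; a department with fewer than min_group_size people
    # (assumed threshold) is returned as None so nobody can be singled out.
    rows, people = defaultdict(list), defaultdict(set)
    for _c, user, dept, clicked, reported in events:
        rows[dept].append((clicked, reported))
        people[dept].add(user)
    return {d: rates(r) if len(people[d]) >= min_group_size else None
            for d, r in sorted(rows.items())}
```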

How Do You Handle Employees Who Keep Clicking?

Research distinguishes between “stable individual heterogeneity” (people who are consistently higher risk) and “state dependence” (habits that can be changed through targeted support). The distinction matters because the intervention approach is different.

For persistent high-risk individuals, punitive approaches backfire. They create defensiveness and reduce voluntary reporting of real threats. Instead, use a structured support protocol:

The High-Risk Employee Support Protocol

  1. Individual consultation — one-on-one discussion about their specific challenges
  2. Workload assessment — high click rates often correlate with time pressure
  3. Role-specific training — tailored to their actual email patterns and responsibilities
  4. Technical controls — additional email filtering or approval processes where appropriate

This approach treats persistent clicking as a systems problem rather than a personal failing. It maintains dignity while addressing genuine security risk.

What Are the Legal Requirements for Phishing Simulations?

Under GDPR, individual click data is personal data. Tracking and reporting who clicked what requires a proper legal basis — typically legitimate interest rather than consent (consent is invalid due to the employment power imbalance).

For EU organisations, NIS2 regulation (mandatory since October 2024) elevates phishing simulations from good practice to regulatory obligation. Auditors now require evidence of training effectiveness, not just completion certificates.

Key legal considerations:

  • Document a Legitimate Interest Assessment before starting any programme
  • Report results at group level, not individual level, where possible
  • Allow employees to access their personal simulation data under GDPR Subject Access Rights
  • Implement data retention policies — don’t keep individual click data longer than necessary

Always verify legal compliance with qualified counsel rather than relying on vendor guidance alone.

How Do You Repair Trust After a Simulation Backfires?

This is the gap most guidance ignores: what to do when a simulation has already triggered complaints, formal grievances, or widespread employee anger. The post-incident response determines whether your programme recovers or becomes a permanent source of workplace tension.

The Trust Repair Protocol

Step 1: Acknowledge the impact immediately. Don’t defend the simulation or explain why it was necessary. Start by acknowledging that people felt deceived or manipulated. Validation comes before justification.

Step 2: Take responsibility for the design choice. Use language like “We chose a simulation scenario that caused genuine distress, and that was our mistake” rather than “Some people misunderstood the purpose.”

Step 3: Commit to specific changes. Don’t just promise to “do better.” Name the specific changes you’ll make to scenario selection, communication, or programme design.

Step 4: Involve employee representatives. If there’s union representation or employee committees, bring them into programme design going forward. Make them partners, not targets.

Step 5: Demonstrate the change. The next simulation must be obviously different in tone and approach. This proves the commitment to change was genuine.

Platforms like Complorer are built specifically for this kind of programme recovery — combining scenario ethics guidance with communication templates that help rebuild employee trust while maintaining security effectiveness.

Does Phishing Simulation Training Actually Work?

This question reflects genuine scepticism in the security community. University research has found mixed results, with some studies showing embedded post-click training can actually increase susceptibility through overconfidence effects.

However, the research contradiction dissolves when you examine programme design. Studies that found negative effects typically looked at annual, one-off training or immediate pop-up modules that users close within 10 seconds. Studies that found positive effects examined sustained, well-supported programmes with appropriate frequency and meaningful education components.

The evidence supports this conclusion: phishing simulations work when they’re part of a broader security culture programme. They fail when they’re standalone “gotcha” exercises designed to catch people rather than teach them.

A longitudinal study from 2025 involving 1,300+ employees across 20 organisations found sustained phishing simulations with targeted training halved successful compromise rates within six months. But the study also confirmed that employee turnover introduces measurable fluctuations — new staff consistently reset organisational risk, highlighting the need for continuous onboarding integration.

What Should You Do Next?

If you’re running phishing simulations that trigger complaints, the programme design needs immediate attention. The goal is building a security-aware culture where employees see themselves as defenders, not targets. This means transparency in communication, ethics in scenario selection, and support rather than punishment for those who struggle.

Start by auditing your current programme against these principles. Focus on reporting rate rather than click rate as your primary metric. If you’ve had simulation-related grievances or trust issues, use the repair protocol to rebuild employee confidence before running additional tests.

The strongest security programmes are those where employees actively want to participate because they understand the value and trust the process. Build that foundation first, and the security metrics will follow.

Frequently Asked Questions

How do you run phishing simulations without telling employees about them?

Tell employees that simulations will happen regularly as part of security training, but don’t specify timing or content. This maintains effectiveness while providing transparency. Use three-layer communication: announce the programme exists, explain the frequency, and emphasise learning over testing.

What should you do if employees complain about phishing simulations?

Acknowledge their concerns immediately without defending the simulation design. Take responsibility for scenarios that caused distress, commit to specific changes in approach, and involve employee representatives in future programme design. The next simulation should demonstrate the promised improvements.

How often should you send phishing simulation emails?

Monthly simulations are more effective than quarterly ones, according to current research. Training effects decay within 30 days, and employees trained recently are 4× more likely to report real threats. However, increase frequency gradually and ensure proper educational support to prevent fatigue.

Is it legal to track which employees click on phishing simulations?

Under GDPR, individual click data is personal data requiring a proper legal basis — typically legitimate interest documented through a Legitimate Interest Assessment. Report results at group level where possible, implement proper data retention policies, and always verify compliance requirements with qualified legal counsel.

What’s the difference between click rate and reporting rate in phishing simulations?

Click rate measures how many people fall for the simulation. Reporting rate measures how many people correctly identify it as suspicious and report it. Reporting rate is the better security metric because it shows employees are actively participating in threat detection, not just avoiding mistakes.


Author

Complorer