Our phishing simulation process

The process generally involves five steps:

  1. Planning

    We first define the objectives and set the scope, deciding which types of phishing emails to use and how often to run simulations. We'll also determine the target audience, including segmenting specific groups or departments so results can be compared between them.
  2. Drafting

    After forming a plan, we'll create realistic mock phishing emails that closely resemble real phishing threats, modeled on phishing templates and phishing kits available on the dark web. We pay close attention to details like subject lines, sender addresses and content to make realistic phishing simulations. We'll also include social engineering tactics—even impersonating (or ‘spoofing’) an executive or fellow employee as the sender—to increase the likelihood that employees click the emails.
  3. Sending

    Once we finalize the content, we will send the simulated phishing emails to the target audience through secure means, with employee privacy in mind: each recipient gets a unique tracking link so interactions can be attributed without exposing personal data in the email itself.
  4. Monitoring

    After sending the mock malicious emails, we'll closely track and record how employees interact with the simulated emails, monitoring if they click on links, download attachments or provide sensitive information.
  5. Analyzing

    Following the phishing test, we will analyze the data from the simulation to determine trends like click rates, credential-submission rates and reporting rates, broken down by group, template and department, to pinpoint where the organization is most exposed. Afterward, we will follow up with employees who failed the simulation with immediate feedback, explaining how they could've properly identified the phishing attempt and how to avoid real attacks in the future.
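To make the sending, monitoring and analyzing steps concrete, here is an added example (not tooling from the original page or the service it describes) of how a simulation platform can issue per-recipient tracking links that carry no personal data, then roll the recorded interactions up into per-department rates and a list of employees who need feedback. The landing URL, the campaign secret, the recipient list and the event log are all constructed for the example.

```python
"""Tokenised phishing-simulation links and per-department result metrics."""
import hashlib
import hmac
from collections import defaultdict

# Hypothetical campaign secret; in practice load it from a secrets store.
CAMPAIGN_SECRET = b"example-campaign-secret-do-not-reuse"
LANDING_URL = "https://training.example.com/l"  # hypothetical landing page

# Constructed target audience: (recipient id, department).
RECIPIENTS = [
    ("u001", "Finance"), ("u002", "Finance"), ("u003", "Finance"),
    ("u004", "Engineering"), ("u005", "Engineering"),
    ("u006", "Sales"), ("u007", "Sales"), ("u008", "Sales"),
]


def make_token(recipient_id: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Opaque per-recipient token: an HMAC over the id, so the link carries
    no name or e-mail address and nobody can forge a token for another user."""
    return hmac.new(secret, recipient_id.encode(), hashlib.sha256).hexdigest()[:16]


def tracking_link(recipient_id: str) -> str:
    """The URL embedded in that recipient's simulated phishing email."""
    return f"{LANDING_URL}?t={make_token(recipient_id)}"


def build_token_map(recipients):
    """Server-side lookup from token back to (id, department)."""
    return {make_token(rid): (rid, dept) for rid, dept in recipients}


def sample_events():
    """Constructed event log as the tracker would record it: (token, event).
    Stages: clicked -> submitted (entered credentials); reported is independent."""
    t = make_token
    return [
        (t("u001"), "clicked"), (t("u001"), "submitted"),
        (t("u002"), "clicked"),
        (t("u004"), "reported"),
        (t("u006"), "clicked"), (t("u006"), "clicked"),  # duplicate click
        (t("u007"), "submitted"),  # a credential submission implies a click
        (t("u008"), "reported"),
        ("deadbeefdeadbeef", "clicked"),  # token not issued by us: ignored
    ]


def stages_per_recipient(recipients, events):
    """Map recipient id -> set of stages reached, counting each stage once."""
    token_map = build_token_map(recipients)
    per_user = defaultdict(set)
    for token, event in events:
        if token not in token_map:
            continue  # unknown token, e.g. someone probing the landing page
        rid, _ = token_map[token]
        per_user[rid].add(event)
        if event == "submitted":
            per_user[rid].add("clicked")  # keep the funnel consistent
    return per_user


def analyze(recipients, events):
    """Per-department click, credential-submission and reporting rates."""
    per_user = stages_per_recipient(recipients, events)
    by_dept = defaultdict(list)
    for rid, dept in recipients:
        by_dept[dept].append(rid)
    result = {}
    for dept, rids in by_dept.items():
        sent = len(rids)
        count = lambda stage: sum(stage in per_user[r] for r in rids)
        result[dept] = {
            "sent": sent,
            "click_rate": round(count("clicked") / sent, 3),
            "submit_rate": round(count("submitted") / sent, 3),
            "report_rate": round(count("reported") / sent, 3),
        }
    return result


def failed_recipients(recipients, events):
    """Recipients who clicked or submitted: the follow-up list for feedback."""
    per_user = stages_per_recipient(recipients, events)
    return sorted(rid for rid, _ in recipients if "clicked" in per_user[rid])


if __name__ == "__main__":
    print(tracking_link("u001"))
    for dept, m in analyze(RECIPIENTS, sample_events()).items():
        print(dept, m)
    print("needs feedback:", failed_recipients(RECIPIENTS, sample_events()))
```

Two details matter in practice: deduplicating per recipient so a double click does not inflate the rate, and treating a credential submission as a click so the funnel is never inverted. Reporting rate is worth tracking alongside click rate, because a department that reports the email quickly limits the damage even when some people click.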