Corporate Phishing Simulation and Social Engineering Test Guide
How to build a corporate phishing simulation? Social engineering psychology, test metrics, SPF/DKIM/DMARC defense and the awareness loop, explained.
Quick Answer
A corporate phishing simulation is a test program that sends controlled, harmless fake phishing emails to employees under written authorization to measure clicking, credential entry and reporting behavior. With a baseline campaign, target-specific scenarios, KVKK/GDPR-compliant measurement and a repeated awareness loop, it continuously reduces human-driven risk.
Why Is Phishing Still the Biggest Threat?
The vast majority of cyberattacks start at the weakest link: the human. No matter how strong your firewall or how advanced your email gateway is, a single click from a persuaded employee can be enough for an attacker to get in. The Verizon Data Breach Investigations Report (DBIR) has for years shown that the human element plays a role in a large share of breaches and that phishing remains one of the most common techniques for initial access.
Organizations usually invest in technical defense but never measure how their employees would actually behave against real phishing. This is exactly the gap a corporate phishing simulation closes: with a controlled drill that imitates a real attack but causes no real harm, it makes the human attack surface measurable.
This article is not an individual fraud guide. If you are personally a phishing victim, read our I got scammed online, what to do guide. Here our focus is entirely on how to build a corporate simulation and test program.
The Psychology of Social Engineering: Hacking the Human
Though phishing looks like a technical attack, at its core it is a psychology game. The attacker manipulates human behavior, not code. Robert Cialdini's principles of persuasion explain the mechanism behind every successful phishing campaign.
Cialdini's Principles of Persuasion in Phishing
- Authority: People tend to obey authority figures. An email from the CEO, IT manager or a bank is accepted without question. This is the attacker's favorite mask.
- Urgency and Scarcity: Phrases like "Your account will be closed within 24 hours" or "Valid today only" stop the victim from thinking. Panic disables logic.
- Social Proof: Statements like "The whole department filled out this form" push the victim to follow the herd.
- Liking: A familiar name, a shared hobby or a friendly tone increases trust. Spear phishing exploits exactly this.
- Reciprocity: A gift, discount or offer of help creates a sense of obligation in the victim.
- Commitment: Attacks that start with a small commitment and gradually grow exploit the victim's desire to stay consistent with prior behavior.
A good simulation scenario deliberately uses these principles. For example a payroll update (authority + urgency) or a parcel delivery notice (curiosity + urgency) imitate the emotional triggers real attackers use.
Types of Phishing: Which Attack Are You Simulating?
Phishing is not one-size-fits-all. An effective program must test different channels and targeting levels. The table below compares the main types.
| Type | Channel | Targeting | Typical Target | Danger Level |
|---|---|---|---|---|
| Phishing (Bulk) | Email | Broad, not personalized | All employees | Medium |
| Spear Phishing | Email | Specific person/team, researched | Finance, HR, managers | High |
| Whaling | Email | Senior executives (CEO/CFO) | C-level, board | Very High |
| Smishing | SMS | Bulk or targeted | Mobile users | Medium-High |
| Vishing | Phone (voice) | Targeted, scripted | Help desk, finance | High |
| Quishing | QR code | Physical/digital | Office staff | Rising |
Brief Description of Types
- Phishing: Classic bulk, non-personalized phishing. Low cost, wide net.
- Spear Phishing: Personalized attack built with OSINT about the target, including name, role and project details.
- Whaling: Targets the very top of the company. Large transfers are pursued via fake investor, law firm or partner identities (CEO fraud / BEC).
- Smishing: Short links and urgency via SMS. Cargo, bank and e-government themes are common.
- Vishing: Voice-based social engineering over the phone. The attacker impersonates IT support or bank staff.
- Quishing: Phishing with QR codes. Links opening in the mobile browser can bypass email filters, fueling rapid growth.
The MITRE ATT&CK framework classifies this technique under Phishing (T1566), separating phishing via attachment, link and service as sub-techniques. A mature simulation program aims to test each of these ATT&CK sub-techniques in at least one campaign.
How to Build a Corporate Phishing Simulation Program
A successful program is not just sending random emails. It requires a measurable, ethical and repeatable loop. The steps below form the skeleton of a world-class program.
1. Scope and Authorization (Written Permission)
Everything starts with written authorization. Approval from senior management, the departments to be tested, the scenario types to be used, the campaign schedule and data processing limits should be clarified in a contract. All DSET testing, including the KAOS AI security engine, is conducted only within written authorization and contract; no real harm is done and no credentials are stored.
2. KVKK/GDPR and Ethical Framework
Simulation measures employee behavior and therefore involves personal data. For privacy compliance:
- Data minimization: only the minimum data needed to measure campaign success is collected.
- Anonymization: department/group-level reporting is preferred over individual blame.
- Transparency: employees are informed in general that "periodic security drills will be conducted" (the existence of the program, not the date of each campaign).
- Education, not punishment: the goal is to correct behavior, not to shame the employee. A punishment culture kills reporting.
3. Baseline Campaign
The first campaign photographs the current state. Without any training, the organization's click and report rates are measured as they are. This is the reference point against which progress will be benchmarked. Without a baseline you cannot prove improvement.
4. Target-Specific Scenario Generation
Generic templates are not realistic. Effective scenarios are organization-specific: the HR software used, cargo company, bank, cloud services and even current internal projects are themed. KAOS supports target-specific scenario generation here, preparing persuasive (but harmless) templates suited to the sector, role and current events. Scenarios are graded by difficulty: easy (obvious signs), medium (plausible) and hard (near-flawless spear phishing).
5. Campaign Execution and Tracking
Emails are sent gradually from a controlled infrastructure. Every interaction is tracked: was the email opened, was the link clicked, were credentials entered on the fake login page, was the attachment downloaded, and critically, did the employee report the email as suspicious. KAOS supports campaign tracking and measurement of this event chain.
6. Measurement and Reporting
At the end of the campaign, metrics are broken down by department, seniority and scenario type. The report provides a risk map to managers and instant teachable feedback to employees.
7. Training and Repetition (The Loop)
The moment an employee clicks, they are met with a short, non-judgmental training page (just-in-time training). Regular awareness training follows, and the campaign is repeated 4-8 weeks later with new scenarios. This continuous loop creates the lasting behavioral change a one-off test can never deliver.
Which Metrics Should You Measure?
A program's value is defined by the metrics it measures. "How many clicked" alone is insufficient. Here are the key indicators to track.
| Metric | What It Measures | Good Direction |
|---|---|---|
| Click Rate | Percentage of employees who click the link | Should fall |
| Credential Submit Rate | Percentage who enter data on the fake page | Should fall (most critical) |
| Report Rate | Percentage who report the suspicious email | Should rise |
| Attachment Open / Macro Run | Percentage opening dangerous attachments | Should fall |
| Reporting Speed | Time to first report | Should shorten |
| Repeat Clickers | Those clicking across multiple campaigns | Should decrease |
The most important and most overlooked metric is the report rate. You cannot drive the click rate to zero; people make mistakes. But a strong reporting culture alerts the security team in the first minutes of an attack, preventing the incident from spreading. In a mature organization, the goal is to raise the report rate as much as to lower the click rate.
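The metrics in the table above, computed from the event chain a campaign tracks (sent, clicked, credentials submitted, reported), as an added example that is not part of the original article or of KAOS. It assumes a constructed event log keyed by pseudonymous user ids and, in line with the data-minimization rule in the program steps, returns only department-level aggregates and a repeat-clicker count, never individual names:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample event log from two campaigns (not real data).
# Record: campaign id, pseudonymous user id, department, event, ISO timestamp.
EVENTS = [
    ("C1", "u1", "finance", "sent", "2024-03-04T09:00:00"),
    ("C1", "u1", "finance", "clicked", "2024-03-04T09:07:00"),
    ("C1", "u1", "finance", "submitted", "2024-03-04T09:08:00"),
    ("C1", "u2", "finance", "sent", "2024-03-04T09:00:00"),
    ("C1", "u2", "finance", "reported", "2024-03-04T09:03:00"),
    ("C1", "u3", "hr", "sent", "2024-03-04T09:00:00"),
    ("C1", "u3", "hr", "clicked", "2024-03-04T09:20:00"),
    ("C1", "u4", "hr", "sent", "2024-03-04T09:00:00"),
    ("C2", "u1", "finance", "sent", "2024-04-15T09:00:00"),
    ("C2", "u1", "finance", "clicked", "2024-04-15T09:05:00"),
    ("C2", "u2", "finance", "sent", "2024-04-15T09:00:00"),
    ("C2", "u3", "hr", "sent", "2024-04-15T09:00:00"),
    ("C2", "u3", "hr", "reported", "2024-04-15T09:12:00"),
    ("C2", "u4", "hr", "sent", "2024-04-15T09:00:00"),
]

def campaign_metrics(events, campaign):
    """Department-level rates and reporting speed; no user ids in the result."""
    per_dept = defaultdict(lambda: defaultdict(set))
    firsts = {}  # earliest "sent" and earliest "reported" timestamp
    for cid, uid, dept, ev, ts in events:
        if cid != campaign:
            continue
        per_dept[dept][ev].add(uid)  # a user counts once per event type
        if ev in ("sent", "reported"):
            t = datetime.fromisoformat(ts)
            firsts[ev] = min(firsts.get(ev, t), t)
    # Click, credential-submit and report rate per department (recipients as denominator)
    rates = {
        dept: {ev: len(evs[ev]) / len(evs["sent"]) for ev in ("clicked", "submitted", "reported")}
        for dept, evs in per_dept.items() if evs["sent"]
    }
    # Reporting speed: first send to first report in seconds; None when nobody reported
    speed = (firsts["reported"] - firsts["sent"]).total_seconds() if "reported" in firsts else None
    return rates, speed

def repeat_clickers(events):
    """Number of users who clicked in more than one campaign (a count, not a list)."""
    clicks = defaultdict(set)
    for cid, uid, _dept, ev, _ts in events:
        if ev == "clicked":
            clicks[uid].add(cid)
    return sum(1 for c in clicks.values() if len(c) > 1)
```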
Technical Defense: Completing the Simulation with Engineering
Awareness alone is not enough. The human layer must be supported with technical controls. Alongside the simulation, KAOS also supports technical email security auditing.
Email Authentication: SPF, DKIM, DMARC
These three records make it harder to send fake email on behalf of your domain:
- SPF (Sender Policy Framework): Declares in DNS which servers may send email on behalf of your domain. Misconfiguration opens the door to spoofing.
- DKIM (DomainKeys Identified Mail): Seals outgoing emails with a cryptographic signature, proving the content was not altered.
- DMARC (Domain-based Message Authentication): Binds SPF and DKIM to a policy. p=none only monitors; real protection requires p=quarantine or p=reject. DMARC reports show who is trying to impersonate your domain.
KAOS audits an organization's SPF/DKIM/DMARC configuration and reports weaknesses open to spoofing. In many organizations, DMARC is either absent or rendered ineffective with p=none.
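A small audit of the SPF and DMARC records described above, as an added example written for this article; it is not KAOS's audit code. It assumes the TXT records have already been fetched from DNS (the domain example.test and both record sets are constructed) and flags the weak settings the text names, with the hardened form of the same records beside them:

```python
# Constructed sample TXT records for a hypothetical domain (not real DNS data):
# one weak configuration and the corrected form of the same records.
WEAK_RECORDS = {
    "example.test": ["v=spf1 include:_spf.mailprovider.test +all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}
HARDENED_RECORDS = {
    "example.test": ["v=spf1 include:_spf.mailprovider.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"],
}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_domain(domain, records):
    """Return findings for SPF and DMARC; records maps a DNS name to its TXT strings."""
    findings = []
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record, so receivers cannot reject forged senders")
    else:
        last = spf[0].split()[-1].lower()  # the trailing 'all' mechanism sets the default
        if last in ("+all", "all"):
            findings.append("SPF: '+all' authorizes every host, spoofing is not prevented")
        elif last == "?all":
            findings.append("SPF: '?all' is neutral and gives receivers no signal")
        elif last == "~all":
            findings.append("SPF: '~all' is softfail; relies on an enforcing DMARC policy")
    dmarc = [r for r in records.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record, SPF/DKIM results are never enforced")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors, forged mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC: p= tag missing or invalid, policy cannot be enforced")
        if tags.get("pct", "100") != "100":
            findings.append("DMARC: pct<100 applies the policy to only part of the mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, aggregate reports will not arrive")
    return findings
```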
Other Technical Layers
- Secure Email Gateway: Filters known malicious links and attachments, and suspicious content via sandbox analysis.
- MFA (Multi-Factor Authentication): Prevents the attacker from accessing the account even if credentials are stolen. Phishing-resistant MFA (FIDO2/hardware keys) is the strongest layer.
- External email tagging: Adding a warning banner to emails from outside the organization makes impersonation attacks visible.
- DNS and link rewriting: Solutions that analyze clicked links in real time.
To see how technical defense behaves against a real attack, a comprehensive penetration testing process and pricing assessment complements the phishing simulation.
Beyond Email: Vishing and Physical Social Engineering
Phishing is not limited to email. A mature program also tests other channels.
Vishing (Phone-Based Social Engineering)
The attacker calls and impersonates IT support, a bank or a supplier. Scenarios like "There is a system issue, I need to verify your password" or "An urgent payment approval" are common. In a vishing simulation, an authorized test team measures whether employees share sensitive information on the phone. Help desk and finance teams are critical targets because these units are inherently programmed to be helpful.
Physical Social Engineering
- Tailgating: An unauthorized person following an authorized person through a door.
- USB drop: Malicious USB sticks left in the parking lot or lobby, plugged in out of curiosity.
- Impersonation: Physical access disguised as a technician, courier or cleaner.
- Shoulder surfing: Watching passwords or screens in open areas.
These tests are always conducted under written authorization and strict rules; the goal is to prove the gap, not to cause harm.
Real Scenario Examples
A few anonymized examples to make the program concrete:
- Scenario A (Payroll): An email from HR saying "Your new payslip is ready, log in to view." Authority + curiosity. The click rate is high at baseline and it is one of the most instructive scenarios.
- Scenario B (Cloud File Share): A fake cloud notification themed "A colleague shared a document with you." Social proof + liking. Tests credential harvesting.
- Scenario C (CEO Urgent Request / Whaling): A message to finance from the CEO saying "Urgent, transfer to this account, I will explain later." Mirrors BEC attacks exactly, measuring the finance team's verification reflex.
- Scenario D (QR Parking Fine): A quishing example; a fake parking-fine QR code opens on the mobile device, demonstrating the risk of bypassing email filters.
After each scenario, employees receive feedback that teaches them to recognize the same signs real attackers would use. To understand how insider threat and unauthorized access spread, our preventing internal attacks guide also illuminates the post-phishing lateral movement risk.
Key Statistics
- The Verizon DBIR reports year after year that the human element (error, social engineering, misuse) plays a role in a large share of breaches and that phishing is one of the most common paths to initial access.
- CISA emphasizes that social engineering and phishing are among the most frequently encountered attack vectors and that employee awareness is a critical defense layer.
- ENISA threat reports list phishing among the top threats year after year and note that targeted campaigns are increasing.
- NIST establishes that an effective security program must address human behavior alongside technical controls, with awareness training as a foundational control.
For current figures, consult the primary reports in the sources section; rates are updated each year.
Frequently Asked Questions
Is phishing simulation done to punish employees?
No. The goal is measurement and education, not punishment. A punishment culture leads employees to hide when they make mistakes and lowers the report rate. The right approach is to give clickers instant teachable feedback and position the program as a learning loop.
Does simulation violate data protection law?
Not when designed correctly. With data minimization, anonymous department-level reporting, senior management authorization and general notification of the program's existence to employees, it can be run in compliance with KVKK/GDPR. Not storing individual data and limiting via contract is essential.
How often should simulations be run?
The general consensus is quarterly (a campaign every 4-8 weeks). A one-off test does not create lasting behavioral change. Continuity keeps awareness fresh, and the loop reinforced with training lowers the click rate and raises the report rate over time.
Can we reduce the click rate to zero?
In practice no; people make mistakes and a perfect zero rate is unrealistic. A more realistic and valuable goal is to continuously lower the click rate while raising the report rate. Fast reporting allows an attack to be stopped in its first minutes.
What exactly does KAOS do in a phishing simulation?
KAOS is DSET's AI-powered offensive security agent. In phishing simulation it supports target-specific (sector and role appropriate) scenario generation, campaign tracking and technical email security (SPF/DKIM/DMARC) auditing. All activity is conducted within written authorization and contract; no real harm is done and no credentials are stored.
Is simulation or awareness training more important?
The two complement each other. Training provides knowledge, while simulation measures whether that knowledge is applied under real pressure. Training alone stays theoretical; simulation alone gives no direction. An effective program combines both in a measure-train-repeat loop.
Sources
- Verizon Data Breach Investigations Report (DBIR)
- CISA - Avoiding Social Engineering and Phishing Attacks
- ENISA - European Union Agency for Cybersecurity
- MITRE ATT&CK - Phishing (T1566)
- NIST - Cybersecurity
Ready to measure and reduce your organization's human-driven attack surface? DSET offers end-to-end corporate phishing simulation, from baseline campaign to a repeated awareness loop.
DSET Information and Cyber Security (established 2003). For corporate phishing simulation, awareness and KAOS support: +90 536 662 38 09.