Phishing Simulation: From Knowledge to Know-How
Did you know that nearly one person in three clicks on a fake phishing email sent as part of a simulation, even before any cybersecurity training? This figure, taken from KnowBe4's 2025 global report, is not proof of carelessness. It is simply human.
Because between knowing how to recognize a threat and actually recognizing it in the heat of the moment, there is a world of difference. This is exactly the gap a phishing simulation helps to bridge: learning in a safe environment, without trapping or blaming anyone, and with a click rate reduction of up to 86 % over twelve months.

1. Understanding what a phishing simulation really is
A phishing simulation is a fake phishing email sent intentionally to the members of a team, in a controlled and safe setting. The email reuses the codes of a real phishing email: tone, layout, sense of urgency, link to click. The only difference is that it comes from your organization, not from a fraudster.
The goal is never to trap people or to shame them. The goal is to learn. You can take all the training you want; it is by living through a realistic situation that you develop the right reflex.
In practice, a simulation unfolds in three simple steps. First, the fake email is sent to the whole team or to a targeted group. Then, we observe: who clicks on the link, who enters their information, who reports the email as suspicious, who ignores it. And finally, we learn: the people who clicked are automatically redirected to a short educational module that explains the clues they could have spotted. No judgment, just learning, at the moment when it is most relevant.
2. Identifying the real value of this exercise for an organization
Why invest in a simulation when you already have awareness training? Because the two tools answer different questions.
Training conveys knowledge: here are the signals to recognize, here are the reflexes to adopt. The simulation, on the other hand, measures what actually happens when that knowledge is put to the test in the work context. And the numbers speak for themselves. According to KnowBe4's Phishing By Industry Benchmarking Report 2025, based on 14.5 million users across 62,400 organizations, the global baseline rate is 33.1 %. In other words, before any training, about one person in three clicks on a fake email sent in a simulation. But after twelve months of regular training and simulations, this rate drops to 4.1 %, a reduction of 86 %.
These concrete data allow an organization to measure the real level of vigilance of its team, to identify where to focus awareness efforts, and to durably reinforce the right reflexes through successive simulations. The progress is visible, measurable, and above all, it benefits the whole team.
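As an added example (not CY-clic's code, nor the code of any particular simulation platform), here is how the "observe" step from section 1 and the rates discussed in this section can be computed from the results of a campaign. The event log below is constructed, and the campaign names, user ids and outcome labels are assumptions. Only aggregates are produced, so individual results stay confidential and the numbers can be compared from one campaign to the next.

```python
"""Aggregate scoring for phishing simulation campaigns.

Added example, not CY-clic's code. Assumes a constructed event log with one
record per recipient per campaign, where 'outcome' is what the platform
observed for that recipient: ignored, reported, clicked, or submitted.
"""
from collections import defaultdict
from dataclasses import dataclass

# Outcomes a simulation platform typically records for each recipient
# (assumed labels; a real platform may name them differently).
OUTCOMES = ("ignored", "reported", "clicked", "submitted")


@dataclass(frozen=True)
class Event:
    campaign: str   # campaign identifier (assumed format)
    user: str       # recipient identifier, never shown in the output
    outcome: str    # one of OUTCOMES


def campaign_rates(events, campaign):
    """Return aggregate rates for one campaign as percentages of recipients.

    'click_rate' counts everyone who clicked, including those who went on to
    enter their information; 'submit_rate' counts only those who entered it.
    """
    recipients = [e for e in events if e.campaign == campaign]
    if not recipients:
        raise ValueError(f"no events for campaign {campaign!r}")
    counts = defaultdict(int)
    for e in recipients:
        if e.outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {e.outcome!r}")
        counts[e.outcome] += 1
    n = len(recipients)
    clicked = counts["clicked"] + counts["submitted"]
    return {
        "recipients": n,
        "click_rate": round(100 * clicked / n, 1),
        "submit_rate": round(100 * counts["submitted"] / n, 1),
        "report_rate": round(100 * counts["reported"] / n, 1),
    }


def reduction(baseline_rate, followup_rate):
    """Percentage reduction of a rate between two campaigns: 100 * (1 - new/old)."""
    if baseline_rate <= 0:
        raise ValueError("baseline rate must be positive")
    return round(100 * (1 - followup_rate / baseline_rate), 1)


def trend(events):
    """Aggregate rates for every campaign in the log, ordered by campaign name."""
    names = sorted({e.campaign for e in events})
    return [(name, campaign_rates(events, name)) for name in names]


# Constructed sample log: the same 12 recipients in a baseline campaign and
# in a follow-up campaign run after the educational modules were delivered.
SAMPLE_EVENTS = [
    *[Event("2025-Q1", f"user{i}", "ignored") for i in range(1, 8)],    # 7 ignored
    Event("2025-Q1", "user8", "reported"),
    Event("2025-Q1", "user9", "clicked"),
    Event("2025-Q1", "user10", "clicked"),
    Event("2025-Q1", "user11", "submitted"),
    Event("2025-Q1", "user12", "submitted"),
    *[Event("2025-Q3", f"user{i}", "ignored") for i in range(1, 7)],    # 6 ignored
    *[Event("2025-Q3", f"user{i}", "reported") for i in range(7, 12)],  # 5 reported
    Event("2025-Q3", "user12", "clicked"),
]


if __name__ == "__main__":
    results = trend(SAMPLE_EVENTS)
    for name, rates in results:
        print(name, rates)
    first, last = results[0][1], results[-1][1]
    print("click rate reduction: %.1f %%" % reduction(first["click_rate"], last["click_rate"]))
```

The report rate is worth tracking alongside the click rate: a team that clicks less but also reports more is the outcome the educational modules are meant to produce, and a falling click rate with a flat report rate usually means people are ignoring the email rather than recognizing it.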
3. Setting up a simulation without making anyone feel guilty
The human factor is at the heart of cybersecurity, but it can also become a source of tension if the simulation is poorly presented. A few simple principles make it possible to get all the value out of the exercise while preserving trust within the team.
First, transparency upfront. The team must know that simulations will be deployed during the year. Not the exact date, nor the content of the email, but the general principle. This prevents the people who get caught from feeling targeted or betrayed.
Second, a caring tone. The educational module that follows a click must be informative, not guilt-inducing. The mistake is a learning opportunity, not a professional fault. Individual results remain confidential and are never used for evaluation purposes.
Third, regularity. A single simulation gives a snapshot at a single moment. Several simulations spread over time make it possible to see how behaviours evolve and to measure the real impact of awareness efforts. It is over time that a cybersecurity culture takes hold.
So here are our 3 key ideas for approaching phishing simulation with peace of mind:
- First, understand that this tool is not a trap, but a learning experience designed to move learning from theory to practice;
- Then, measure your team without judging it, using the results to adjust awareness efforts rather than to point fingers;
- Finally, embed the simulation over time, because it is regularity that turns good reflexes into automatic habits.
At CY-clic, we offer a phishing simulation solution for organizations that want to concretely test the level of vigilance of their teams and reinforce their training with hands-on experience.
We support every step of the process: the creation of simulated phishing emails tailored to your context, sending them to targeted groups, tracking the results, as well as the automatic delivery of educational modules to the people who clicked.
The goal is not to point fingers, but to turn a realistic situation into a learning opportunity. If you would like to set up this type of simulation in your organization, come talk to us. We will look together at what would make the most sense for your team.
Because in cybersecurity, knowing how to recognize a threat is good… but having already experienced it once in a safe setting is even better.
WHO ARE WE?
Our mission is to train companies to adopt better online practices, to push back fraudsters and hackers, and to prevent so many years of effort from evaporating in a single click!
When we think of cybersecurity, we think of technologies and infrastructure. Why do we forget that the user plays a role in 90 % of attacks and scams? We specialize in corporate cybersecurity training and fraud prevention.
For more information, visit our Training section.
