When it comes to running phishing simulation campaigns, what is the best practice on how often they should be run, and at what cadence should phishing simulation emails be sent out? Some organizations only run a campaign once per quarter, sending out a simulated phishing email about once per week, while other organizations run continuous campaigns, sending out phishing simulations about once every 2 weeks. What are other organizations doing and what is the best practice?

Chief Information Officer in IT Services, 16 hours ago

A phishing simulation campaign is not sent, and is not to be sent, very frequently. Users will get used to it. Campaigns should be sent specifically around a time of interest, for example free tickets during the World Cup, during income tax returns, during festive seasons with offers, etc., which will truly test the users. Best practice is to time the campaign during such events and not as a routine activity.

Chief Information Security Officer in Manufacturing, 2 days ago

Best practice is to conduct phishing simulations monthly or quarterly, balancing frequency to maintain awareness without causing fatigue.
Many organizations do bi-weekly or monthly campaigns, adjusting based on employee engagement and the threat landscape. Continuous simulations can be effective but should be paired with comprehensive training to ensure long-term security awareness.
