🧪 Running Simulations

You don’t need to turn your office into a spy movie to build awareness — just help people practice spotting the weird stuff before it matters.

Simulations work best when they feel like learning, not punishment.


🎯 What simulations are for

  • To build confidence, not fear
  • To find training gaps, not “gotchas”
  • To give people practice, not points

When you treat phishing tests like trick questions, you lose trust.
When you use them to teach, people start spotting the real thing.


💌 Phishing simulations

If you run fake phishing tests, make sure they:

- Are realistic, not ridiculous (“Win a free car!” isn’t helpful)
- Match current scam trends in Australia
- Give instant feedback — a short, friendly explainer page works best

Good example

You send a fake invoice email.
When clicked, it opens a page that says:

“Hey, this was a test — and you’re not alone. Here’s what to watch for next time.”


🎲 Tabletop exercises

These are discussion-based scenarios where your team talks through “what if” situations.

Keep them:

- 30–45 minutes max
- Role-based (finance, IT, HR, leadership)
- Realistic but safe to fail

Flagged Tip

The goal isn’t to win the scenario — it’s to find the gaps and fill them together.


🤝 After-action review

Always debrief after a simulation. Ask:

1. What surprised us?
2. What worked well?
3. What could we do faster next time?

Then actually apply those lessons.


💬 Keep it light

If you can make people laugh while they learn, you’ve won.
“Spot the phish” leaderboards, coffee vouchers, or memes go a long way.


🎥 Watch & Learn

(Video: How to run phishing simulations that help, not humiliate.)


Next up: Reporting Playbook