When I started building PhishSim, I thought the challenge was technical: reliable delivery, click tracking, convincing landing pages. I was wrong. The real challenge is psychological. After creating and testing 80 phishing templates and 40 landing pages, the biggest lesson was about human nature, not technology.
The most effective templates are not the most technically sophisticated. They are the ones that best exploit urgency, authority, and routine. A fake email from IT saying "your account will be deactivated in 2 hours" has an enormously higher click rate than a perfectly crafted banking phish. Why? Because the user receives emails from IT every day - it is normal, familiar. The brain does not activate suspicion filters.
Lessons from the data
Simulation data reveals clear patterns. Monday morning has the highest click rate - people are tired, the inbox is full, and the rush to process emails reduces attention. Emails that mimic internal processes (approvals, HR updates, password resets) outperform those mimicking external services. And post-click training - showing the user what they should have noticed - is enormously more effective than any classroom course.
PhishSim's technical setup - Postfix for SMTP relay, Mailgun as fallback, Wazuh integration for monitoring - ensures emails actually reach the inbox rather than the spam folder, because a simulation that ends up in spam simulates nothing real.
The most important result: after three months of regular simulations, the average click rate in organizations I work with drops from 25-30% to 5-8%. Not with traditional training. With direct experience. People learn much more from almost-being-fooled than from a PowerPoint slide about security.
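The patterns above (weekday, template category, trend across campaigns) come from simple aggregation over the simulation's send/click records. As an added illustration, not PhishSim's own code, here is that aggregation in Python over a constructed event sample, computing click rate by weekday, by template category, and per campaign month.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of simulation events (not real PhishSim data):
# (send timestamp, template category, campaign month index, clicked?)
EVENTS = [
    ("2024-03-04T08:30:00", "internal", 1, True),
    ("2024-03-04T09:10:00", "internal", 1, True),
    ("2024-03-04T09:45:00", "external", 1, False),
    ("2024-03-05T14:00:00", "external", 1, True),
    ("2024-03-06T11:20:00", "internal", 1, False),
    ("2024-03-07T10:05:00", "external", 1, False),
    ("2024-04-08T08:50:00", "internal", 2, True),
    ("2024-04-09T15:30:00", "external", 2, False),
    ("2024-04-10T09:00:00", "internal", 2, False),
    ("2024-04-11T13:15:00", "external", 2, False),
    ("2024-05-06T08:40:00", "internal", 3, False),
    ("2024-05-07T10:30:00", "external", 3, False),
    ("2024-05-08T09:25:00", "internal", 3, False),
    ("2024-05-09T16:00:00", "external", 3, False),
]

def click_rate_by(events, key):
    """Group events by key(event); return {group: clicked / sent}, rounded to 3 places."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for ev in events:
        group = key(ev)
        sent[group] += 1
        clicked[group] += int(ev[3])
    return {g: round(clicked[g] / sent[g], 3) for g in sent}

def by_weekday(events):
    # Weekday name of the send time, e.g. "Monday"
    return click_rate_by(events, lambda ev: datetime.fromisoformat(ev[0]).strftime("%A"))

def by_category(events):
    # Template category: internal process vs external service
    return click_rate_by(events, lambda ev: ev[1])

def by_month(events):
    # Campaign month index, to follow the trend across repeated simulations
    return click_rate_by(events, lambda ev: ev[2])

if __name__ == "__main__":
    print(by_weekday(EVENTS), by_category(EVENTS), by_month(EVENTS))
```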
If you want to dive deeper into this topic or need specialized consulting, let us talk.