Beter Geregeld ICT
Security without an IT department · 6 min read · 09 June 2026

Phishing simulations for SMBs: worthwhile or a waste of time?

More and more small businesses are sending fake phishing emails to their own teams. Does it actually work — and how do you roll it out without damaging morale?

Over the past few years it has become commonplace: a fake email "from management" asking you to quickly buy some gift cards, or an "invoice" tempting your colleagues to click a link. Not from a criminal, but from a tool your own company deployed to see who would fall for it. They're called phishing simulations. Large organisations have been running them for years, and vendors are now firmly targeting the SMB market.

The question we often hear from office managers and business owners: should we be doing this too? The honest answer: sometimes yes, sometimes no — and the way you do it makes all the difference.

Why it's a good idea in principle

Phishing remains by far the most common way small businesses get hacked. Not through some clever zero-day exploit, but through an email that looked just real enough. Someone clicks, enters their login credentials on a fake site, and a week later an invoice arrives with a different bank account number than usual.

A well-run simulation does three things:

  • It makes the abstract concrete. "Watch out for phishing" is a warning nobody listens to anymore. An email that almost caught you personally — that sticks.
  • It shows you where you stand. Does 5% of your team click, or 40%? That difference tells you whether you need a quick refresher or a more structural approach.
  • It trains the reflex to report. Not just "I didn't click," but "I reported it straight away." That second part is what you really want.

Why it can also go wrong

We've seen it go sideways with clients. The classic mistakes:

The trap is too cruel

A simulation that promises "you're getting an €800 bonus — click here to confirm the details," sent out in December — that's not training, it's a social-cohesion bomb. People feel publicly humiliated, trust in the employer drops, and the next real phishing email still gets opened.

There's no follow-up

Someone clicks, gets a red screen saying "GOT YOU," and that's it. No explanation, no short training module, no second chance. People feel caught out without having learned anything.

The "scores" get shared

Lists of names showing who fell for it, forwarded to managers or — worse — pinned up in the kitchen. For most SMBs this is also a GDPR grey area, since it is personal data about job performance.

The bar is set too low

Sometimes the test emails are so obviously fake — typos, strange sender address, weird domain name — that everyone spots them. The result is a report that looks great on paper but says nothing about real attacks, which are far more professional.

How to do it right

A few principles that make the difference:

  1. Get the basics right first. A simulation only makes sense once your technical layers are in order. Are SPF, DKIM and DMARC set up correctly for your domain? Is MFA enabled on all accounts, not just in your Microsoft 365 environment? If not — start there. Running a simulation while gaps remain is like mopping the floor with the tap still running.
  2. Tell people upfront that it will happen. Not when, not how — but that it will become a normal part of working life. "We'll be sending fake phishing emails from time to time as practice. Here's how to report a suspicious message." This isn't giving the game away — it's exactly the outcome you're aiming for.
  3. Make reporting easier than clicking. A "Report suspicious email" button in Outlook or Gmail. A dedicated email address. Something that takes three seconds. If reporting is harder than clicking, you already know what will happen.
  4. Give immediate, personal feedback on a click. A short, plain-English explanation of what went wrong, three quick tips, and that's it. No lengthy e-learning package. No shame. No report to the manager.
  5. Measure the right things. Click rate is interesting, but the real KPI is report rate. What percentage of your team flags a suspicious email within an hour? That's where the real value lies.
  6. Build up the difficulty gradually. Start with easily recognisable templates and make them more realistic as the year goes on — internal sender, context-aware content, a sense of urgency. Otherwise your colleagues are training for a level that bears no resemblance to the real world.

Practicalities: how often and at what scale?

For SMBs, a light cadence works best: one simulation per quarter, targeting the whole team except colleagues who have just joined (they get a short introduction first). No daily barrage — that eats into productivity and patience alike.

Which tool? For teams of 5–50 employees there are perfectly good affordable options from specialist vendors. Microsoft Defender has it built in if you have an M365 Business Premium licence, which often means you're well covered without buying anything extra. One important point: choose a tool that communicates with your staff in their own language; otherwise you may miss the mark entirely.

The other side: should management take part too?

Yes, and management especially. CEO fraud and invoice fraud specifically target people with signing authority. If the owner or the person responsible for finances is left out "because they're too busy," you're training the wrong part of the organisation.

In closing

Phishing simulations are not a silver bullet. What they can do is create a safe practice environment in which your team learns to recognise what they're increasingly encountering in real life. But only if you run them without humiliation tactics — and only if the underlying technology is sound.

Not sure whether your own email security is in order before you start talking about training? Begin there. We regularly carry out an SPF/DKIM/DMARC check for SMBs who want to know how phishing-resistant their own domain actually is — often a more useful first step than a simulation.
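The "get the basics right" step above and the SPF/DMARC check mentioned here both come down to reading two DNS TXT records and spotting the weak settings. This is an added example, not the firm's own tooling: it assesses record strings you have already looked up (no DNS queries), using constructed sample records for the weak and the corrected setup. DKIM is left out because checking it needs the selector name, which differs per mail provider.

```python
import re

# Constructed sample records: a typical Microsoft 365 domain before and after hardening.
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
CORRECTED = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
}

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def assess_spf(record):
    """Return findings (strings) for an SPF TXT record; empty list means fine."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record"]
    if "all" in terms or "+all" in terms:       # bare 'all' defaults to '+'
        findings.append("SPF '+all' lets anyone send as your domain")
    elif "~all" in terms:
        findings.append("SPF softfail (~all): spoofed mail is only marked, not rejected")
    elif "?all" in terms:
        findings.append("SPF neutral (?all) gives receivers no signal")
    elif "-all" not in terms:
        findings.append("SPF has no 'all' mechanism, so unknown senders are not rejected")
    # Strip the qualifier and split on ':', '=' or '/' to get the mechanism name.
    names = [re.split(r"[:=/]", t.lstrip("+-~?"))[0].lower() for t in terms[1:]]
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        findings.append("more than 10 DNS lookups: SPF evaluates as permerror")
    return findings


def assess_dmarc(record):
    """Return findings for a DMARC TXT record; empty list means fine."""
    findings = []
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record"]
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam instead of being rejected")
    elif policy != "reject":
        findings.append("DMARC policy missing or invalid")
    if "rua" not in tags:
        findings.append("no rua address: you receive no aggregate reports")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct below 100: the policy applies to only part of the mail")
    return findings


def assess(records):
    """Combine SPF and DMARC findings for one domain's records."""
    return assess_spf(records["spf"]) + assess_dmarc(records["dmarc"])
```

Run `assess(WEAK)` and `assess(CORRECTED)` to see the two findings disappear once the records are hardened.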

Topics

#mkb #security #phishing #awareness #Mail Beveiliging

Full guide: Security for SMBs without an IT department: what are you doing this quarter?

This article is part of our extended Security without an IT department guide. Read the pillar for the complete picture.
