Security Awareness Training

Security Awareness Training That Actually Changes Behavior

Security awareness training transforms your employees from your biggest vulnerability into your first line of defense against phishing, social engineering, and credential theft. Vigil Cyber delivers ongoing training with simulated phishing campaigns, role-based content, and measurable results that satisfy compliance requirements.

91% of cyberattacks begin with a phishing email targeting an employee

82% of data breaches involve a human element — error, stolen credentials, or social engineering

70% reduction in phishing click rates achievable with a structured, ongoing training program

The Problem

Annual Training Videos Don't Work

The traditional compliance approach — annual security awareness video, completion certificate filed, done for the year — produces compliance documentation, not behavioral change. Employees forget 70% of what they learned within a week. The threat landscape they face in December bears no resemblance to the training they completed in January.

Attackers have noticed. AI-generated phishing emails now bypass the "look for typos and bad grammar" advice that was standard training content for the past decade. Spear-phishing campaigns use LinkedIn data to craft pretexts that feel completely legitimate. Voice phishing (vishing) uses synthetic voice cloning to impersonate executives. The threat has evolved — training needs to match.

Read: How AI Is Changing Phishing Attacks →

The Annual Checkbox Failure

Organizations that complete annual training and consider themselves covered are measuring activity (training completion), not outcome (behavioral change). The question isn't "did employees watch the video?" — it's "would they recognize and report the next phishing attempt?" Those require different measurement approaches and different program designs.

Compliance Requires More Than a Certificate

HIPAA, PCI DSS, and SOC 2 require documented workforce training programs — but auditors and regulators increasingly look for evidence that training is effective, not just completed. Phishing simulation metrics, repeat-offender tracking, and departmental click rates are the evidence that demonstrates program effectiveness. A completion certificate is a starting point, not a finish line.

Your Highest-Risk Employees Aren't Who You Think

Phishing simulation data consistently shows that click rates are highest in departments with high email volume and time pressure — finance, HR, and executive assistants. These are also the employees with access to wire transfer authorization, payroll systems, and executive credentials. Targeting training investment where risk is concentrated produces measurable risk reduction.

Program Components

A Complete Security Awareness Program

Effective security awareness is a program, not an event. Ours runs continuously, adapts to your threat environment, and produces metrics that demonstrate risk reduction over time.

Phishing Simulation Campaigns

Realistic, Ongoing Attack Simulations

Measure actual click rates and identify your highest-risk employees before attackers do.

Monthly phishing simulations using realistic pretexts — credential harvesting, invoice fraud, IT helpdesk impersonation, executive wire transfer requests — that reflect the actual campaigns hitting organizations in your industry. Simulations are randomized across your employee population with varying difficulty levels. Employees who click receive immediate, in-the-moment training rather than a delayed notification.

Interactive Training Modules

Engaging, Role-Based Content

Training employees actually complete and retain — not click through to skip.

Short, scenario-based training modules delivered monthly or triggered by simulation failures. Content is specific to role and industry — finance employees receive wire fraud scenarios, healthcare staff receive PHI handling scenarios, executives receive CEO fraud scenarios. Modules average 5-10 minutes and use interactive decision trees rather than passive video content, producing significantly higher retention rates.

Metrics and Reporting

Behavioral Data, Not Just Completion Rates

Prove risk reduction over time with data that satisfies auditors and underwriters.

Monthly reporting on phishing click rates by department, training completion rates, report-a-phish rates, repeat offender trends, and improvement over baseline. Quarterly trend reports show directional movement in your human risk score. Annual compliance reports document workforce training evidence in the format required by HIPAA, PCI DSS, and SOC 2 auditors.

Ongoing Reinforcement

Monthly Security Tips and Threat Briefings

Keep security top of mind without consuming employee time.

Monthly security newsletters and targeted threat alerts keep your team informed about current attack techniques relevant to your industry. When a major phishing campaign is targeting healthcare organizations or finance departments, your employees hear about it from us before they see it in their inbox. Reinforcement content is brief, practical, and actionable — not corporate filler.

Reporting Culture Development

Turn Observers Into Reporters

Build a workforce that reports suspicious activity instead of ignoring it.

The most valuable security control in any organization is an employee who recognizes something suspicious and reports it. We deploy report-a-phish buttons in email clients, track reporting rates alongside click rates, and positively reinforce reporting behavior. Organizations with high reporting rates catch real phishing attempts before they succeed — the email that didn't get clicked because an employee reported it first.

Repeat Offender Intervention

Targeted Remediation for High-Risk Individuals

Reduce risk concentrated in the employees who click on everything.

Employees who fail multiple simulations are automatically enrolled in targeted remediation training — additional modules, one-on-one coaching sessions, or role-specific intervention depending on their access level and risk profile. High-click employees with privileged access get more intensive attention. The goal is behavior change in the individuals who represent the highest actual risk.

Compliance-Specific Training

Training That Satisfies Your Specific Requirements

Different regulatory frameworks have different training requirements. Our program includes compliance-specific modules that document completion, content coverage, and employee attestation in the format auditors expect.

HIPAA

HIPAA Security Rule — Workforce Training

HIPAA requires covered entities to implement a security awareness and training program for all workforce members. The program must cover malicious software protection, procedures for monitoring login attempts and reporting discrepancies, and procedures for creating, changing, and safeguarding passwords. Our healthcare module addresses each requirement specifically, with employee attestation and completion records formatted for OCR audit documentation.

PCI DSS

PCI DSS v4.0 — Requirement 12.6

PCI DSS Requirement 12.6 mandates a formal security awareness program for all personnel involved in cardholder data environments. This includes initial training upon hire, annual training thereafter, and training tailored to address specific threats. Our PCI module covers cardholder data handling, social engineering recognition, and incident reporting procedures — with completion records suitable for QSA review.

SOC 2

SOC 2 — Common Criteria 1.4

SOC 2 Common Criteria 1.4 requires that the entity communicates its expectations for personnel regarding security. Auditors look for evidence of regular security training, awareness campaigns, and documented employee acknowledgment of security responsibilities. Our program produces the completion records, content documentation, and phishing simulation results that support SOC 2 audit evidence packages.

CMMC

CMMC Level 2 — AT.L2-3.2.1 and AT.L2-3.2.2

CMMC Level 2 Awareness and Training practices require that personnel be made aware of security risks associated with their activities and trained to carry out their assigned responsibilities. For contractors handling CUI, this includes specific training on insider threats, social engineering, and proper handling of controlled information. Our CMMC module maps directly to these practice requirements with the documentation needed for C3PAO assessment.

Measurable Outcomes

Metrics That Prove Risk Reduction

Security awareness training is one of the few security investments where behavioral change is directly measurable. Phishing simulation click rates, reporting rates, and repeat-offender trends give you a quantified view of your human risk — before and after training intervention.

Our monthly reporting gives you the data you need for board-level reporting, cyber insurance applications, and compliance evidence packages. When an underwriter asks about your security awareness program, you answer with metrics — not just a policy document.

Healthcare-specific training requirements →

Phishing Click Rate

Target: under 5%

Percentage of employees who click a simulated phishing link. Industry average at program start is 25-30%. Sustained programs achieve under 5%.

Report-a-Phish Rate

Target: over 20%

Percentage of employees who report a simulated phishing email. High reporting rates mean real attacks get flagged before they spread.

Training Completion Rate

Target: 95%+

Percentage of assigned training modules completed within the compliance window. Tracked by department and individual.

Repeat Offender Rate

Target: declining trend

Percentage of employees who fail three or more consecutive simulations. Declining trend indicates targeted intervention is working.

Time to Report

Target: under 30 minutes

How quickly employees report suspicious emails after receiving them. Faster reporting reduces the window for a real attack to succeed.

Departmental Risk Score

Target: risk-stratified

Click and reporting rates segmented by department, enabling targeted training investment in highest-risk groups.

What's Included

Everything in the Program

Unlimited phishing simulations — monthly or at custom cadence
Library of 1,000+ phishing templates including AI-generated pretexts
Automated training assignment triggered by simulation failures
Role-based and industry-specific training modules
HIPAA, PCI DSS, and CMMC compliance-specific modules
Report-a-phish button deployment for Outlook and Gmail
Monthly behavioral metrics reporting by department
Quarterly executive risk summary for leadership reporting
Annual compliance evidence package for auditors
Repeat offender tracking and automated escalation
New employee onboarding training automation
Dark web credential monitoring with employee alert notifications
Ready to Secure Your Business?

Get a free security assessment and discover how Vigil Cyber can protect your organization for a fraction of the cost of building an internal team.

24/7 SOC Coverage

<1hr Response Time

99.9% Uptime SLA