How To Run An Effective Phishing Test At Work

Conducting a company-wide phishing test is an effective way to train employees to identify and report potential phishing scams, which will help keep your business safer in the long run. But how exactly do you run an effective phishing test at work? That’s where ANAX can help by providing your company with the proper Phishing Security Training, conducting a Phishing test, and offering resources on advanced security measures such as Multi-Factor Authentication. Check out our SMB guide to MFA for more information on reinforcing what employees learned from their training.

Planning A Phishing Test At Work

In the lead-up to the phishing test, prepare yourself and your employees for success by providing training, creating a process for reporting potential phishing scams, and implementing a phishing test that becomes increasingly realistic and harder to identify. Combined, these steps will ensure that the phishing security test is a successful one.

Train And Notify Employees

As with any proper test, you must prepare your employees for the upcoming phishing test by first informing them that there will be one, and then providing them with training on how to spot and report potential scams. This will ensure that your employees are not blindsided by a “gotcha!”-style test that will only yield negative results and may do more to hurt morale around the office.

Spotting Phishing Emails

In real life, scammers who send phishing emails will try to make the emails look as convincing as possible, using familiar names, job titles, and companies to trick middle and upper management into sharing sensitive information. It’s important to train employees to look for the subtle signs that an email is phony.

Employees should look for:

  • Inconsistencies in email addresses, links, and domain names
  • Suspicious email attachments
  • Requests for credentials, financial information, or personal details
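
The three signs above can also be checked automatically when triaging messages that employees report. The Python sketch below is an added example, not part of the original article or an ANAX tool; the extension list, the keyword list, and every address and domain in the sample message are assumptions made up for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed, illustrative lists; tune both to your own mail flow.
RISKY_EXT = (".exe", ".js", ".scr", ".iso", ".docm", ".html")
ASKS = re.compile(r"password|credentials|bank details|card number", re.I)
# Simplified anchor matcher, good enough for triage, not a full HTML parser.
A_TAG = re.compile(r"<a\s[^>]*href=[\"']([^\"']*)[\"'][^>]*>(.*?)</a>", re.I | re.S)

def host(s):
    """Host name at the start of a URL or of link text, else None."""
    m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", s.strip(), re.I)
    return m.group(1).lower() if m else None

def domain(header):
    """Domain part of the address in a From or Reply-To header."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def phishing_signs(msg):
    """Return the sorted warning signs found in an EmailMessage."""
    signs = set()
    if msg["Reply-To"] and domain(msg["Reply-To"]) != domain(msg["From"]):
        signs.add("reply-to domain differs from sender")
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(RISKY_EXT):
            signs.add("risky attachment")
        elif part.get_content_maintype() == "text":
            body = part.get_content()
            if ASKS.search(body):
                signs.add("asks for credentials or financial data")
            for href, text in A_TAG.findall(body):
                shown = host(re.sub(r"<[^>]+>", "", text))
                if shown and shown != host(href):
                    signs.add("link text and target differ")
    return sorted(signs)

def sample():
    """Constructed test message; every name and domain here is made up."""
    m = EmailMessage()
    m["From"] = "IT Helpdesk <helpdesk@example.com>"
    m["Reply-To"] = "helpdesk@example-support.test"
    m.set_content('<p>Confirm your password at <a href='
                  '"http://login.example-support.test/">portal.example.com</a></p>',
                  subtype="html")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="invoice.docm")
    return m
```

Calling phishing_signs(sample()) returns all four signs for the constructed message. A message with none of them returns an empty list, which means only that these heuristics found nothing, not that the message is safe.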

Reporting Phishing Scams

In addition to spotting suspicious emails, you also want employees to report these emails. To do this, simply set up a dedicated email address for employees to use. This email address could be or

Once your employees have been trained on how to identify and report suspicious emails, you can begin to send increasingly realistic and challenging phishing test emails once a month or even quarterly. Sending multiple emails out over a long period will keep your employees on their toes.

Conclude the Tests and Provide Additional Training

After the phishing test campaign has ended, you should measure the success of the campaign by using data from link clicks, the number of employees that leaked data, and the number of employees that reported the suspicious phishing emails. Using these metrics, you can go back and provide additional training.