Your Employees Are One Click Away from a Breach: Why Quarterly Phishing Simulations Are No Longer Optional
Sarsa Technology • March 29, 2026 • 8 min read
A third of your employees will click on a phishing email right now -- today -- if one lands in their inbox. That is not speculation. That is the finding from KnowBe4's 2025 Phishing by Industry Benchmarking Report, which analyzed 67.7 million phishing simulations across 14.5 million users at over 62,000 organizations worldwide. The global average baseline "phish-prone percentage" sits at 33.1%, meaning one in three untrained employees will interact with a simulated phishing message.
For business leaders, this is not an abstract risk metric. It is the gap between a normal Tuesday and a multimillion-dollar incident.
Phishing Is Still the Number One Way Attackers Get In
Despite billions spent annually on firewalls, endpoint detection, and zero-trust architectures, phishing remains one of the most effective ways criminals breach organizations. According to the 2025 Verizon Data Breach Investigations Report (DBIR), the human element -- errors, social engineering, and credential misuse -- played a role in 60% of all confirmed breaches. Phishing was identified as a top initial attack vector, responsible for roughly 16% of breaches and ranking as one of the costliest entry points.
The financial toll is staggering. IBM's 2024 Cost of a Data Breach Report found that breaches originating from phishing attacks cost organizations an average of $4.76 million per incident, while the global average cost of a data breach reached an all-time high of $4.88 million. For small and mid-sized businesses, these numbers can be existential -- studies show that SMBs lose an average of $200,000 per successful phishing attack.
The threat is also evolving rapidly. The Anti-Phishing Working Group recorded over 1.13 million phishing attacks in Q2 2025 alone, the highest quarterly total in years. CrowdStrike documented a 442% increase in voice phishing (vishing) between early and late 2024. And AI-generated phishing emails are achieving click-through rates of 54%, compared to just 12% for traditionally crafted messages, making attacks harder to spot and more likely to succeed.
Why Phishing Simulations Matter
If phishing is the front door attackers keep using, phishing simulations are the fire drills that teach your people to stop opening it.
A phishing simulation campaign sends realistic but harmless phishing emails to employees, then measures who clicks, who reports, and who ignores the message. When combined with targeted training for those who fall for the simulation, these programs transform your workforce from your weakest link into an active line of defense.
The evidence is compelling. KnowBe4's benchmarking data shows that organizations implementing regular phishing simulations and security awareness training reduced their phish-prone percentage by 40% within just 90 days and by 86% after 12 months of consistent training. In high-risk industries like healthcare and hospitality, improvement rates reached as high as 91% in mid-sized organizations.
Beyond click-rate reduction, the 2025 Verizon DBIR found that employees trained on phishing awareness within the past 30 days were four times more likely to report suspicious emails than untrained staff -- a 21% reporting rate compared to just 5%. Reporting is critical: the faster a phishing attempt is flagged, the faster your security team can contain it before damage spreads.
Phishing simulations also serve a compliance function. Major cybersecurity frameworks increasingly expect organizations to conduct security awareness training that includes practical exercises:
- ISO 27001:2022 (Clause 7.2.2) requires documented competency assessments and ongoing awareness activities, with phishing simulations recommended as a best practice.
- CMMC 2.0 includes an Awareness and Training domain that mandates regular security training and testing of employee knowledge.
- NIST Cybersecurity Framework recommends simulated phishing campaigns as part of a comprehensive security awareness program.
- PCI DSS 4.0, HIPAA, and SOC 2 all include security awareness training requirements that phishing simulations help satisfy.
Why Quarterly Testing Is the Minimum -- Not the Goal
Many organizations still treat phishing awareness as an annual checkbox exercise: one training video in January, one simulated email in March, and nothing until the following year. The data shows this approach fails.
Research compiled in KnowBe4's security awareness training whitepaper demonstrates that training efficacy wanes within three to six months if not reinforced. Employees who received annual-only training showed phish-prone percentages above 10%, while those tested quarterly dropped to 8.92%. Organizations running monthly simulations saw further improvement to 5.48%, and those conducting weekly testing achieved rates as low as 1.79%.
The pattern is clear: more frequent testing produces better results. But frequency alone is not enough -- the cadence must be sustainable and strategic.
For most small and mid-sized businesses, quarterly phishing simulations represent the practical minimum to maintain meaningful security posture improvement. According to industry best practices compiled by Advantage Technology, quarterly campaigns strike the right balance between building lasting habits and avoiding resource strain. Organizations with higher risk profiles -- those in finance, healthcare, government, or handling sensitive data -- should aim for monthly or even bi-weekly simulations for high-exposure roles.
The most effective programs combine frequency with adaptiveness. Organizations that tailor simulation difficulty and frequency based on individual employee performance and role-specific risk achieve 40% better outcomes than one-size-fits-all approaches.
Best Practices for Running Effective Phishing Simulations
Running a phishing simulation is straightforward. Running one that actually changes behavior requires deliberate planning. Here are six practices that separate effective programs from performative ones:
1. Establish a Baseline Before You Train
Before launching any training program, send a baseline phishing simulation to measure your organization's current phish-prone percentage. This gives you an honest starting point and makes future improvement measurable. Do not warn employees in advance -- you need an unbiased snapshot.
2. Use Realistic, Varied Scenarios
Simulations should mirror the tactics attackers actually use: credential harvesting pages, fake invoice notifications, urgent CEO requests, package delivery alerts, and multi-factor authentication reset prompts. Rotate templates regularly so employees learn to recognize patterns, not just memorize specific emails.
3. Deliver Immediate, Constructive Feedback
When an employee clicks a simulated phishing link, redirect them immediately to a brief training module explaining what they missed and how to spot it next time. This "teachable moment" approach is far more effective than delayed, generic training sessions. Frame it as education, never punishment.
4. Track and Act on Metrics Beyond Click Rates
Click rates matter, but they are not the whole picture. Track reporting rates (are employees flagging suspicious emails?), time-to-report, repeat offender rates, and department-level trends. Identify your highest-risk groups and provide them with additional, targeted training.
5. Escalate Difficulty Over Time
Start with moderately obvious phishing attempts and gradually increase sophistication as your organization's resilience improves. Include spear-phishing simulations tailored to specific departments, and eventually test with scenarios that mimic advanced persistent threats.
6. Engage Leadership and Communicate Results
Share simulation results with department heads and executive leadership regularly. When leaders take phishing seriously -- and when they participate in simulations themselves -- it sets the cultural tone that cybersecurity is everyone's responsibility, not just IT's problem.
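Practices 1 and 4 above, and the adaptive programs mentioned earlier, all come down to arithmetic over the campaign export your simulation platform produces. The following is an added example, not Sarsa Technology's code and not any vendor's export format: it scores two constructed campaigns (a baseline and a later "invoice" template) for phish-prone percentage, reporting rate, median time-to-report, repeat offenders and per-department trend, then applies a simple cadence rule per user. The record layout, the user and department names, the timestamps and the tier thresholds are all assumptions made for the illustration.

```python
"""Scoring phishing-simulation campaigns from a per-recipient export.

Added example; record format and all values are constructed, not a real
platform's export. Each row is one (campaign, recipient) pair.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import NamedTuple, Optional


class Result(NamedTuple):
    campaign: str
    user: str
    department: str
    action: str                 # "clicked", "reported" or "ignored"
    sent: str                   # ISO timestamp the simulated email was sent
    reported_at: Optional[str]  # ISO timestamp of the report, None if not reported


# Constructed sample export: a Q1 baseline and a Q2 fake-invoice campaign.
RESULTS = [Result(*row) for row in [
    ("Q1-baseline", "alice", "finance",     "clicked",  "2026-01-14T09:00:00", None),
    ("Q1-baseline", "bob",   "finance",     "ignored",  "2026-01-14T09:00:00", None),
    ("Q1-baseline", "carol", "sales",       "reported", "2026-01-14T09:00:00", "2026-01-14T09:07:00"),
    ("Q1-baseline", "dave",  "sales",       "clicked",  "2026-01-14T09:00:00", None),
    ("Q1-baseline", "erin",  "engineering", "clicked",  "2026-01-14T09:00:00", None),
    ("Q1-baseline", "frank", "engineering", "ignored",  "2026-01-14T09:00:00", None),
    ("Q1-baseline", "grace", "engineering", "reported", "2026-01-14T09:00:00", "2026-01-14T09:15:00"),
    ("Q2-invoice",  "alice", "finance",     "clicked",  "2026-04-08T10:30:00", None),
    ("Q2-invoice",  "bob",   "finance",     "reported", "2026-04-08T10:30:00", "2026-04-08T10:52:00"),
    ("Q2-invoice",  "carol", "sales",       "reported", "2026-04-08T10:30:00", "2026-04-08T10:33:00"),
    ("Q2-invoice",  "dave",  "sales",       "ignored",  "2026-04-08T10:30:00", None),
    ("Q2-invoice",  "erin",  "engineering", "reported", "2026-04-08T10:30:00", "2026-04-08T10:45:00"),
    ("Q2-invoice",  "frank", "engineering", "reported", "2026-04-08T10:30:00", "2026-04-08T12:30:00"),
    ("Q2-invoice",  "grace", "engineering", "clicked",  "2026-04-08T10:30:00", None),
]]


def _rows(results, campaign):
    return [r for r in results if r.campaign == campaign]


def _fraction(results, campaign, action):
    rows = _rows(results, campaign)
    return sum(r.action == action for r in rows) / len(rows)


def phish_prone_pct(results, campaign):
    """Share of recipients who interacted with the simulated email, in percent."""
    return round(100 * _fraction(results, campaign, "clicked"), 1)


def reporting_rate(results, campaign):
    """Share of recipients who reported the email without clicking, in percent."""
    return round(100 * _fraction(results, campaign, "reported"), 1)


def median_minutes_to_report(results, campaign):
    """Median delay from send to report among reporters; None if nobody reported."""
    delays = [
        (datetime.fromisoformat(r.reported_at) - datetime.fromisoformat(r.sent)).total_seconds() / 60
        for r in _rows(results, campaign) if r.reported_at
    ]
    return median(delays) if delays else None


def improvement_pct(results, baseline, latest):
    """Relative drop in phish-prone percentage from the baseline campaign to a later one."""
    b = _fraction(results, baseline, "clicked")
    l = _fraction(results, latest, "clicked")
    return round(100 * (b - l) / b, 1) if b else 0.0


def repeat_offenders(results, min_clicks=2):
    """Users who clicked in at least min_clicks distinct campaigns."""
    clicks = defaultdict(set)
    for r in results:
        if r.action == "clicked":
            clicks[r.user].add(r.campaign)
    return sorted(u for u, camps in clicks.items() if len(camps) >= min_clicks)


def department_trend(results):
    """Click percentage per department per campaign: {department: {campaign: pct}}."""
    totals = defaultdict(lambda: defaultdict(int))
    clicked = defaultdict(lambda: defaultdict(int))
    for r in results:
        totals[r.department][r.campaign] += 1
        clicked[r.department][r.campaign] += r.action == "clicked"
    return {d: {c: round(100 * clicked[d][c] / n, 1) for c, n in camps.items()}
            for d, camps in totals.items()}


def training_tier(results, user):
    """Adaptive cadence rule (constructed thresholds, not a vendor standard):
    repeat offenders get one-on-one coaching, a click in the most recent
    campaign moves the user to a monthly cycle, everyone else stays quarterly."""
    own = sorted((r for r in results if r.user == user), key=lambda r: r.sent)
    if not own:
        return "unknown"
    if user in repeat_offenders(results):
        return "coaching"
    if own[-1].action == "clicked":
        return "monthly"
    return "quarterly"


if __name__ == "__main__":
    for camp in ("Q1-baseline", "Q2-invoice"):
        print(camp, phish_prone_pct(RESULTS, camp), reporting_rate(RESULTS, camp),
              median_minutes_to_report(RESULTS, camp))
    print("improvement:", improvement_pct(RESULTS, "Q1-baseline", "Q2-invoice"))
    print("repeat offenders:", repeat_offenders(RESULTS))
    print("by department:", department_trend(RESULTS))
    print({u: training_tier(RESULTS, u) for u in sorted({r.user for r in RESULTS})})
```

Note that the department view can show a group holding steady at the same click rate while the company-wide number improves, which is exactly the signal practice 4 asks you to act on; and the repeat-offender list feeds the constructive follow-up described in practice 3 rather than any disciplinary process.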
How Sarsa Technology Can Help
Building a phishing simulation program from scratch -- selecting the right platform, designing realistic scenarios, analyzing results, and integrating findings into a broader security strategy -- is a significant undertaking, especially for organizations without a dedicated security team. This is where working with an experienced cybersecurity partner makes a meaningful difference.
Sarsa Technology helps small and mid-sized businesses design, implement, and manage phishing simulation programs that go beyond checkbox compliance. As a cybersecurity consulting firm with deep expertise in IT transformation and managed security services, Sarsa Technology works with organizations to assess their current security posture, establish baseline measurements, and build a phishing awareness program tailored to their industry, risk profile, and organizational culture. Their approach integrates phishing simulations into a comprehensive cybersecurity hygiene strategy that includes employee training, policy development, and incident response planning.
Rather than selling a software license and walking away, Sarsa Technology provides ongoing guidance -- helping you interpret simulation results, adjust campaign difficulty, address repeat offenders constructively, and demonstrate compliance with frameworks like ISO 27001, CMMC, and SOC 2. For organizations navigating the complexity of modern cybersecurity threats without a large in-house team, having a trusted partner who understands both the technical and human dimensions of phishing defense is invaluable.
Take the First Step
Every week you wait is another week that one-third of your workforce is vulnerable to a phishing attack that could cost your organization millions. The good news is that phishing resilience is a trainable skill -- and with the right program, you can reduce that risk by over 86% within a year.
If you are ready to find out where your organization stands and build a phishing simulation program that delivers measurable results, contact Sarsa Technology for a consultation. A quick conversation today could prevent a costly breach tomorrow.
Sources
- KnowBe4 - 2025 Phishing by Industry Benchmarking Report: Security Training Reduces Global Phishing Click Rates by 86%
- Verizon - 2025 Data Breach Investigations Report
- IBM - 2024 Cost of a Data Breach Report
- AAG IT Support - The Latest Phishing Statistics (Updated 2025)
- Keepnet Labs - 2025 Phishing Statistics and Trends
- KnowBe4 - Data Confirms Value of Security Awareness Training and Simulated Phishing (Whitepaper)
- Keepnet Labs - 2025 Verizon Data Breach Investigations Report Key Facts
- Infosec Institute - ISO 27001 Compliance with Security Awareness Training
- Pivot Point Security - CMMC Awareness and Training Domain
- Advantage Technology - How Often Should You Run Phishing Simulations?
- Brightside AI - 7 Phishing Simulation Best Practices (2025 Guide)
