Phishing simulations have become standard practice in UK organisations. HR sends a fake phishing email, tracks who clicks, and makes everyone who failed complete an online training module. Click rates drop for a few weeks. Then they creep back up. The cycle repeats quarterly with diminishing returns.
The problem is not that phishing simulations are useless. They serve a valid awareness function. The problem is that organisations treat them as a comprehensive measure of human security risk when they test only one narrow scenario: whether an employee clicks a link in a suspicious email.
What Simulations Miss
Real social engineering attacks go far beyond email links. Attackers call reception desks impersonating IT support. They tailgate through secure doors carrying a box of printer paper. They send text messages posing as delivery drivers. They use LinkedIn to build rapport with employees over weeks before making a request for sensitive information.
Phishing simulations also test individual responses in isolation. Real attacks target the organisation as a system. An attacker who obtains one employee’s credentials through phishing then uses that access to send more convincing internal phishing to other staff. The simulation tests a single link. The real attack tests the entire response chain.
William Fieldhouse, Director of Aardwolf Security Ltd, comments: “Phishing simulations measure click rates. Real social engineering assessments measure organisational resilience. We test whether staff verify unusual requests through alternative channels, whether reception challenges unknown visitors, whether IT helpdesks follow identity verification procedures before resetting passwords. These are the controls that stop real attacks, and they require realistic testing to evaluate.”
Realistic Testing
Engage a best penetration testing company to conduct social engineering assessments that reflect genuine attack techniques. Test physical security, telephone pretexting, and multi-stage attacks that combine technical exploitation with human manipulation. Measure whether your organisation detects and responds to the attack, not just whether one person clicks a link.
Integrate social engineering into your broader penetration testing programme. An attacker who gains credentials through a phone call and then uses them to access your VPN represents a realistic scenario that tests both human and technical defences simultaneously.
Building Genuine Resilience
Continue running phishing simulations as one component of a broader programme. Add verification procedures that staff can follow when they receive unusual requests. Create a culture where questioning suspicious communications is encouraged rather than seen as obstructive.
Reporting culture matters more than click rates. An organisation where staff routinely report suspicious emails to the security team catches threats faster than one where staff silently delete them or, worse, feel embarrassed about falling for a simulation and say nothing. Encourage reporting, celebrate it publicly, and never punish people for asking whether an email is genuine.
Measure the right metrics. Time to report a suspicious email matters more than whether someone clicked a link. The percentage of phishing attempts reported by staff gives a more accurate picture of organisational resilience than the percentage who were tricked by a specific simulation scenario.
Request a penetration test quote that includes social engineering testing alongside technical assessments. Understanding how your organisation responds to realistic attacks, rather than simplified simulations, provides the insight needed to build defences that actually work.