Phishing
Three Months of Phishing Simulation Data from SMB Engagements
Here's what we found running phishing simulations across 12 SMB clients over a 90-day period: the first simulation is almost never the interesting part. The interesting part is what happens after it.
Click rates, report rates, who clicked twice, who started reporting after never reporting — that's the data that tells you whether the program is working. The first simulation just gives you a starting point.
What We Measured and Why
The instinct with phishing simulations is to watch click rates. Lower is better, high is bad, done. But click rate alone misses most of what's happening.
The four metrics we tracked across all 12 engagements:
Click rate — Percentage of recipients who clicked the simulated phish. This is the failure metric everyone reports.
Report rate — Percentage of recipients who used the proper reporting channel (a report-phishing button or mailbox) to flag the simulation. This is often more useful than click rate because it shows users who recognized the threat and took the right action.
Time to click and time to report — How quickly users responded. A click within two minutes of delivery is a different risk profile than a click four hours later. Speed also matters for reporting: a simulation that gets reported in 15 minutes by multiple users tells you the organization has functional detection behavior.
Repeat behavior — Who clicked more than once across the three months, and who consistently reported. Repeat clickers need targeted intervention. Consistent reporters are potential peer coaches.
Month One: The Baseline
Across the 12 engagements, first-simulation click rates ranged from about 18% to over 40%, depending on client size and sector. The SMBs with no prior phishing simulation history landed at the high end. That's expected — a first simulation measures the organization before any awareness effect.
Context on benchmarks
Industry benchmarks put average phishing simulation click rates around 4% for mature programs, but that number doesn't apply to an SMB that has never run a simulation. Their 30% click rate isn't a sign the organization is unusually vulnerable. It's just a starting point.
Report rates in month one were low across most clients. The median was around 8–12%. Some organizations had no report mechanism configured, so users who recognized the phish had no formal channel for it — they either did nothing or sent an email to IT directly.
One finding that consistently surprised clients: new employees were disproportionately represented in the clickers. Research backs this up — new hires are roughly 44% more likely to click malicious links in their first three months. Onboarding is a phishing risk window, and most SMBs don't run simulations timed to it.
Baseline Security — $600/mo
Monthly phishing simulations for up to 25 users, with click and report rate tracking — included in Tier 1.
Month Two: The Inflection Point
The second simulation is where you find out if the first one produced a learning moment or just a bad memory.
In most engagements, click rates dropped between month one and month two — but not uniformly. Clients where managers debriefed the first simulation openly, explaining what it was and why, saw larger drops. Clients where the simulation was treated as a gotcha or not discussed saw smaller improvements.
Generic phishing awareness training — a one-time annual module or a passive video — improves click-through rates by roughly 1.7% over a control group in monthly testing. The incremental improvement from training alone is small. What actually moves the number is feedback, coaching, and repetition.
“The clients that saw the biggest drop in click rates by month two weren't the ones with the most sophisticated security stacks. They were the ones where managers had a direct conversation after month one.”
Report rates improved more consistently than click rates. By month two, most clients had a functioning report button configured, and users who'd been told explicitly “use this button” were using it. The median report rate moved from around 10% to around 20–25%.
Month Three: Where the Data Gets Useful
By month three, patterns emerged that single simulations never would have revealed.
Repeat clickers
A small percentage of users — typically 5–10% of the population in each engagement — clicked in both month one and month two. These are not people who are generally careless. They're often users in roles with high email volume and frequent vendor communications — finance, operations, client services. They click because clicking is what they do all day, and a plausible-looking email doesn't trigger enough friction to pause. For this group, generic awareness training has limited impact. Role-specific coaching and configured email warnings for external senders produced better outcomes.
Consistent reporters
Every engagement produced a cohort of users who reported phishing attempts consistently — not just the simulations. These users tend to be in IT-adjacent roles or have some prior security experience, but not always. A few were receptionists or office managers who just happened to pay attention. These users are assets. They're informal detection sensors. Recognizing them and making the reporting pathway frictionless matters.
Population exposure
Across three months of simulations, the share of each organization's population that had encountered at least one phish ranged from 70% to nearly 100%, depending on targeting. This is the argument for quarterly simulation over annual: an annual simulation might reach 20–30% of staff if poorly timed, while quarterly campaigns build broad coverage.
The Benchmark Problem
Phishing simulation benchmarks circulate widely but need context. A 4% industry average click rate tells you almost nothing about where your SMB clients should be, because the benchmark aggregates organizations with mature multi-year programs alongside first-time simulators.
More useful reference points:
- A failure rate under 5% is a reasonable target for an organization with 12+ months of consistent simulation and training
- A report rate of 70% or higher is considered strong — most SMBs aren't near that at month one, and most can realistically reach 30–40% by month three with a functioning report mechanism and post-simulation coaching
- New hires in their first 90 days should be treated as elevated risk and ideally receive targeted simulation within their first month
The SMB Security Checklist includes phishing program benchmarks alongside identity, endpoint, backup, and documentation controls — a practical starting point for assessing your current posture.
Get the SMB Security ChecklistWhat This Means for SMB Phishing Programs
One-off simulations don't produce durable behavior change.
They produce temporary awareness, which decays. Monthly micro-learning combined with quarterly simulations maintains the awareness effect better than annual training does.
Report rate matters as much as click rate.
An organization where 30% of people click but 40% report is in a better position than one where 10% click but 1% report. Reporting is detection behavior. It's the human equivalent of an alert firing, and it's what catches the phishes that aren't simulations.
The conversation after the simulation is the training.
The simulation itself just creates data. What a manager does with that data — whether they address it directly, normalize reporting, and explain what was being tested and why — determines whether month two looks different from month one.
Shame-based framing makes outcomes worse.
Clients who received simulation results as "these people failed" saw less improvement than clients who framed it as "here's where we are and here's what we're working on." The goal is behavior change, not accountability theater.
The Actual Finding
The first phish tells you where your people are. The next three months tell you whether they moved.
That's the honest summary. No simulation program produces dramatic results overnight, and the ones that claim otherwise are usually cherry-picking their best cohort. What consistent simulation does is create a feedback loop: test, coach, test again, and watch whether coaching produced anything.
For SMBs with limited security staff and no dedicated security team, phishing simulation is one of the few detection and training mechanisms that scales without a large budget. A $30/user/year simulation platform catches real phishing attempts alongside the simulations, trains users through repetition rather than passive video, and produces data showing whether the investment is working. The data from 12 engagements over 90 days says it does work — more in some organizations than others, and consistently better when someone takes the results seriously enough to talk about them.
What's in a Battice phishing simulation
GoPhish platform
Realistic simulations delivered to your staff's actual inboxes — not a sandbox
Click & report metrics
Per-user results showing who clicked, who reported, and time-to-response
Monthly results report
Formatted for insurer review — click rate, report rate, and trend over time
Post-simulation guidance
Debriefing notes and recommended follow-up coaching for the current month's results
Included in Tier 1
Monthly Phishing Simulation — Baseline Security
Battice Systems includes monthly phishing simulations (up to 25 users) with full click and report rate tracking as part of the Baseline Security tier at $600/month. Results include a per-simulation report showing who clicked, who reported, and how the numbers are trending.