Skip to main content
SMB employee receiving a phishing simulation email.

SMBs should always strive to improve their phishing training so their employees are ready to identify phishing emails in their personal and professional life, resulting in a smaller attack surface for malicious actors to take advantage of. Phishing simulations remain one of the best ways to train employees on the best practices for handling actual phishing attacks. Our team here at Robinett Consulting thinks they are so important that we wanted to share even more tips on how small businesses can craft the best phishing simulations for their employees!

Highlighting Education

When beginning a phishing simulation, small businesses should make sure to focus on education before anything else. Phishing simulations will provide statistics for those who opened malicious emails and who fell for the phishing attack, but these statistics should be used to adapt company cybersecurity training to employee needs. It may be tempting to look at these statistics to identify who needs to be punished for poor cybersecurity habits, but this won’t always improve cybersecurity outcomes. Rather, an SMB should first identify why employees click on malicious links and then adapt their training to address employee knowledge and vigilance before considering disciplinary action.

Varied Phishing Simulations

We’ve already mentioned that phishing simulations should be targeted towards the people receiving them, so, for example, marketing employees should be sent phishing training that mimics content they might actually receive. Along with this, your phishing simulations should not send the same exact email to every employee in that department at the same time. Having multiple training emails for each department will keep employees vigilant and encourage them to talk to each other about the different emails they received and how they identified those malicious emails!

Drawing Strong Conclusions

Along with educating employees on phishing tactics, simulations are meant to help small business IT departments strategize better cybersecurity training for company staff. To do this, IT staff should ensure they’ve run an adequate number of simulations on each department in their company. Waiting for all the data from multiple phishing campaigns can give a deeper understanding of why some employees are clicking on phishing emails. IT staff can also provide more training to high-risk employees and use those simulation results to better train specific people or departments based on the results.


Taking the time to plan a strong phishing simulation campaign can go a long way in improving cybersecurity outcomes for a small business, and our security specialists want to give SMBs all the resources they need to craft strong campaigns. If your simulations focus on educating staff and providing a variety of learning opportunities for employees, then this will allow your IT staff to draw strong conclusions for how to improve your phishing training! Our security specialists here at Robinett Consulting are also always ready to help your business create better phishing simulations the moment you feel you need a reliable partner in IT!

Robinett Consulting

Author Robinett Consulting

At Robinett Consulting, we are your consultative partner who strives to grow your business and have technology truly enabling you. We aim to understand you and your business so that you do what you do best unhindered by your IT.

More posts by Robinett Consulting