
How to Run a Friendly Phishing Test for Your Employees

Phishing tests have a reputation problem.

People hear the word “phishing” and instantly picture hackers in hoodies, HR getting involved, someone getting embarrassed in a meeting. Basically. Fear.

But it does not have to be like that at all.

A good internal phishing test can feel more like a mini office game. A little nudge. A quick reminder that email is weird and you are allowed to be suspicious. And if you do it right, your team walks away sharper, not stressed.

Also. The secret weapon.

A Coffee Reward for people who report the fake test emails. More on that soon.

What a “friendly” phishing test actually means

A friendly phishing test is not a trap designed to catch someone messing up.

It is a practice drill, like a fire drill, except nobody has to stand outside in the parking lot. The point is to build the habit of pausing for five seconds before clicking.

Friendly means:

  • No shaming. No “gotcha” tone.
  • No punishments.
  • No tricking people with personal stuff (like payroll, medical, or anything that feels invasive).
  • Quick feedback when someone reports it.
  • Simple follow up training that takes minutes, not hours.

If your employees finish the test thinking “ok, that was kind of fun and I get what to look for,” you nailed it.

Step 1: Decide what you are trying to teach (pick one thing)

Most phishing tests fail because they try to test everything at once.

Pick one theme per test. One.

Examples:

  • Hover over links before clicking
  • Check the sender name and domain carefully
  • Watch for urgent pressure language
  • Spot fake login pages
  • Recognize “unexpected attachment” messages

You can run another test next month. Keep this one clean.

Step 2: Tell people up front (yes, really)

This is where some teams get weird and secretive. Don’t.

If your goal is long term security behavior, you actually want employees to know you run friendly tests sometimes. That knowledge itself changes behavior in a good way.

Try a short announcement like:

“Over the next few months we are going to run occasional friendly phishing simulations. No one is in trouble if they click. If you report a test email using the Report Phish button (or forward it to security), you might win a coffee on us.”

That’s it. That is enough.

You are setting the vibe. Practice, not punishment.

Step 3: Set up an easy way to report suspicious emails

If reporting is annoying, people just delete the email and move on. Which is better than clicking, sure. But reporting is the habit you actually want.

Your options:

  • A mail client button like “Report Phish” (best)
  • A shared security mailbox (for example a “security@” address on your own domain)
  • A ticket form (fine, but slower)
  • Forward to IT with a specific subject line like “PHISHING?”

Whatever you pick, make it dead simple and consistent.

And make sure the people receiving reports respond nicely. This matters more than you think.

A short reply like:

“Nice catch. Thanks for reporting.”

That alone reinforces the behavior.

Step 4: Pick a phishing test tool (or run it manually, carefully)

You have two broad paths.

Option A: Use a phishing simulation platform

This is easiest for tracking, templates, and automation. Common platforms include:

  • Microsoft Defender for Office 365 (Attack simulation training) if you are already on Microsoft 365
  • KnowBe4
  • Cofense
  • Proofpoint security awareness tools
  • Mimecast awareness tools

Pros: reporting metrics, landing pages, auto follow ups

Cons: costs money, takes setup, sometimes templates are a little dramatic unless you tune them

Option B: Run a small manual test

If you are a smaller team, you can send a test email from an internal account or from a lookalike domain you own and control. Register and configure the lookalike domain rather than forging your real one: a forged message from your own domain should fail your own SPF and DMARC checks, and you do not want to punch a hole through them just for a drill.

If you do this manually, be careful with:

  • Not collecting passwords. Ever.
  • Not asking for sensitive info.
  • Not spoofing your own executives in a way that feels gross.
  • Keeping the reveal obviously safe: the page a click lands on should have no forms, no downloads and nothing to type, just the explanation.

If you are unsure, use a platform. Or ask your IT partner to do it properly.

Step 5: Write a friendly test email (keep it realistic, not evil)

A friendly phishing email should feel like something that could happen on a normal Tuesday.

Good themes that are not too spicy:

  • “New shared document” with a link
  • “Package delivery” notification
  • “Updated company policy” with an attachment (but do not use HR benefits stuff)
  • “Zoom recording available” link
  • “Your mailbox is almost full” warning (classic, and still effective)

What to avoid in a friendly culture:

  • Fake payroll changes
  • Fake disciplinary action
  • Fake medical info
  • Fake layoffs (please do not)
  • Anything involving personal banking, taxes, or family

You are testing awareness, not trust in the company.

A sample email you can use

Subject: Quick review needed: shared doc

Body:

Hi,

I shared a document with you and need your review today.

Open it here: [link]

Thanks,

Project Team

Simple. Not scary. Just enough to trigger that “wait who is this” moment.

Step 6: Decide what happens when someone clicks

This is the moment where you set the tone for the whole program.

If someone clicks, send them to a landing page that says something like:

“All good. This was a friendly phishing simulation.

Here are the 3 clues that gave it away.”

Then list the clues, in plain language:

  • The sender address was slightly off
  • The link domain did not match what it claimed
  • The message created urgency without details

Add one tiny tip at the bottom:

“Next time, report it using the Report Phish button. You might earn a Coffee Reward.”

Friendly. No lectures. No guilt.

Step 7: Build the Coffee Reward (the fun part)

People respond to incentives. Not because they are selfish. Because it makes the behavior feel seen.

Here are a few easy ways to do a Coffee Reward:

  • Every valid reported simulation email = one coffee voucher
  • Weekly raffle: each report is one entry, winner gets coffee
  • Team based: if the whole department reports it (and nobody clicks), coffee run for the group
  • Leaderboard, but only for “reports” not “clicks”

Keep the reward small and cheerful. The point is the ritual.

Important detail: reward reporting, not perfection

If someone clicks and then immediately reports, that is still a win. They recovered fast and raised their hand. Reward that.

You are training “notice and respond”, not “never make a mistake”.

Step 8: Keep the results private and focus on patterns

This is where friendly programs either stay friendly or turn into a stress machine.

Do not publish a list of who clicked.

Do not call people out in team meetings.

Do not send managers a “your person failed” email unless you are doing it with a very mature, supportive approach. Even then. Eh.

What you should share:

  • Overall reporting rate
  • Overall click rate
  • Most common clue people missed
  • One or two tips for next time

Example message to the company:

“Thanks for playing along with our friendly phishing drill this week.

18 people reported the email (nice), 6 clicked, and 4 of those clicked and then reported right away, which is exactly what we want.

The biggest clue was the link domain, it did not match the service name.

Next drill will be in a few weeks. Coffee Rewards are going out today.”

That is how you keep trust.
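Here is how the numbers in that message fall out of a raw event log, as an added example in Python (not code from this post or from any of the platforms named above). It keys everything off the order of events per person, so “clicked and then reported” is counted as the win the Coffee Reward section says it is, and the one function meant to leave the security team returns counts, never names. The event log, timestamps and recipient ids are constructed placeholders.

```python
"""Per-recipient outcomes and company-wide numbers for one drill.
Added example; the event log below is constructed and the recipient
ids are placeholders. Only counts leave this script, never names."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log of (timestamp, recipient, event), the shape a simulation
# platform export or a mail-flow log would give you. Ten people were sent
# the test email.
EVENTS = [("2024-03-05T09:00:00", f"u{i:02d}", "sent") for i in range(1, 11)] + [
    ("2024-03-05T09:04:12", "u01", "reported"),
    ("2024-03-05T09:06:30", "u02", "reported"),
    ("2024-03-05T09:07:05", "u03", "clicked"),
    ("2024-03-05T09:08:41", "u03", "reported"),   # clicked, then raised a hand
    ("2024-03-05T09:10:00", "u04", "clicked"),
    ("2024-03-05T09:10:20", "u04", "clicked"),    # second click, counted once
    ("2024-03-05T09:15:00", "u05", "clicked"),
    ("2024-03-05T10:02:00", "u05", "reported"),
    ("2024-03-05T11:30:00", "u07", "reported"),
    ("2024-03-05T13:00:00", "u08", "clicked"),
    ("2024-03-05T13:05:00", "zz9", "clicked"),    # not in this drill, ignored
]


def classify(events):
    """Map each recipient who was sent the email to exactly one outcome."""
    first = defaultdict(dict)  # recipient -> {event: earliest timestamp}
    for ts, who, event in events:
        t = datetime.fromisoformat(ts)
        if event not in first[who] or t < first[who][event]:
            first[who][event] = t
    outcomes = {}
    for who, seen in first.items():
        if "sent" not in seen:
            continue  # stray token, not part of this drill
        clicked, reported = seen.get("clicked"), seen.get("reported")
        if clicked and reported:
            outcomes[who] = ("clicked_then_reported" if clicked <= reported
                             else "reported_then_clicked")
        elif reported:
            outcomes[who] = "reported"
        elif clicked:
            outcomes[who] = "clicked"
        else:
            outcomes[who] = "no_action"
    return outcomes


def summarize(outcomes):
    """Company-wide numbers: the things Step 8 says you may share."""
    counts = Counter(outcomes.values())
    sent = len(outcomes)
    reported = sum(v for k, v in counts.items() if "reported" in k)
    clicked = sum(v for k, v in counts.items() if "clicked" in k)
    return {
        "sent": sent,
        "reported": reported,
        "clicked": clicked,
        "clicked_then_reported": counts["clicked_then_reported"],
        "reporting_rate": reported / sent if sent else 0.0,
        "click_rate": clicked / sent if sent else 0.0,
    }


def coffee_list(outcomes):
    """Everyone who reported, including those who clicked first:
    reward reporting, not perfection."""
    return sorted(who for who, outcome in outcomes.items() if "reported" in outcome)


def company_message(summary):
    """The all-hands note. Counts only; who clicked stays with the security team."""
    return (
        f"{summary['reported']} people reported the email, {summary['clicked']} clicked, "
        f"and {summary['clicked_then_reported']} of those clicked and then reported right away."
    )


if __name__ == "__main__":
    outcomes = classify(EVENTS)
    print(company_message(summarize(outcomes)))
    print("coffee goes to:", ", ".join(coffee_list(outcomes)))
```

The only list that names people is the coffee list, and it is built from reports, not clicks, so it is safe to hand to whoever buys the coffee.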

Step 9: Run small tests more often, not massive tests once a year

One huge test a year turns into a whole event. People dread it.

Instead:

  • Start with quarterly
  • Move to monthly if your team is comfortable
  • Keep each test short and focused

Your goal is steady habit building. Not shock and awe.

Step 10: Add a 3 minute “what to look for” cheat sheet

After each test, give people something tiny they can remember.

Here is a simple cheat sheet you can paste into Slack or email:

The 5 second phishing check:

  1. Do I recognize the sender address, not just the display name?
  2. Is this message trying to rush me?
  3. Does the link go where it says it goes (hover first)?
  4. Was I expecting this attachment or request?
  5. If unsure, report it. Do not “figure it out alone”.

That’s enough. You do not need a 45 minute training video for every test.
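Two of those five questions (is the sender address, not the display name, one you know; does the link go where it says) plus the urgency check can be run by whoever handles the report mailbox before sending the “Nice catch” reply, and the result doubles as the clue list for the Step 6 landing page. The Python below is an added example, not code from this post or from any of the platforms mentioned earlier. The sample message is a constructed version of the Step 5 email; every domain in it uses example.com or the reserved .example TLD, and TRUSTED is a placeholder for your own domains.

```python
"""Triage checks for a reported email: the machine-checkable items from
the 5 second phishing check (sender address vs display name, link text vs
real destination) plus a scan for urgency language. Added example; the
sample message and every domain in it are constructed (example.com and the
reserved .example TLD), and TRUSTED stands in for your own domains."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"example.com"}  # placeholder: your organisation's registered domains
URGENCY = ("today", "immediately", "urgent", "within 24 hours", "asap")

# Constructed sample of the Step 5 "shared doc" test email as it would land
# in the report mailbox. The visible link text does not match the href.
SAMPLE = """\
From: Project Team <docs@example-docs.example>
To: someone@example.com
Subject: Quick review needed: shared doc
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi,</p>
<p>I shared a document with you and need your review today.</p>
<p>Open it here: <a href="https://login.example-docs.example/d/abc">https://docs.example.com/d/abc</a></p>
<p>Thanks,<br>Project Team</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname. Crude (no public-suffix list), but
    enough to tell docs.example.com from login.example-docs.example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(raw_eml, trusted=TRUSTED):
    """Return plain-language clues for the reply or the landing page."""
    msg = message_from_string(raw_eml, policy=policy.default)
    clues = []

    # Check 1: the sender address, not just the display name
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2]
    if registered_domain(sender_domain) not in trusted:
        note = f" (display name '{display}')" if display else ""
        clues.append(f"sender address is {addr}{note}")

    # Check 3: does each link go where it says it goes?
    part = msg.get_body(preferencelist=("html", "plain"))
    content = part.get_content() if part is not None else ""
    collector = LinkCollector()
    collector.feed(content)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            clues.append(f"link text says {shown.group(1)} but goes to {host}")
        elif registered_domain(host) not in trusted:
            clues.append(f"link goes to {host}, not one of your domains")

    # Check 2: is the message trying to rush me?
    hits = [w for w in URGENCY if w in content.lower()]
    if hits:
        clues.append("urgency language: " + ", ".join(hits))
    return clues


if __name__ == "__main__":
    for clue in triage(SAMPLE):
        print("-", clue)
```

The domain comparison is deliberately simple; for real triage you would swap registered_domain for a public-suffix-list lookup, but the shape of the check (compare what the text claims with where the href actually goes) is the whole lesson.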

A few friendly rules that will save you headaches

  • Never ask employees to enter their real password on a test page
  • Never use fear themes like “you will be fired” or “legal action”
  • Make it easy to report from mobile
  • Make sure leadership is included in the tests too
  • If someone reports a real phishing email, celebrate that even more than the tests

Also. If you mess up the vibe once, people remember. So stay consistent.

Wrap up (the whole point)

A phishing test is supposed to create confidence.

Confidence that it is normal to pause. Normal to question an email. Normal to report something even if you are not 100 percent sure.

If your employees feel like they are being hunted, they will hide mistakes. If they feel like they are part of a team sport, they will report more. They will learn faster.

So run the friendly test. Keep it light. Teach one thing at a time.

And yes. Send the Coffee Reward to the people who report the fake email.

It sounds small. It works weirdly well.

FAQs (Frequently Asked Questions)

What is a friendly phishing test and how does it differ from traditional phishing tests?

A friendly phishing test is a practice drill designed to build awareness and safe habits around email security without shaming or punishing employees. Unlike traditional tests that may feel like traps, friendly tests focus on quick feedback, no punishments, and simple follow-up training, making the experience more like a mini office game than a stressful event.

Why should organizations inform employees about upcoming phishing simulations in advance?

Telling employees upfront about friendly phishing simulations sets a positive tone of practice rather than punishment. It encourages cautious behavior by making people aware that such tests happen occasionally, reducing fear and increasing the likelihood they will engage with the training effectively.

What are some effective themes to focus on in a phishing test?

Effective themes include teaching employees to hover over links before clicking, carefully check sender names and domains, watch out for urgent pressure language, spot fake login pages, and recognize unexpected attachments. Focusing on one theme per test keeps the exercise clear and manageable.

How can organizations make reporting suspicious emails easy and encouraging?

Organizations should set up simple and consistent reporting methods such as a ‘Report Phish’ button in the mail client, a shared security mailbox, or forwarding to IT with specific subject lines. Responding promptly and positively to reports with messages like ‘Nice catch. Thanks for reporting.’ reinforces good habits.

What should be avoided when crafting phishing test emails to maintain a friendly culture?

Avoid using sensitive or personal topics such as payroll changes, disciplinary actions, medical information, layoffs, personal banking, taxes, or family-related content. Instead, use realistic but non-invasive themes like new shared documents, package delivery notifications, updated company policies (non-HR related), Zoom recording links, or mailbox full warnings.

What is the Coffee Reward system in phishing tests and why is it effective?

The Coffee Reward system incentivizes employees to report simulated phishing emails by offering rewards like coffee vouchers for each valid report or holding raffles with coffee prizes. This positive reinforcement makes security awareness feel appreciated rather than punitive, encouraging ongoing vigilance.
