Do’s and Don’ts for a Successful Internal Phishing Campaign: Strengthening Internal Security Awareness

Internal phishing campaigns play a crucial role in assessing an organisation’s internal security posture and strengthening employee awareness against potential cyber threats. By simulating phishing attacks from within the organisation, companies can identify vulnerabilities, educate employees, and promote a culture of cybersecurity. However, conducting an internal phishing campaign requires careful planning and execution. In this blog post, we will explore the do’s and don’ts for a successful internal phishing campaign to help organisations enhance their internal security practices.

The Do’s:

  1. Do Obtain Proper Authorisation: Seek explicit approval from relevant stakeholders, including management, legal, and HR departments, before initiating any internal phishing campaign. This authorisation ensures transparency and avoids potential legal or ethical complications.
  2. Do Define Clear Objectives: Clearly establish the goals and objectives of your internal phishing campaign. Whether it’s assessing employee susceptibility to phishing attacks, identifying areas for improvement, or reinforcing security training, having well-defined objectives will guide your efforts and enable accurate evaluation.
  3. Do Tailor Phishing Scenarios: Customise your phishing scenarios to reflect real-world threats and recent phishing trends. Craft emails that resemble actual phishing attempts employees may encounter, using similar techniques, subject lines, and sender addresses. This realism helps employees develop a critical eye for potential threats.
  4. Do Provide Educational Content: Accompany phishing campaigns with educational content that explains the purpose, risks, and consequences of falling for phishing attacks. Offer guidance on how to identify suspicious emails, report incidents, and follow best practices to enhance internal security awareness.
  5. Do Offer Immediate Feedback and Training: Provide immediate feedback to employees who interact with the phishing campaign, whether they click on a link or report a suspicious email. Use this opportunity to deliver targeted training on recognising phishing red flags, emphasising the importance of remaining vigilant.
  6. Do Track and Analyse Results: Monitor and analyse the results of your internal phishing campaign to gain valuable insights. Measure metrics such as click-through rates, reporting rates, and improvement over time. This data will help identify areas that require further attention and guide future security awareness initiatives.
  7. Do Maintain a Positive Learning Environment: Promote a supportive and non-punitive atmosphere throughout the internal phishing campaign. Encourage employees to report incidents without fear of retribution, emphasising that the goal is to enhance security practices rather than blame individuals.
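
To make the "track and analyse" step concrete, here is an added Python example (not code from the original post or from any phishing-simulation product) that aggregates the metrics the list above names from a raw campaign event log. The event record layout (campaign, user, event type, ISO timestamp) and the sample rows are constructed for illustration; a real simulation platform will export its own schema. Beyond click and report rates, it also counts users who reported without ever clicking and the median minutes from delivery to report, two signals that say more about awareness than click rate alone, and it compares two rounds so that improvement over time can be measured.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional, Tuple

# Constructed sample event log (hypothetical format). Each record is
# (campaign, user, event, timestamp). Event types assumed here:
# "delivered", "clicked", "submitted" (data entered on landing page), "reported".
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = (
    [("Q1", f"u{i}", "delivered", "2024-02-05T09:00:00") for i in range(1, 11)]
    + [
        ("Q1", "u1", "clicked", "2024-02-05T09:03:00"),
        ("Q1", "u1", "submitted", "2024-02-05T09:04:00"),
        ("Q1", "u2", "clicked", "2024-02-05T09:07:00"),
        ("Q1", "u2", "clicked", "2024-02-05T09:08:00"),  # repeat click, counted once
        ("Q1", "u2", "submitted", "2024-02-05T09:09:00"),
        ("Q1", "u3", "clicked", "2024-02-05T09:05:00"),
        ("Q1", "u3", "reported", "2024-02-05T09:45:00"),  # reported after clicking
        ("Q1", "u4", "clicked", "2024-02-05T09:20:00"),
        ("Q1", "u5", "reported", "2024-02-05T09:10:00"),  # reported without clicking
        ("Q1", "u6", "reported", "2024-02-05T09:30:00"),
    ]
    + [("Q2", f"u{i}", "delivered", "2024-05-06T09:00:00") for i in range(1, 11)]
    + [
        ("Q2", "u1", "clicked", "2024-05-06T09:02:00"),
        ("Q2", "u1", "submitted", "2024-05-06T09:03:00"),
        ("Q2", "u2", "clicked", "2024-05-06T09:04:00"),
        ("Q2", "u2", "reported", "2024-05-06T09:40:00"),
        ("Q2", "u3", "reported", "2024-05-06T09:05:00"),
        ("Q2", "u4", "reported", "2024-05-06T09:08:00"),
        ("Q2", "u5", "reported", "2024-05-06T09:12:00"),
        ("Q2", "u6", "reported", "2024-05-06T09:20:00"),
    ]
)


@dataclass(frozen=True)
class CampaignMetrics:
    delivered: int
    clicked: int
    submitted: int
    reported: int
    reported_without_click: int          # reported the mail and never clicked
    median_minutes_to_report: Optional[float]

    def _rate(self, n: int) -> float:
        return round(n / self.delivered, 3) if self.delivered else 0.0

    @property
    def click_rate(self) -> float:
        return self._rate(self.clicked)

    @property
    def submit_rate(self) -> float:
        return self._rate(self.submitted)

    @property
    def report_rate(self) -> float:
        return self._rate(self.reported)


def compute_metrics(events) -> Dict[str, CampaignMetrics]:
    """Aggregate per-campaign metrics. Users are counted once per event type,
    so repeat clicks or duplicate reports do not inflate the rates."""
    per_campaign = defaultdict(lambda: defaultdict(set))  # campaign -> event -> {user}
    delivered_at: Dict[Tuple[str, str], datetime] = {}
    reported_at: Dict[Tuple[str, str], datetime] = {}
    for campaign, user, event, ts in events:
        when = datetime.fromisoformat(ts)
        per_campaign[campaign][event].add(user)
        if event == "delivered":
            delivered_at[(campaign, user)] = when
        elif event == "reported":
            reported_at.setdefault((campaign, user), when)  # first report counts
    result: Dict[str, CampaignMetrics] = {}
    for campaign, by_event in per_campaign.items():
        clicked, reported = by_event["clicked"], by_event["reported"]
        minutes = [
            (reported_at[(campaign, u)] - delivered_at[(campaign, u)]).total_seconds() / 60
            for u in reported
            if (campaign, u) in delivered_at
        ]
        result[campaign] = CampaignMetrics(
            delivered=len(by_event["delivered"]),
            clicked=len(clicked),
            submitted=len(by_event["submitted"]),
            reported=len(reported),
            reported_without_click=len(reported - clicked),
            median_minutes_to_report=median(minutes) if minutes else None,
        )
    return result


def compare_rounds(before: CampaignMetrics, after: CampaignMetrics) -> Dict[str, float]:
    """Change in each rate between two rounds (fraction of delivered mails).
    Falling click/submit rates and a rising report rate indicate improvement."""
    return {
        "click_rate_delta": round(after.click_rate - before.click_rate, 3),
        "submit_rate_delta": round(after.submit_rate - before.submit_rate, 3),
        "report_rate_delta": round(after.report_rate - before.report_rate, 3),
    }


if __name__ == "__main__":
    metrics = compute_metrics(SAMPLE_EVENTS)
    for name, m in metrics.items():
        print(name, m, "click", m.click_rate, "report", m.report_rate)
    print("Q1 -> Q2:", compare_rounds(metrics["Q1"], metrics["Q2"]))
```

Reporting these numbers per campaign rather than per person is what keeps the exercise non-punitive: the organisation can see that the report rate rose and the median time to report fell between rounds without anyone being singled out.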

The Don’ts:

  1. Don’t Create Highly Sophisticated Scenarios: While realistic phishing scenarios are essential, avoid crafting highly sophisticated or malicious campaigns that may cause unnecessary panic or confusion among employees. Strike a balance between realism and education, without causing undue distress.
  2. Don’t Use Genuine Personal or Sensitive Information: Never include genuine personal or sensitive information in phishing campaigns. Instead, simulate scenarios without compromising employee privacy. Focus on educating employees about the tactics and techniques used by real attackers.
  3. Don’t Shame or Single Out Employees: The purpose of an internal phishing campaign is not to shame or single out individuals but to raise awareness and improve security practices across the organisation. Maintain a positive and constructive approach throughout the campaign.
  4. Don’t Neglect Post-Campaign Support: Provide post-campaign support to employees who interacted with the phishing scenarios. Offer resources, guidance, and additional training materials to help them understand the red flags and reinforce best practices. Encourage open communication and address any concerns or questions.
  5. Don’t Rely Solely on Phishing Campaigns: Internal phishing campaigns are just one aspect of a comprehensive security awareness program. Supplement them with regular training sessions, ongoing communication, and other educational initiatives to ensure continuous learning and reinforcement.
  6. Don’t Forget to Iterate and Improve: Use the insights gained from the internal phishing campaign to iterate and improve your security practices. Regularly assess your organisation’s progress, identify areas for enhancement, and adapt your strategies accordingly. Continuous improvement is key to maintaining a strong security posture.


Internal phishing campaigns are valuable tools for assessing internal security awareness, identifying vulnerabilities, and reinforcing a culture of cybersecurity within organisations. By adhering to the do’s and don’ts outlined in this blog post, companies can conduct successful internal phishing campaigns that educate employees, improve security practices, and strengthen their overall defence against cyber threats. Remember, the focus is on fostering a supportive learning environment and empowering employees to become the first line of defence against phishing attacks.
