Catch & Learn: Designing Simulations That Teach

Estimated reading time: Approximately 15 min.
 

Phishing simulations are a powerful tool for fostering cybersecurity awareness, when done right. This guide will give you the knowledge you need to design simulations that encourage learning and build skills. You will learn:

  • The importance of using simulations as motivational tools ("the carrot, not the stick").
  • Techniques for designing simulations that genuinely teach participants.
  • How to think like a hacker to create realistic and impactful scenarios.
  • How to select compelling topics for simulations.
     

Not familiar with the Simulation Editor? Read more about it in this article.

Just want the how-to? Read this practical article on how to create custom simulations in the editor.

Contents

  1. Part 1: How to Design Phishing Simulations That Work
    1. Introduction
  2. Part 2: Best Practices: Design Phishing Simulations That Teach
    1. Apply The Hacker Mindset
    2. How to Design Effective and Convincing Simulations
    3. Choosing Topics for Your Simulations


Introduction: Building the Psychological Base For Success

Psychological safety, a shared belief that it’s safe to take interpersonal risks [1], is a critical factor in creating effective phishing simulation training. When employees feel psychologically safe, they’re more likely to engage with training honestly, admit mistakes, and ask questions, all of which are essential for learning.

Psychological safety is also a top predictor of high-performing teams [2]. Without it, phishing simulations can provoke fear, embarrassment, or shame, which may discourage participation and reduce long-term effectiveness.

By designing simulations that treat mistakes as learning opportunities, organizations can build a culture of trust and continuous improvement—fostering stronger security behaviors across the board.

 

Make Simulations the Carrot, Not the Stick

Phishing simulation training is a valuable tool for building awareness and resilience against email phishing attacks. However, to be truly effective, it must be framed as an opportunity to learn, not as a way to catch people out.

When creating phishing simulation content, it’s essential to adopt a mindset of encouragement over punishment. The goal is not to catch employees off guard, but to help them grow their awareness and confidence in identifying threats—safely and supportively.

Design simulation messages that are realistic but not deceptive to the point of causing embarrassment or stress. Scenarios should educate, not trick. They should gently challenge users' instincts while reinforcing key learning points.

We encourage our admins to position phishing simulations as part of a broader learning journey, not a test with penalties. Celebrate successful detection and create a culture where curiosity and vigilance are rewarded!

 

Best Practices: Design Phishing Simulations that Help Employees Learn

To apply psychological safety in phishing simulation design, start by clearly communicating that simulations are learning tools—not tests meant to punish.

Avoid themes that might feel too personal, alarming, or invasive. Use neutral, professional language and steer clear of emotionally charged topics.

Build simulations around everyday situations to help normalize awareness without creating fear. For example, simulate delivery updates, meeting reminders, or internal announcements: common enough to be relevant, but generic enough to avoid personal sensitivities. Avoid targeting specific individuals or roles with overly sensitive topics.

 



Apply the Hacker Mindset

When creating security awareness training emails, adopting the "hacker mindset" means viewing scenarios from the attacker’s perspective—they ask, “How does this work?” and “Where can I find a gap or a flaw?” It’s like being a detective but focused on discovering vulnerabilities that others might miss. Adopting the ‘hacker mindset’ will help you design phishing simulations that cater to your organization’s weakest points–and bring the best results in improving your security posture!

 

To apply the ‘hacker mindset’ in simulation design, ask yourself:

  • What do I want to achieve?
  • How can I profit from this scenario?
  • What's my objective or motive?

 

What are the most common motives of malicious actors? 

  • Economic gain (most common motive)
  • Espionage
  • Curiosity, fun, or pleasure
  • Publicity or ego-boosting
  • Manipulation, revenge, or destruction
  • Hacktivism, nationalism, radicalism, religious, or political motives

     

Call to Action and Emotional Triggers
  • Include links to (simulated) malicious resources and ask the recipient to click or visit the link.
  • Include attachments and ask the recipient to open the attachment.
  • Always include one or more emotional triggers to influence the recipient to act on the email.
  • Always give the user a reason to act on your email.

 

How to Design Effective and Convincing Simulations

When developing simulations, one of the most important aspects is the social engineering. Social engineering is a tactic where attackers manipulate individuals into revealing confidential information or granting access by exploiting trust and human psychology. It targets people rather than technical vulnerabilities to breach security.

There must be something in your phishing simulation message that encourages the user to act, rather than simply disregarding the message as spam. Include something to catch the user’s interest in the subject line, and consider adding a prompt to action in the message body, such as “update your bank information within 3 business days”. When designing simulations, your goal is to make the user act, either by reporting the message or by failing the simulation. In the next section, we’ll dive deeper into what ‘failure’ actually means.


Decide the fail method of your message

When planning the simulation, you should also think about what qualifies as a ‘failed’ simulation. Will the simulation have a fail link, an attachment, or maybe a landing page? The fail method depends entirely on what the message is about and what the so-called attacker is trying to achieve with the attack. The way to fail the simulation should follow logically from the content of the message itself, so that it mimics real-world tactics realistically.

For example, if the email claims to be from HR sharing updated policies, it would be natural for the fail action to be opening a malicious PDF attachment—rather than clicking a link—since that's what you'd expect in a legitimate scenario.

When you have decided on the topic and the fail method, and you know the subject line, sender address and sender name, you can start the development process.

Include the fail link early in your simulation message. The simulation will likely have a higher miss rate if the fail link is placed after a long paragraph of text. Instead, include the link early and put any additional text after it, so the prompt to act appears soon after your recipient opens the message.

Example: It’s more effective to add the fail link as a masked URL that looks like a legitimate website, rather than adding a “click here” link. Try writing your phishing simulation as if it were legitimate: most people tend to simply copy and paste a URL into the message body, rather than taking the time to format it to say “Click here”.

Make Your Message Convincing

Familiar elements, such as your company logo, colors, names, people and services, make simulations convincing. These elements help the user lower their guard and perhaps do something they are not supposed to do without thinking about it too much.

Your goal is to prompt action, and familiarity is a key step in this process. The simulation must be something that will catch the eye of the user, even if they have multiple unopened messages in their inbox! We strongly suggest considering this already when thinking about the subject of your simulation.

What about things you should avoid when designing simulations? Here are some common factors of unsuccessful messages:

  • The body text is long.
  • The fail link is “hidden” in the text of the email body and doesn’t stand out.
  • The user doesn’t understand what the message is about, for example because of complex terminology. This is most common with simulations that have a more technical theme.
  • The message requires the user to do something time-consuming, such as reading through new policies or answering a long survey.

Make Your Message Interesting

Keep in mind that your phishing simulation has to keep the user’s interest throughout the message. The best way to achieve this is to keep the message short and to the point. If the simulation is a targeted message, the content should be relevant to the receiver, whether that is a specific job function, country, or market.

Typical phishing messages rely on invoking some emotion in the user, e.g. curiosity, fear, or anger; the more extreme the emotion, the more effective the phish. When doing simulations, it is still good to remember that our simulations are for educational purposes. They should never be too triggering or cause strong feelings of fear or anxiety. Also remember that we don’t want the end user to act in a way that may cause them harm if they don’t realize the message is a simulation. For example, be careful with credit card related topics, so the user won’t go and cancel their card if they act before realizing it’s part of the training.

Choosing Topics for Your Simulations

When selecting topics for your initial phishing simulations, it’s important to focus on scenarios that are relevant and realistic for your organization. Consider your industry-specific risks as well as recent threats reported in the news or by your security team. Choosing topics that reflect real-world risks helps employees recognize and respond to actual phishing attempts, making the training more effective and impactful from the start. To help you get started, our experts have put together lists of topics to try and some topics to avoid.

[Screenshot: lists of simulation topics to try and topics to avoid]


Set the Right Difficulty 

Last but not least, you should consider the difficulty of your simulation design. The Hoxhunt platform ranks simulations on a four-tier scale from easy to expert, and uses an algorithm to send users simulations that match their skill levels and performance on their learning path. Matching the difficulty to your recipients’ skill and knowledge level is crucial for an effective learning experience, so here are some guidelines on what we consider easy or expert-level simulations:

Easy simulations contain clear and commonly known signs of phishing, such as unrelated domains or generic greetings. 

Intermediate simulations add some challenge, such as using an email alias or user email and generic domains. 

Hard and expert simulations ramp up the challenge. They are more relevant to the recipient, and can include coworker impersonations and more relevant domains, for example. 

You can refer to these guidelines when designing your own simulations to make sure they offer just the right amount of challenge to your target audience. 
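As an added example (not part of the original article, and not the Hoxhunt platform’s own ranking algorithm), the following Python script reviews a draft simulation against the difficulty tiers and the content guidelines described above: it classifies the sender domain, maps the draft onto the easy / intermediate / hard / expert scale, and flags long bodies, sensitive topics and a fail method that does not match the message. The organisation domain, the greeting and topic lists, the word-count limit, the exact hard/expert split and the sample drafts are all constructed assumptions.

```python
"""Pre-flight review of a phishing-simulation draft.  Added example: the tier
mapping, thresholds and word lists below are this example's own assumptions,
not the Hoxhunt platform's ranking algorithm."""
from dataclasses import dataclass
import re

ORG_DOMAIN = "example-corp.com"  # constructed organisation domain (assumption)
# Article signals: unrelated domains / generic greetings mark an easy simulation,
# generic mail domains an intermediate one.  The lists themselves are assumed.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear sir/madam", "hi there")
GENERIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# The article singles out credit-card topics; the rest is a constructed placeholder.
SENSITIVE_TOPICS = ("credit card", "card number", "medical", "salary")
MAX_BODY_WORDS = 120  # assumed cut-off for "the body text is long"


@dataclass
class SimulationDraft:
    subject: str
    sender_address: str
    body: str
    fail_method: str  # "link", "attachment" or "landing_page"
    impersonates_coworker: bool = False


@dataclass
class Review:
    difficulty: str
    warnings: list


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away from the org label counts as a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_kind(sender_address: str, org_domain: str = ORG_DOMAIN) -> str:
    """Classify the sender domain: 'internal', 'generic', 'lookalike' or 'unrelated'."""
    domain = sender_address.rsplit("@", 1)[-1].lower()
    if domain == org_domain:
        return "internal"
    if domain in GENERIC_MAIL_DOMAINS:
        return "generic"
    org_label, label = org_domain.split(".")[0], domain.split(".")[0]
    if org_label in label or _edit_distance(label, org_label) <= 1:
        return "lookalike"
    return "unrelated"


def rate_difficulty(draft: SimulationDraft, org_domain: str = ORG_DOMAIN) -> str:
    """Map a draft onto the easy / intermediate / hard / expert scale."""
    kind = domain_kind(draft.sender_address, org_domain)
    if kind == "unrelated" or any(g in draft.body.lower() for g in GENERIC_GREETINGS):
        return "easy"
    if kind == "generic":
        return "intermediate"
    # Lookalike or internal domain: coworker impersonation on top of it is
    # treated as expert (this hard/expert split is an assumption).
    return "expert" if draft.impersonates_coworker else "hard"


def review_draft(draft: SimulationDraft, org_domain: str = ORG_DOMAIN) -> Review:
    """Rate difficulty and flag the content problems the article warns about."""
    warnings = []
    words = len(draft.body.split())
    if words > MAX_BODY_WORDS:
        warnings.append(f"body is {words} words; long bodies lower engagement")
    text = f"{draft.subject} {draft.body}".lower()
    warnings += [f"sensitive topic '{t}': recipient may act before realising it is training"
                 for t in SENSITIVE_TOPICS if t in text]
    has_url = re.search(r"https?://\S+", draft.body) is not None
    if draft.fail_method == "link" and not has_url:
        warnings.append("fail method is a link but the body contains no URL")
    if draft.fail_method == "attachment" and has_url:
        warnings.append("fail method is an attachment but the body also carries a URL")
    return Review(rate_difficulty(draft, org_domain), warnings)


# Constructed sample drafts (not real messages) covering three tiers.
SAMPLE_DRAFTS = {
    "parcel": SimulationDraft(
        "Your parcel could not be delivered", "noreply@parcel-tracking.net",
        "Dear customer, we could not deliver your package. Reschedule at "
        "https://parcel-tracking.net/reschedule within 2 days.", "link"),
    "policy": SimulationDraft(
        "Updated travel policy", "hr@examp1e-corp.com",
        "Hi Anna, the updated travel policy is in the attached PDF. Regards, HR",
        "attachment"),
    "favour": SimulationDraft(
        "Quick favour", "maria.lopez@example-corp.com",
        "Hi Anna, can you confirm the company credit card details on the booking "
        "portal so I can finish the team lunch reservation?", "landing_page",
        impersonates_coworker=True),
}

if __name__ == "__main__":
    for name, draft in SAMPLE_DRAFTS.items():
        result = review_draft(draft)
        print(f"{name}: {result.difficulty}; warnings: {result.warnings or 'none'}")
```

Run as a script, the parcel draft rates easy with no warnings, the lookalike-domain HR draft rates hard, and the coworker draft rates expert while being flagged for its credit-card topic, which is exactly the kind of message the article says to handle with care. Swap in your own organisation domain and topic policy before using it on real drafts.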


References

1. Edmondson, A. C. (1999). Psychological safety and learning behavior in work teams. Administrative Science Quarterly, 44(2), 350–383. https://doi.org/10.2307/2666999

2. Duhigg, C. (2016, February 25). What Google learned from its quest to build the perfect team. The New York Times Magazine. https://www.nytimes.com/2016/02/28/magazine/what-google-learned-from-its-quest-to-build-the-perfect-team.html
