Phishing Simulation Campaigns: A Complete Overview

Most organizations know they should be testing their employees against phishing. Far fewer do it in a way that actually drives improvement. A single annual email blast with a generic password-reset lure tells you almost nothing useful, and it certainly does not prepare a workforce for the varied, targeted attacks they will face in practice. empowsec phishing simulation campaigns are designed to close that gap: they deliver realistic lures, capture precise per-recipient behavior, and turn every interaction into actionable data that feeds training, risk scoring, and reporting.
This article walks through how campaigns work inside empowsec, from setup and targeting through to results and the remedial steps that follow.
Building a Campaign: Templates, Language, and Recipients
Every phishing simulation campaign starts with choosing a template from the empowsec phishing template library. The library contains reusable email templates covering a wide range of real-world lure scenarios, and importantly, each template can carry translations for multiple languages. That means a single campaign configuration can deliver the lure to each recipient in their own language rather than forcing everyone to read an email in a language they may not work in every day.
When you configure a campaign you choose whether to fix a single language for all recipients or to inherit each user's own language preference. The latter is the better choice for any organization with a multilingual workforce, because realism matters: a German-speaking employee who only ever receives phishing lures in English is being tested on a condition that does not match how real attacks reach them.
Targeting is equally flexible. You can select recipients by department, by user group, or by demographic criteria, giving you the ability to focus a campaign on a specific team or roll it out organization-wide. There is also an option to automatically include new users who join while the campaign is running, which is important for longer or recurring programs where onboarding should not create gaps in coverage.
What Gets Tracked and Why It Matters
empowsec tracks five distinct recipient behaviors for every simulated email: whether the email was opened, whether the recipient clicked the link in the message, whether they submitted data on the simulated landing page, whether they replied to the email, and whether they reported it as suspicious. Each of these events carries a different signal about risk and awareness.
Opening an email is the weakest signal - it may simply mean the preview pane rendered. A click is far more meaningful, indicating the recipient was convinced enough by the lure to act on it. A form submission is the highest-risk behavior, meaning the employee went all the way to entering credentials on a fake login page. Reporting, on the other hand, is the positive outcome you want to see increase over time: it means the employee recognized something was wrong and acted correctly.
This per-recipient granularity is what separates a useful simulation from a vanity metric. A campaign click rate tells you how a group performed. The per-recipient record tells you exactly who needs help, what kind of lure caught them, and in what context.
Automated Remedial Training After a Failure
One of the most important features of the empowsec campaign engine is what happens immediately after a failure. When a recipient clicks the simulated link or submits data on the landing page, the platform can automatically assign a remedial training module to that person without any manual intervention from an administrator. The training assignment happens at the moment of failure, capturing the teachable moment while the experience is still fresh.
This automatic remediation is not limited to clicks and submissions. empowsec can also assign training when a recipient replies to a simulated phishing email, another high-risk behavior that suggests they were taken in by the scenario. The combination of realistic simulation and immediate, targeted follow-up is far more effective than delivering generic training weeks after the fact.
The debrief is a separate but complementary mechanism: after the campaign ends, empowsec can send each participant an educational message explaining the red flags they should have spotted, regardless of how they performed. This closes the loop for everyone, not just those who failed.
How Campaign Results Feed Risk Scoring and Reporting
Every behavior captured during a campaign does not stay siloed in the campaign view. The events flow directly into empowsec's risk scoring engine, which builds and maintains a risk score for every individual employee. Negative events like clicking or submitting raise the score; positive events like reporting lower it. This means that over time, your phishing simulation program is continuously feeding a picture of human risk across your organization.
That picture surfaces in the reporting dashboards, where you can view results filtered by individual, by department, or across the whole company. You can see which departments have the highest click rates, track how those rates change over successive campaigns, and identify whether your training investment is translating into measurable behavioral improvement. For IT managers and CISOs, this is the evidence layer that turns security awareness from a cost center into a demonstrable risk-reduction program.
The data is also available through the empowsec API, so organizations that want to pull phishing results into a SIEM, a BI tool, or a compliance reporting workflow can do so without manual exports.
What This Means for Your Team
- Realistic, multilingual lures match the actual threat landscape your workforce faces, not a lowest-common-denominator template.
- Flexible targeting by department, group, or demographic means campaigns can be broad or surgical depending on your goals.
- Five tracked behaviors per recipient give you granular data that supports both individual follow-up and organization-level analysis.
- Automatic remedial training on failure captures the teachable moment without requiring manual admin steps.
- Results feed risk scoring so phishing simulation data compounds over time into an accurate picture of organizational risk.
- API access lets campaign data flow into existing BI, SIEM, or compliance reporting tooling.


