Overview

Objectives

• Run a consent-based exercise that measures click and report rates

• Test how message themes and layouts affect behavior

• Provide constructive feedback and training resources

• Improve processes without shaming participants

Prerequisites

• Approval, scope, and informed consent

• A safe landing page that records only event telemetry

• An environment for sending controlled simulation messages

Implementation

1. Scope and ethics

• Defined success measures with stakeholders: open, click, and report rates.

• Captured explicit consent and clarified that no real credentials would be stored.

2. Scenario design

• Crafted realistic but benign themes, example security notice or payroll update.

• Aligned branding and layout while keeping clear post-exercise disclosures.

3. Safe landing page

• Deployed a mock login page in a sandbox that logged only page visits and form submit attempts without storing secrets.

• Added an education screen after interaction that explained indicators and next steps.

4. Controlled send

• Sent to a small pilot group first to validate telemetry and messaging.

• Expanded to the full consented group and monitored in near real time.

5. Debrief and training

• Shared anonymized results and highlighted common red flags.

• Provided quick guides and encouraged one-click reporting habits.

Outcomes

• Baseline of user behavior with clear improvement targets

• Positive culture around reporting rather than blame

• Measurable uplift in report rate during follow-ups

Skills demonstrated

• Social engineering simulation design with strong guardrails

• Behavioral metrics analysis and education design

• Stakeholder communication and change management