---
name: phishing-sim-campaign-planner
description: Design a quarter-long phishing-simulation campaign with escalating difficulty, role-tailored lures, debrief pack, metrics plan, and a red/amber/green reporting rubric that drives behaviour change instead of shaming users.
version: 1.0.0
author: VantagePoint Networks
author_url: https://www.vpnetworks.co.uk
audience: IT Managers, Security Awareness Leads, CISOs, HR partners, MSP security consultants
output_format: Formatted Markdown plan with 12-week schedule, template lure copy, targeting rules, debrief scripts, reporting rubric, and ethical guardrails.
license: MIT
last-reviewed: 2026-04
---

# Phishing Simulation Campaign Planner

A Claude Code skill for designing a phishing simulation programme that actually improves behaviour over a quarter — rather than a single annual tick-box exercise that creates resentment and teaches nothing.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS/Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. In Claude Code, run `/phishing-sim-campaign-planner`. Describe your organisation and goals. Answer the clarifying questions. Receive a campaign plan.

## When to use this

- You've run ad-hoc phishing tests and want to move to a structured programme.
- Your insurer or client has asked for evidence of a phishing-awareness programme with metrics.
- You want to drive down click-through rates from an embarrassing number to a defensible one.
- You're launching Cyber Essentials Plus or ISO 27001 and need demonstrable awareness training.
- You're an MSP building a service offering for your SMB clients.

## What you'll get

A single Markdown document containing:

- **12-week schedule** (increasing difficulty, themed, role-targeted)
- **Lure templates** (6-8 variants — invoice, HR, IT password, CEO, delivery, MFA push fatigue, SaaS login)
- **Role targeting matrix** (partners, finance, general, new joiners, privileged)
- **Ethical guardrails** (what you don't do, how you handle failures)
- **Debrief pack** (instant debrief for click-throughs, weekly team debrief, monthly leadership report)
- **Metrics plan** (click rate, report rate, time-to-report, repeat-clicker tracking)
- **Reporting rubric** (RAG status per department, trend analysis)
- **Comms pack** (announcement, quarterly report, end-of-programme report)
- **Year-2 planning hooks**

## Clarifying questions I will ask you

1. **Organisation size and sector?**
2. **Existing phishing-sim tool?** (KnowBe4, Proofpoint, Microsoft Attack Simulator, Vade, other, none)
3. **Previous campaign metrics?** (baseline click / report rates)
4. **Regulatory / insurance driver?**
5. **Which roles are highest-risk targets for real attackers?** (finance, executive assistants, partners, HR)
6. **Any groups to exclude?** (executives, recently bereaved, protected categories)
7. **Tone preference?** (strict — firm house rules; coaching — education-focused; mixed)
8. **Who runs the programme day-to-day?**
9. **How do you currently handle a repeat-clicker?** (no process, coaching, escalation)
10. **Known recent real phishing attempts?** (replicate those lures for targeted training)
11. **Timing constraints?** (avoid month-end for finance, exam periods, industry events)
12. **Budget / licence model?**

## Output template

```markdown
# Phishing Simulation Campaign — <firm> — <quarter/year>

**Owner:** <role> · **Tool:** <tool> · **Period:** <start date> to <end date>
**Users in scope:** <N> across <N> departments
**Exclusions:** <named groups, for documented reasons>

## 1. Campaign Objectives
1. **Reduce overall click rate** from baseline <N>% to <target>%.
2. **Increase report rate** (users reporting suspicious emails) from <N>% to <target>%.
3. **Reduce time-to-report** from <N> hours to <target>.
4. **Eliminate repeat-clickers** (users clicking in 3+ consecutive campaigns).
5. **Calibrate training** to roles and specific threat patterns seen in real traffic.

## 2. Ethical Guardrails (non-negotiable)
- No lures that exploit bereavement, illness, personal finances, pregnancy announcements, or similar.
- No lures that could cause lasting distress (fake job offers, fake redundancies).
- No public shaming. Debriefs are private.
- Failures don't carry HR consequences on first click. Programme goal is behavioural change, not punishment.
- Tests are never performed during genuine high-stress periods (active incident, audit week, significant bereavement at firm).
- Executives are included (no opt-outs — they're the highest-value real targets).

## 3. Twelve-Week Schedule
| Week | Lure type | Difficulty | Target population | Debrief focus |
|---|---|---|---|---|
| 1 | Announcement (no test — comms only) | — | All | Set expectations, describe programme |
| 2 | Generic IT password reset | Easy | All | "Check sender, hover link" basics |
| 3 | Delivery notification (DHL / Royal Mail) | Easy | General | Urgency as a tell |
| 4 | Microsoft 365 MFA-request spoof | Medium | All | MFA push fatigue awareness |
| 5 | Shared document notification (fake SharePoint) | Medium | General + Finance | Verifying document-share source |
| 6 | HR payroll enquiry | Medium | Finance + HR | Sender impersonation |
| 7 | CEO-to-CFO wire request | Hard | Finance + EAs | Business Email Compromise patterns |
| 8 | Vendor invoice with payment-redirect | Hard | Finance | Change-of-bank verification |
| 9 | Legal / contract-review document | Hard | Partners / Legal | Role-specific pretexting |
| 10 | Mid-campaign results briefing | — | All | Share results, praise reporters |
| 11 | LinkedIn notification with credential harvest | Hard | All | Social-network lures |
| 12 | End-of-campaign leadership report + all-staff summary | — | All | Celebrate improvements |

## 4. Lure Templates
Each template specifies: sender, subject, body, link/attachment, expected give-aways, what the user should have spotted.

### Template L1: Password Reset (Easy)
- **Sender name:** IT Support
- **Sender address:** it-support@<slight typo>-<org-domain>.com
- **Subject:** Password expiring today — action required
- **Body:** "Your password will expire in 24 hours. Click here to renew. If you don't renew, your account will be locked at midnight. Regards, IT Support."
- **Give-aways:** typo in sender domain, non-specific greeting, urgency, unexpected out-of-hours timing.

(Continues — 8 templates total.)

## 5. Role Targeting Matrix
| Role | Primary threat patterns in real world | Lure types tested | Additional training |
|---|---|---|---|
| Partners / Directors | Legal / contract pretexting, CEO impersonation outbound | L7, L9 | Quarterly briefing |
| Finance & Payroll | Invoice redirect, BEC | L6, L7, L8 | Annual BEC deep-dive |
| EAs / Admin | Calendar phishing, delegated-inbox abuse | L4, L7 | Sender-verification masterclass |
| General staff | SaaS login, shared document | L2, L4, L5 | Induction + annual refresher |
| New joiners | Onboarding / welcome pack lures | — (first 30 days: real training, no tests) | Induction module |
| IT / Privileged | All the above + technical lures (SSH key, API token) | L11 + custom | Biannual deep-dive |

## 6. Debrief Pack
### Instant debrief (shown when someone clicks / enters credentials)
> "This was a simulated phishing test. You clicked through / entered credentials. No harm done. Here are the three things that should have tipped you off:
> 1. <specific give-away in this lure>
> 2. <specific give-away>
> 3. <specific give-away>
>
> Thanks for helping us improve. There's no record of this in any HR file. Want 2 minutes on what to look for next time? <link>"

### Weekly team debrief (optional, by manager)
A short five-minute slot in the regular team meeting. Results are shared anonymised at team level, never at individual level.

### Monthly leadership report
- Overall click rate
- Report rate (who reported it promptly?)
- Top teams for improvement (leaderboard by reports, not by fails)
- Themes of successful lures (what still gets people)
- Roadmap for next month

## 7. Metrics Plan
| Metric | Baseline | Target | Measurement |
|---|---|---|---|
| Click rate | | ≤ 5% | Per campaign |
| Report rate | | ≥ 40% | Per campaign |
| Time-to-report (median) | | ≤ 5 min | Per campaign |
| Repeat-clicker count | | 0 | Cumulative over programme |
| "Fail-then-report" rate (clicked then reported) | | ≥ 30% | Per campaign |
| Real-phish reports / quarter | | ≥ <N> | Quarterly |

## 8. RAG Reporting Rubric
| Status | Click rate | Report rate | Action |
|---|---|---|---|
| 🟢 Green | ≤ 5% | ≥ 40% | Maintain, increase difficulty |
| 🟡 Amber | 5-15% | 20-40% | Targeted refresher training for affected teams |
| 🔴 Red | > 15% | < 20% | Programme review; compulsory training; consider escalation patterns |

## 9. Repeat-Clicker Handling
- **1st click in 12 months:** Instant debrief + optional 10-min training module. No record to HR.
- **2nd click in 12 months:** 1:1 coaching session with <IT lead / champion>. Manager informed but not HR.
- **3rd+ click in 12 months:** Written record; role-specific training required; follow-up test in 30 days. HR informed only if role accesses highly sensitive data.
- No termination consequence for phishing-sim failures alone. Documented in policy.

## 10. Comms Pack

### Programme announcement (Week 1)
> "Over the next quarter, you'll receive simulated phishing emails from us. If you spot one, report it. If you click, no harm done — you'll get a short debrief and we'll all get smarter together. This is a learning programme, not a gotcha. Questions: <contact>."

### Mid-quarter update (Week 6)
> "Six weeks into our phishing programme. Overall click rate is <N>% (down from <N>%). Report rate is <N>% (up). Well done to <team> for the highest report rate. We'll continue the programme through <date>."

### End-of-quarter report (Week 12)
> "Our quarterly phishing programme is complete. Key outcomes: click rate <N>% (vs target <N>%), report rate <N>%, <N> repeat-clickers (down from <N>), time-to-report median <N> minutes. Three lessons for the next quarter: <>, <>, <>. Thanks to everyone who reported promptly."

## 11. Year-2 Planning Hooks
- Increase baseline difficulty across the board
- Add role-specific custom lures based on real threats seen in the year
- Add vishing (phone) and smishing (SMS) where tool supports
- Introduce a "champion" network for peer support
- Link to real incident reporting channel for muscle memory
```
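The scoping rules in the template (section 2 exclusions, the section 3 schedule's target populations, section 5's "first 30 days: real training, no tests" for new joiners, and the timing note about avoiding month-end for finance) are easy to state and easy to get wrong when a campaign is actually sent. The following is an added example, not the planner's own code and not any simulation tool's API, showing how a programme owner might encode those rules to build and document a send list. The population labels, the `User` record, the three-day month-end blackout window and the sample users are all constructed assumptions for the example.

```python
"""Build the send list for one scheduled lure, applying the section-5 role matrix,
the section-2 exclusions and the month-end timing rule.
Added example with constructed data; not the planner's or any tool's own code."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Target populations per lure, transcribed from the section-3 schedule.
# "All" means every population; the population labels are this example's own.
LURE_POPULATIONS = {
    "L2": {"All"}, "L3": {"General"}, "L4": {"All"},
    "L5": {"General", "Finance"}, "L6": {"Finance", "HR"},
    "L7": {"Finance", "EA"}, "L8": {"Finance"},
    "L9": {"Partners", "Legal"}, "L11": {"All"},
}
NEW_JOINER_DAYS = 30          # section 5: first 30 days are training only, no tests
MONTH_END_BLACKOUT_DAYS = 3   # assumption: last 3 calendar days of a month = finance close


@dataclass(frozen=True)
class User:
    email: str
    population: str        # Partners, Finance, HR, EA, Legal, General, IT (example labels)
    start_date: date
    excluded: bool = False  # documented exclusion (question 6); executives are NOT excluded by default


def in_month_end_close(when: date) -> bool:
    """True during the last MONTH_END_BLACKOUT_DAYS calendar days of the month."""
    first_of_next = (when.replace(day=1) + timedelta(days=32)).replace(day=1)
    last_day = first_of_next - timedelta(days=1)
    return (last_day - when).days < MONTH_END_BLACKOUT_DAYS


def eligibility(user: User, lure: str, send_date: date) -> tuple[bool, str]:
    """Decide whether a user is in scope for this send, returning the reason either way."""
    if user.excluded:
        return False, "documented exclusion"
    if (send_date - user.start_date).days < NEW_JOINER_DAYS:
        return False, "new joiner: training only"
    pops = LURE_POPULATIONS[lure]
    if "All" not in pops and user.population not in pops:
        return False, "not in target population"
    if user.population == "Finance" and in_month_end_close(send_date):
        return False, "finance month-end blackout"
    return True, "in scope"


def build_send_list(users, lure: str, send_date: date) -> list[str]:
    """Addresses that will actually receive this week's lure."""
    return sorted(u.email for u in users if eligibility(u, lure, send_date)[0])


def scope_report(users, lure: str, send_date: date) -> dict[str, int]:
    """Counts per reason, for the campaign record (why someone was or was not tested)."""
    return dict(Counter(eligibility(u, lure, send_date)[1] for u in users))


# Constructed sample population (example.test addresses, fictitious start dates).
SAMPLE_USERS = [
    User("partner@example.test", "Partners", date(2015, 1, 5)),
    User("cfo@example.test", "Finance", date(2018, 3, 1)),
    User("ap-clerk@example.test", "Finance", date(2026, 1, 20)),   # joined 3 weeks ago
    User("ea@example.test", "EA", date(2020, 6, 1)),
    User("staff@example.test", "General", date(2021, 9, 1)),
    User("hr@example.test", "HR", date(2019, 2, 1), excluded=True),  # documented exclusion
]
QUIET_DATE = date(2026, 2, 10)      # mid-month send
MONTH_END_DATE = date(2026, 1, 30)  # inside the assumed finance close window

if __name__ == "__main__":
    for when in (QUIET_DATE, MONTH_END_DATE):
        print(when, "L7 ->", build_send_list(SAMPLE_USERS, "L7", when))
        print("   ", scope_report(SAMPLE_USERS, "L7", when))
```

Keeping the reason string alongside the decision matters more than it looks: when the insurer or auditor asks why a named group was never tested, the answer should come from the campaign record, not from memory. Note that a partner is only ever left out by the population filter of a specific lure, never by the `excluded` flag, which mirrors the "no opt-outs" guardrail in section 2.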

## Example invocation

**User:** "55-person London accountancy firm. Used KnowBe4 last year, ran 2 campaigns, ~28% click rate was embarrassing. Insurer is asking for a structured programme. Want to improve without upsetting partners."

**What the skill will do:**
1. Ask 12 questions, pressing on: what partner pushback looks like (typically "why am I getting tested?"), whether the 28% was uniform or concentrated in specific teams.
2. Produce a 12-week plan with graduated difficulty, including a targeted "CEO-to-CFO wire request" lure in week 7 tied to BEC patterns common in accountancy.
3. Include an ethical guardrail section explicitly stating executives participate (no opt-outs), framed so partners understand they're high-value targets for real attackers.
4. Set a realistic target: reduce click rate from 28% → 10% by end of quarter with a stretch goal of 5%.
5. Recommend tying the weekly debrief to the firm's regular Monday morning team stand-ups for low-friction integration.
6. Produce an insurance-audit artefact: a monthly leadership report with RAG status and a trend chart, ready to share with the carrier.
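The metrics in section 7, the RAG rubric in section 8 and the repeat-clicker tiers in section 9 are what the monthly leadership report is built from, so it is worth being precise about how each is computed. The following is an added example, not the planner's own code and not the export format of any named simulation tool, that derives those figures from constructed per-user telemetry (minutes from send to click and to report). Two choices are the example's own: a "repeat-clicker" is a user at the section-9 "3rd+ click" tier, counted within the programme rather than per the "3+ consecutive campaigns" wording of objective 4, and when click rate and report rate land in different RAG bands the worse band wins, since the rubric does not say how to resolve a split.

```python
"""Section-7 metrics, section-8 RAG banding and section-9 clicker tiers from
simulation telemetry. Constructed example data; not any real tool's output."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Event:
    user: str
    dept: str
    campaign: int                   # week number of the send
    clicked_min: Optional[float]    # minutes from send to click, None = no click
    reported_min: Optional[float]   # minutes from send to report, None = not reported


# RAG thresholds transcribed from the section-8 rubric, as fractions.
CLICK_GREEN, CLICK_AMBER = 0.05, 0.15
REPORT_GREEN, REPORT_AMBER = 0.40, 0.20
_RANK = {"green": 0, "amber": 1, "red": 2}


def campaign_metrics(events, campaign: int, dept: Optional[str] = None) -> dict:
    """Per-campaign metrics for the whole population or for one department."""
    sent = [e for e in events if e.campaign == campaign and (dept is None or e.dept == dept)]
    clicked = [e for e in sent if e.clicked_min is not None]
    reported = [e for e in sent if e.reported_min is not None]
    # "fail-then-report": clicked first, then reported it anyway (denominator = clickers)
    fail_then_report = [e for e in clicked
                        if e.reported_min is not None and e.reported_min >= e.clicked_min]
    return {
        "sent": len(sent),
        "click_rate": len(clicked) / len(sent) if sent else 0.0,
        "report_rate": len(reported) / len(sent) if sent else 0.0,
        "median_time_to_report_min": median(e.reported_min for e in reported) if reported else None,
        "fail_then_report_rate": len(fail_then_report) / len(clicked) if clicked else 0.0,
    }


def rag_status(click_rate: float, report_rate: float) -> str:
    """Band each rate per the rubric, then report the worse of the two (example's choice)."""
    click_band = "green" if click_rate <= CLICK_GREEN else "amber" if click_rate <= CLICK_AMBER else "red"
    report_band = "green" if report_rate >= REPORT_GREEN else "amber" if report_rate >= REPORT_AMBER else "red"
    return max(click_band, report_band, key=_RANK.get)


def department_rag(events, campaign: int) -> dict[str, str]:
    """RAG status per department for one campaign, as the rubric table is laid out."""
    out = {}
    for d in sorted({e.dept for e in events if e.campaign == campaign}):
        m = campaign_metrics(events, campaign, d)
        out[d] = rag_status(m["click_rate"], m["report_rate"])
    return out


def clicker_tiers(events) -> dict[str, int]:
    """Section-9 tier per user who has clicked: 1, 2 or 3 (3 = third or later click).
    Assumes every event supplied falls inside the same 12-month window."""
    clicks = Counter(e.user for e in events if e.clicked_min is not None)
    return {user: min(n, 3) for user, n in clicks.items()}


def repeat_clickers(events) -> list[str]:
    """Users at tier 3; the section-7 'repeat-clicker count' is the length of this list."""
    return sorted(u for u, tier in clicker_tiers(events).items() if tier == 3)


# Constructed telemetry for six users across campaigns 2, 3 and 4 (fictitious names).
SAMPLE_EVENTS = [
    Event("alice", "Finance", 2, 12.0, 15.0), Event("bob", "Finance", 2, None, 4.0),
    Event("carol", "Finance", 2, 30.0, None), Event("dave", "General", 2, None, None),
    Event("erin", "General", 2, 8.0, None),   Event("frank", "General", 2, None, 6.0),
    Event("alice", "Finance", 3, 20.0, None), Event("bob", "Finance", 3, None, 3.0),
    Event("carol", "Finance", 3, None, 10.0), Event("dave", "General", 3, None, None),
    Event("erin", "General", 3, 5.0, 40.0),   Event("frank", "General", 3, None, 2.0),
    Event("alice", "Finance", 4, 9.0, None),  Event("bob", "Finance", 4, None, 5.0),
    Event("carol", "Finance", 4, None, 7.0),  Event("dave", "General", 4, None, 3.0),
    Event("erin", "General", 4, None, None),  Event("frank", "General", 4, None, 4.0),
]

if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_EVENTS, 4)
    print("campaign 4:", m, "->", rag_status(m["click_rate"], m["report_rate"]))
    print("per department:", department_rag(SAMPLE_EVENTS, 4))
    print("tiers:", clicker_tiers(SAMPLE_EVENTS), "repeat-clickers:", repeat_clickers(SAMPLE_EVENTS))
```

Run against the sample data, campaign 4 is red overall on a single click in a population of six, which illustrates the note in this document about report rate: with four of six users reporting within minutes, the programme is working even though the headline click percentage looks alarming at this firm size. The per-department view, rather than the firm-wide number, is what belongs in the leadership report.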

## Notes for the requester

- **Don't test during month-end close for finance teams.** They're under pressure and you'll generate resentment, not learning.
- **Report rate matters more than click rate.** The goal is a culture where anything suspicious gets reported in 5 minutes. Click rate alone misses the "silent deleters" who neither click nor report.
- **Avoid humiliation.** No leaderboards by name. No shaming. Aggregate data at team level or better.
- **Executives must participate.** Real BEC attackers target them disproportionately. Real-world click rates among executives are often higher than general staff because of time pressure.
- **Use real lures from the past 90 days.** If your inbox saw a surge of DocuSign-lookalikes, that's week 5's lure.
- **Good looks like:** year 1 ends at ≤ 5% click rate, ≥ 40% report rate, programme is boring (no drama, everyone understands the rules), and the insurance questionnaire answers itself.

---
*VantagePoint Networks · <https://www.vpnetworks.co.uk> · Authored by Hak · Free under the MIT licence*
