If you only run one phishing simulation a year, you’re almost certainly under-testing your people.
Modern organisations face a constant stream of phishing emails. Technical controls like secure email gateways and spam filters help, but plenty still get through. That’s why security teams and regulators increasingly treat phishing simulations as an ongoing practice, not a once-a-year exercise.
At the same time, there is a limit. Test too often with poor-quality scenarios and you create fatigue and annoyance. The right frequency depends on your size, risk profile, and how mature your security culture is.
Below are practical benchmarks you can use, plus guidance on when to dial things up or down.
What does “good” look like for frequency?
Most mature programmes land somewhere between quarterly and monthly phishing simulations for the whole organisation, with extra targeted tests for higher-risk groups like finance, HR, and IT.
A simple way to think about it:
Quarterly is the bare minimum. Monthly is ideal. Anything more frequent should be targeted.
If you’re just getting started or worried about pushback, it’s fine to begin with quarterly campaigns and gradually increase as people get used to the rhythm.
Benchmarks by company size
Micro & small businesses (1–49 employees)
- Recommended: 4–6 simulations per year
- Better: Quarterly for everyone, plus an extra one or two for high-risk roles
Smaller teams often don’t have a full-time security function, so you want simulations that are simple to run and clearly tied to learning outcomes. A platform like RapidPhish’s phishing simulation features lets you run one-off, realistic campaigns without committing to complex annual contracts.
Small to mid-sized (50–249 employees)
- Recommended: 6–8 simulations per year
- Better: Every 1–2 months, with varied scenarios
At this size you’re big enough to be an attractive target, but still nimble enough to react quickly. Mixing generic campaigns (parcel scams, MFA prompts) with more tailored scenarios (finance approvals, HR logins) keeps staff engaged and improves real-world readiness.
Mid-market (250–1,000 employees)
- Recommended: 8–12 simulations per year (roughly monthly)
- Better: Monthly baseline plus a few “special” campaigns around high-risk periods
For example, you might add extra simulations during tax season, year-end finance cycles, or major internal system changes. Tracking trends over time becomes important here: are click rates and report rates improving quarter by quarter?
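To make the trend-tracking point concrete, here is a small Python script, written as an added example for this article rather than taken from it or from any vendor's product, that pools simulation results per quarter and classifies the quarter-on-quarter movement. The Campaign fields, the sample figures and the "improving / regressing / mixed" labels are all constructed assumptions; click rate is defined as clicks over delivered emails and report rate as reports over delivered emails.

```python
# Added example (not from the original article): aggregating phishing
# simulation results per quarter so click and report rates can be tracked
# over time. The Campaign schema and all figures below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Campaign:
    """Outcome of one simulation campaign (constructed schema)."""
    sent_on: date
    delivered: int  # emails that reached an inbox
    clicked: int    # recipients who followed the link or opened the attachment
    reported: int   # recipients who reported the email to security


# Constructed sample data covering four quarters of a mid-market programme.
CAMPAIGNS = [
    Campaign(date(2024, 1, 15), 500, 90, 50),
    Campaign(date(2024, 2, 20), 500, 80, 60),
    Campaign(date(2024, 4, 10), 500, 70, 75),
    Campaign(date(2024, 5, 22), 500, 60, 85),
    Campaign(date(2024, 7, 8), 1000, 110, 190),
    Campaign(date(2024, 10, 14), 1000, 140, 170),
]


def quarter_key(d: date) -> str:
    """Map a date to a sortable quarter label such as '2024-Q3'."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def quarterly_rates(campaigns):
    """Return {quarter: {'click_rate': x, 'report_rate': y}} in quarter order.

    Rates are pooled across all campaigns in a quarter (total clicks over
    total delivered) rather than averaged per campaign, so one small
    campaign cannot skew the quarter. Quarters with nothing delivered are
    skipped instead of dividing by zero.
    """
    totals = defaultdict(lambda: [0, 0, 0])  # delivered, clicked, reported
    for c in campaigns:
        t = totals[quarter_key(c.sent_on)]
        t[0] += c.delivered
        t[1] += c.clicked
        t[2] += c.reported
    rates = {}
    for q in sorted(totals):
        delivered, clicked, reported = totals[q]
        if delivered == 0:
            continue
        rates[q] = {
            "click_rate": round(clicked / delivered, 3),
            "report_rate": round(reported / delivered, 3),
        }
    return rates


def quarter_over_quarter(rates):
    """Classify each quarter against the one before it.

    'improving' means fewer clicks AND more reports; 'regressing' means
    more clicks AND fewer reports; anything else is 'mixed' and deserves a
    closer look (for example a deliberately harder scenario that raised
    clicks but also raised reports).
    """
    quarters = list(rates)
    verdicts = {}
    for prev, cur in zip(quarters, quarters[1:]):
        click_down = rates[cur]["click_rate"] < rates[prev]["click_rate"]
        click_up = rates[cur]["click_rate"] > rates[prev]["click_rate"]
        report_up = rates[cur]["report_rate"] > rates[prev]["report_rate"]
        report_down = rates[cur]["report_rate"] < rates[prev]["report_rate"]
        if click_down and report_up:
            verdicts[cur] = "improving"
        elif click_up and report_down:
            verdicts[cur] = "regressing"
        else:
            verdicts[cur] = "mixed"
    return verdicts


if __name__ == "__main__":
    rates = quarterly_rates(CAMPAIGNS)
    verdicts = quarter_over_quarter(rates)
    for q, r in rates.items():
        print(q, r, verdicts.get(q, "baseline"))
```

Report rate is tracked alongside click rate deliberately: a falling click rate on its own can mean people are simply ignoring email, whereas a rising report rate shows the behaviour you actually want. The "mixed" verdict is the signal to look at scenario difficulty before changing cadence.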
When should you increase frequency?
Regardless of size, consider running more frequent simulations when:
- You’ve recently had a real phishing incident
- You’re onboarding lots of new staff or contractors
- You’re working towards a certification like ISO 27001 or Cyber Essentials
- You operate in a high-risk sector like finance, healthcare, or government
If budget is a concern, look for pay-as-you-go models rather than big per-user contracts. With RapidPhish’s simple pricing, for example, you can run campaigns as often as you need and only pay per simulation instead of committing to a large annual licence.
The bottom line: you don’t need to run phishing simulations every week, but you do need to run them often enough that people stay sharp and behaviour measurably improves. Start with a realistic cadence, review your results, and adjust until you find the sweet spot for your organisation.