Best Practice Guide: Pre-campaign communication to employees

Pre-Campaign Communications

We recommend that you send a communication to your employees alerting them that a phishing test is coming up, preferably in the week before the test.

If the phishing test references someone within the company (e.g., a JIRA task or Dropbox share by a real employee), we recommend notifying that person that they will be part of a phishing campaign.

Sample Communications

Email to employees 

Team -

As you're well aware, security at [Company Name] is a top priority for our company and part of our commitment to our customers. With that comes a lot of responsibility for each of us to do our part in upholding that trust.

Starting this month, we will be kicking off phishing assessments. A phishing assessment is nothing more than our team sending out an email pretending to be a hacker. These emails won’t harm you in any way and are only meant to track our progress as a company in how good we are at spotting and reporting them.

A few key points:

  • If you fall victim, your name is not reported to management and it will not impact you in any way. This training is designed to help you learn.
  • We will notify you if you’ve fallen victim to a phishing email either immediately upon falling for it or within a few days, depending on the goal of the exercise.
  • If you receive a suspicious email, do not click on any of the links or attachments and notify the security team immediately at [].

Here are some indications that you may have received a real or test phishing email:

  • General Greetings - uses ‘Dear customer,’ ‘user’ or any other generalization instead of your name.
  • Spelling Errors - many phishing emails have bad grammar and spelling in a bid to bypass spam filters.
  • Data Requests - being asked to enter personal data such as identification numbers, passwords, or financial credentials.
  • Unusual Links - often disguised until you hover over them and point to unknown web sites.
  • Odd Context - you weren’t expecting a package, HR document, attachment, credit card statement, etc.

Real malicious emails can come with a wide and terrifying variety of malware.

These attacks can lead to data loss and breaches, which result in a damaged reputation, loss of customer trust, loss of revenue, and even fines. It’s up to everyone to keep [Company Name] safe!

If you have any questions about this program or suggestions on how to improve it, please contact [Your Contact Information Here].

Thank you for your continued vigilance!


Email to Incident Response team 


As part of our employee security education program, we are kicking off monthly phishing assessments. We are working with Elevate Security to send assessments on a quarterly basis to our employees.

The goal of these assessments is to collect click-through numbers and reporting rates, and to educate employees to identify these scams. They are not intended to be used for punishment, and phishing victim names will not be reported to management.

As part of our phishing education program, we encourage employees to report suspicious emails to []. We will notify you and your team at least 48 hours in advance of any phishing test we plan to run with details of the email sender and content information.

While a test is ongoing, we ask that you don’t let employees know it is a simulation until it is completed. Instead, thank them for their report and let them know it is being investigated.

Upon the completion of a phishing test, we will notify participants of the details of the assessment and how they could have detected the attack if they did not.

If you have any questions about this program or suggestions on how to improve it, please contact [Your Contact Information Here].

Thanks for your partnership in making this program happen.

