Cyberdise AG

How Often and How Fast Should I Phish My Colleagues in 2026?

Infographic showing the optimal frequency for phishing exercises at work.
"We've just completed our annual phishing campaign" is about as inappropriate as "We send a simulated phishing email every two weeks."

How many phishing simulations should be conducted and how frequently users should be confronted with cybersecurity eLearning is a recurring topic in consulting for awareness programs and campaigns. This topic is far from academic – it’s highly relevant for practical application.

A sensitization effect, once achieved, begins to crumble after about three months, and after six months, maximum erosion has essentially been reached. There are solid studies on this, and our latest scientific research shows a very similar result.
However, the statements made about the quantity and timing of awareness measures must be considered with nuance. It would be dangerous to derive simple, universally applicable rules from them.

Why?
Because in addition to the question of how frequently and how quickly cybersecurity awareness measures should follow one another, many other factors have a significant influence:

  • Are only phishing simulations conducted, or are eLearning modules also offered?
  • How are these combined?
  • Are there additional communication and awareness activities such as awareness leaderboards, competitions, games, or internal campaigns?
  • Is a phishing button in use that gives users feedback on whether the reported message was actually malicious or not?
  • What is the basic attitude of the workforce toward cybersecurity?
And these are far from all the influencing factors.

But Is This Even Relevant?
What’s wrong with simply running a campaign once or twice a year? Or regularly sending a phishing exercise every 14 days?

That doesn’t really break anything – or does it?

We know today: Yes, it does matter. And for several reasons.

Fundamentally, we must not forget that employee awareness of cyber risks has developed into an emotionally charged topic in recent years. In many companies, there is much controversy and a noticeably negative basic attitude about it.

How much and how awareness is conducted has a direct influence on how employees view these measures.

  • If only one or two phishing simulations or a single training session are conducted per year, no sustainable awareness is created. Individual measures are generally ineffective – and thus simply wasted money.
  • If, on the other hand, phishing exercises are sent every week or every two weeks, that’s too much in most cases – though this depends heavily on the quality of the phishing emails. That much is simply not necessary, and the risk of alienating employees increases significantly.
  • However, this does not mean that it’s bad to send employees five phishing emails in the same week. That can certainly make sense – but not permanently.
A Year of Growth, A Community of Trust

As we reflect on 2025, we find ourselves deeply grateful for the new partnerships we’ve built. This year, we welcomed collaborations that expanded our reach to more than 70,000 licenses – representing thousands of employees across organizations who are now equipped to build stronger security cultures. Each new partnership represents companies and teams that chose to invest not just in technology, but in their people’s ability to recognize and respond to cyber threats.

To every organization that joined us this year: thank you for trusting us to be part of your security awareness journey. Your commitment to cybersecurity awareness inspires everything we do, and together, we’re proving that human-centered security awareness can change the landscape of digital defense for the better. Cheers to 2026! 

How Much and How Fast Then?

Quantity
From our experience, phishing exercises at intervals of about two months achieve the best awareness. Quarterly campaigns are also effective, although higher variability in click and data-entry rates is often observed at that spacing.

A best-practice attack simulation typically consists of four to five phishing emails. This nominally adds up to 15–20 phishing messages per year, but these differ in:

  • Difficulty level
  • Context
  • Temporal compression

In a varied program, phishing messages are sometimes deliberately bundled and sent in short intervals.

Speed and Regularity
As mentioned at the beginning: A phishing email every week or every two weeks is not necessary in most cases. A solid security culture must be lived and felt – not just measured by the number of simulation emails sent.

Our experience shows that phishing campaigns with five emails sent within five to ten days, followed by a communicated evaluation of the results by management, are very well received by the workforce.

In short: Irregularity and compressed sending can be very sensible.
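The cadence described in the last two sections (campaigns every few months, four to five emails per campaign compressed into a 5–10 day window, varied difficulty and context, no permanent weekly drip) can be turned into a plan and checked mechanically. The following is an added example and not code from the article or from Cyberdise; the lure contexts and difficulty labels are constructed placeholders, the default start date is arbitrary, the 42-day minimum gap between bursts is an assumed threshold, and the numeric bands (15–20 emails per year, 4–5 per campaign, 5–10 day window) are taken from the article as parameters you can adjust. The default uses quarterly bursts so that the annual total lands inside the article's 15–20 band; the second function builds the biweekly drip the article argues against, so you can see the checker reject it.

```python
"""Plan a phishing-simulation calendar as compressed bursts and check it
against the cadence guidance in the article (example code, not Cyberdise's)."""
from dataclasses import dataclass
from datetime import date, timedelta
from itertools import cycle
import random

# Constructed, purely illustrative labels (assumption): not lure templates.
DIFFICULTY_LEVELS = ("easy", "medium", "hard")
CONTEXTS = ("invoice", "HR policy", "IT support", "parcel delivery", "file share")


@dataclass(frozen=True)
class SimulatedEmail:
    campaign: int      # burst number, 1-based
    send_date: date
    difficulty: str
    context: str


def plan_year(start=date(2026, 1, 12), campaigns=4, emails_per_campaign=5,
              window_days=7, interval_days=91, seed=0):
    """Return a list of SimulatedEmail: `campaigns` bursts, `interval_days`
    apart, each spreading `emails_per_campaign` sends over `window_days`
    (first send on day 0, the rest on random later days), rotating
    difficulty across the year and context within each burst."""
    if emails_per_campaign > window_days:
        raise ValueError("need at least one day per email in the window")
    rng = random.Random(seed)  # seeded so the plan is reproducible
    difficulty_cycle = cycle(DIFFICULTY_LEVELS)
    plan = []
    for c in range(campaigns):
        burst_start = start + timedelta(days=c * interval_days)
        offsets = [0] + sorted(rng.sample(range(1, window_days), emails_per_campaign - 1))
        for i, off in enumerate(offsets):
            plan.append(SimulatedEmail(
                campaign=c + 1,
                send_date=burst_start + timedelta(days=off),
                difficulty=next(difficulty_cycle),
                context=CONTEXTS[(c + i) % len(CONTEXTS)],
            ))
    return plan


def biweekly_drip(start=date(2026, 1, 12), every_days=14, count=26):
    """The steady 'one mail every two weeks' pattern the article advises
    against; every send is its own one-email campaign."""
    difficulty_cycle = cycle(DIFFICULTY_LEVELS)
    return [SimulatedEmail(i + 1, start + timedelta(days=i * every_days),
                           next(difficulty_cycle), CONTEXTS[i % len(CONTEXTS)])
            for i in range(count)]


def check_plan(plan, year_total=(15, 20), per_campaign=(4, 5),
               window=(5, 10), min_gap_days=42):
    """Return a list of findings; an empty list means the plan matches the
    article's guidance. Bands default to the article's figures; the
    minimum gap between bursts is an assumed threshold."""
    findings = []
    if not year_total[0] <= len(plan) <= year_total[1]:
        findings.append(f"annual volume {len(plan)} outside {year_total[0]}-{year_total[1]}")

    by_campaign = {}
    for e in plan:
        by_campaign.setdefault(e.campaign, []).append(e.send_date)

    spans = []
    for cid, dates in sorted(by_campaign.items()):
        n, span = len(dates), (max(dates) - min(dates)).days + 1
        if not per_campaign[0] <= n <= per_campaign[1]:
            findings.append(f"campaign {cid}: {n} emails, expected {per_campaign[0]}-{per_campaign[1]}")
        if not window[0] <= span <= window[1]:
            findings.append(f"campaign {cid}: sent over {span} days, expected {window[0]}-{window[1]}")
        spans.append((min(dates), max(dates)))

    # Bursts that follow each other too closely read as a permanent drip.
    for (_, prev_end), (next_start, _) in zip(spans, spans[1:]):
        gap = (next_start - prev_end).days
        if gap < min_gap_days:
            findings.append(f"only {gap} days between bursts ending {prev_end} and starting {next_start}")

    if len({e.difficulty for e in plan}) < 2:
        findings.append("no variation in difficulty")
    if len({e.context for e in plan}) < 2:
        findings.append("no variation in context")
    return findings


if __name__ == "__main__":
    for label, plan in (("compressed bursts", plan_year()), ("biweekly drip", biweekly_drip())):
        print(f"{label}: {len(plan)} emails, findings: {check_plan(plan) or 'none'}")
```

Running the module prints both plans' verdicts: the quarterly bursts pass every check, while the biweekly drip is flagged for its annual volume, its one-email campaigns and the short gaps between them. A once-a-year campaign of five emails (`plan_year(campaigns=1)`) fails on annual volume alone, which is the article's "individual measures are generally ineffective" point expressed as a check.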

Perhaps you’re currently planning your cybersecurity awareness for 2026 – or having your annual review for a managed awareness service. This is a good time to give some conscious thought to the quantity and speed of awareness phishing exercises, because good cybersecurity awareness is not an ‘out-of-the-box’ product.

We’re excited to share more cybersecurity insights, news, and updates with you in the upcoming editions of this newsletter. However, if you don’t find this helpful, we’re sorry to see you go. Please click the unsubscribe button below.
