
A phishing awareness campaign is not the same thing as a phishing awareness training programme. The distinction matters operationally even though the two terms often get used interchangeably. A programme is the ongoing operation — the cadence of training, the simulation engine, the reporting infrastructure, the measurement discipline that runs continuously. A campaign is a discrete, time-bounded effort within the programme that focuses on a specific objective, audience, theme, or risk vector. The programme is the year. The campaign is the quarter.
The reason this distinction matters is that campaigns are where the programme produces visible, measurable change. A well-designed campaign starts with a behavioural objective, structures the execution to produce that objective, and converts the resulting data into refinements that improve the next campaign. A poorly designed campaign sends a simulation, captures a click rate, generates a slide for the board, and changes nothing about how the workforce will respond to the next real attack.
This article covers a 12-week playbook for running a phishing awareness campaign that produces behavioural change. The timeline is calibrated to a quarterly campaign rhythm; the underlying structure applies to themed campaigns of any duration. Each phase has specific deliverables, real timing, and identifiable stakeholders. The whole sequence is designed to be executable by a security team of any size, including organisations where a single security manager runs the entire awareness function as one of many responsibilities.
What a Phishing Awareness Campaign Is (and Isn't)
A campaign has four characteristics that distinguish it from ad-hoc simulation activity.
A specific behavioural objective. "Reduce the click rate among the finance team on wire fraud pretexts." "Increase the report rate across the executive team on whaling scenarios." "Establish baseline behaviour for the new hires from the last quarter's onboarding cohort." The objective should be expressed as a specific metric change in a specific population, not as a generic "improve awareness."
A defined audience segment. A campaign targets a specific population — finance, executives, IT, new hires, a regional office, the customer-facing function. Campaigns that target the entire workforce uniformly tend to produce diluted results because the scenarios cannot match every role's actual exposure. Smaller, focused audiences produce larger behavioural shifts.
A coherent theme. The scenarios within a campaign share a thematic backbone — wire fraud, credential targeting, executive impersonation, holiday-season delivery scams, payroll changes during open enrolment, vendor invoice manipulation. The theme gives the campaign narrative coherence that one-off simulations lack.
A measurable end state. The campaign produces a specific outcome that can be evaluated against the objective. Metrics improved, training assignments triggered, gaps identified, organisational policies updated. A campaign that ends without producing a documented end state is an activity, not a campaign.
Campaigns within a mature programme typically run quarterly. Some organisations run more frequent, smaller campaigns — monthly focused efforts on specific audience segments. Both patterns work; the quarterly cadence is more common in practice because it matches the operational rhythm of most security teams.
Week 0: Set the Objectives
Before the 12 weeks begin, the security team allocates two or three working days to defining what the campaign will accomplish. This is the cheapest phase to do well and the most expensive phase to skip.
Three documents are the output of week 0.
Campaign brief. A one-page document specifying the objective, audience, theme, success metric, and timeline. The brief is reviewed by the security manager, the team responsible for the target population's workflow (HR if the audience is general workforce, finance leadership if the audience is finance, etc.), and any executive sponsor the programme has. Review at this stage is faster than rework at week 8.
Hypothesis about why the audience is vulnerable. The brief should articulate why the chosen audience is at risk in the chosen way. Finance teams are vulnerable to wire fraud because they have transaction authority and the lures attackers send them are increasingly tuned to their specific approval workflows. Executive assistants are vulnerable to deepfake voice scams because they handle communications on behalf of senior figures, and challenging the identity of a caller who sounds like the CEO is socially awkward. The hypothesis is what makes the scenarios feel grounded rather than generic.
Definition of done. What the campaign will produce at completion. A click-rate change in the target audience. A specific number of behaviour-triggered training assignments. An updated policy on out-of-band verification. Whatever the planned end state is, it should be specific enough that the campaign team can recognise it.
Weeks 1-2: Audience Segmentation
The first two weeks of the campaign timeline focus on confirming and refining the audience definition. The campaign brief named the population in general terms; week 1 and 2 turn it into an operational list.
Population definition. The campaign team works with HR or IT to extract the specific list of employees in scope. Finance team campaigns target the actual finance roles, not everyone whose title includes the word "financial." Executive campaigns target the actual leadership population, not adjacent senior roles that look executive on paper but operate differently in practice.
Risk-tier sub-segmentation. Within the campaign audience, identify the highest-risk sub-segments. Inside finance, accounts payable typically faces higher direct fraud exposure than financial planning. Inside executives, the CFO and CEO face different threat profiles than the COO or CTO. The sub-segmentation lets the scenarios match the actual exposure rather than treating the whole audience as homogeneous.
Exclusions. Some populations should be excluded or handled separately. New hires who joined in the past 30 days are still in onboarding-specific training; including them in a regular campaign produces noisy data. Employees on extended leave should be excluded. Any employee currently in a sensitive HR process (performance improvement, termination negotiation) is exempted for the duration of that process.
Consent and notification. Some regions and industries require specific consent for participation in phishing simulation, and some European jurisdictions require works council consultation before any exercise that produces per-employee data. The campaign team confirms that whatever consent infrastructure the programme has is current for the audience in scope. For most North American and European deployments the consent is provided at the programme level rather than per campaign, but the verification is worth doing, particularly when the audience includes a region the programme has not simulated before.
Weeks 3-4: Scenario Selection
With the audience defined, the campaign team selects the scenarios. Two scenarios are the common pattern — a primary scenario delivered to the full audience in week 7, and a secondary scenario delivered in week 9 to the population that clicked the first one and did not report it.
Scenario sourcing. Scenarios come from one of two places: the curated template library the platform provides, or AI-generated scenarios produced for the specific campaign brief. The library option is faster and well-tested; the AI-generated option is fresher and matches current attack quality. Mature programmes use both. The AI-generated phishing simulation tools article covers the static-vs-AI-generated trade-off in detail.
Difficulty calibration. The primary scenario should be at the difficulty level that produces meaningful behavioural data — a few points harder than the audience's last baseline. The secondary scenario can be slightly harder, because it is delivered only to the population the first scenario did not adequately stress.
Pretext realism. The pretext should reflect what the audience actually receives in real attacks. Finance teams should see invoice manipulation and wire fraud. Executive assistants should see calendar-impersonation and travel-rebooking scams. IT teams should see helpdesk impersonation and credential reset requests. Scenarios that feel disconnected from the audience's real exposure produce shallow learning even when employees click.
Legal and brand review. Scenarios that impersonate specific brands (Microsoft, DocuSign, the company's actual vendors) require a quick legal and brand review. The platform's library should have already cleared these reviews for common cases; AI-generated scenarios may require fresh review. Skipping this step occasionally produces awkward conversations with brand partners or internal legal.
Weeks 5-6: Communication Plan
Two weeks before the first wave goes live, the campaign team finalises the communication plan. The plan covers three audiences in three different ways.
Leadership pre-brief. A 15-minute pre-brief to the executive sponsor and to the leadership of the target audience. The brief covers what the campaign is, when it runs, and what the leadership team's role is during and after. The role is typically supportive — backing the campaign publicly if employees ask about it, not interfering with execution, attending the debrief at week 12.
Manager communication. Two weeks before launch, managers of the target audience receive the campaign overview. The communication explicitly asks them not to inform their teams about the specific scenarios but to be supportive if employees come to them with questions about the programme generally. Managers who tip off their teams about specific simulations distort the data; managers who reinforce the programme's positive framing improve it.
No employee notification of the specific campaign. Employees do not receive advance notice of the specific campaign — that would defeat the simulation. They do receive the programme-level communication that should already be running: ongoing simulation is part of the programme, the goal is to build recognition skills, no individual consequences attach to clicking. If the programme-level rollout included good pre-launch communications, no fresh employee communication is needed for each campaign.
Weeks 7-10: Execute the Campaign
Execution happens in two waves, with measurement in between.
Week 7: Wave 1 launch. The primary scenario is delivered to the full campaign audience. Delivery is staggered over a defined window — for most campaigns, three to five business days — to avoid the artificial signal of all messages arriving simultaneously. Real attacks do not arrive at exactly 9 AM Tuesday; the simulation should not either.
Week 8: Wave 1 measurement. The campaign team reviews the wave 1 results five business days after the wave completes. Click rate, report rate, time-to-report, and per-employee outcomes are all captured. Before computing the click rate, strip automated clicks: mail security gateways and URL-rewriting services often fetch every link at delivery time, which appears in the platform as a click seconds after delivery from the gateway's IP range rather than from a user's workstation. Left in, those fetches inflate the click rate and trigger training for people who never opened the message. The cleaned data is segmented by sub-population to identify which parts of the audience need wave 2.
Week 9: Wave 2 launch. The secondary scenario is delivered to the population identified by wave 1 measurement as still needing reinforcement. This is typically the population that clicked on wave 1 and did not report it. The wave 2 scenario is slightly harder and uses a different pretext to test whether the wave 1 experience produced any transferable skill.
Week 10: Wave 2 measurement and just-in-time training. As employees engage with wave 2, just-in-time training assignments are triggered for anyone who fails to recognise the simulation. The training arrives within an hour of the click; that proximity is what makes the lesson stick, because the employee still remembers what the message looked like and why it was convincing. Programmes that delay the training even by 24 hours see noticeably reduced impact. The same automated-click filter used in week 8 applies here, or the gateway will be the first "employee" enrolled in training.
Weeks 11-12: Measure and Convert to Training
The final two weeks of the campaign are where the data becomes the next training cycle.
Week 11: Outcome measurement. The campaign team produces the formal outcome assessment. Click rate change from baseline. Report rate change. Per-employee risk score updates. Population segments that improved. Population segments that did not. The measurement compares against the campaign objective from week 0; this is when the team determines whether the campaign succeeded or fell short.
Week 11: Training assignment. Employees who failed scenarios are assigned the follow-up training matched to the specific failure pattern. An employee who clicked a wire fraud scenario gets wire fraud training. An employee who replied to an executive impersonation gets executive-fraud training. The behaviour-triggered assignment is the mechanism by which campaign data becomes ongoing programme value.
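The measurement and assignment logic described for week 8 (rates and time-to-report per sub-segment, with gateway pre-fetches filtered out), week 9 (selecting the wave 2 population) and week 11 (training matched to the failure pattern) is small enough to show in one place. The script below is an added example for this playbook, not PhishSkill platform code; the roster, the event log, the gateway IP prefix, the 30-second "faster than a human" threshold and the training module names are all constructed for illustration, and a real platform export will carry different field names.

```python
"""Wave-1 measurement, wave-2 selection and failure-matched training assignment.

Added example for this playbook; not PhishSkill platform code. Roster, event
log, gateway prefix, thresholds and module names are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed finance audience with risk-tier sub-segments (weeks 1-2 output).
ROSTER = {"e01": "accounts_payable", "e02": "accounts_payable", "e03": "accounts_payable",
          "e04": "accounts_payable", "e05": "fp_and_a", "e06": "fp_and_a", "e07": "fp_and_a",
          "e08": "treasury", "e09": "treasury", "e10": "treasury"}

# Constructed wave-1 event log: (employee, event, ISO timestamp, client IP or None).
# Delivery was staggered over three business days.
WAVE1_EVENTS = [
    ("e01", "delivered", "2025-03-10T09:12:00", None),
    ("e01", "clicked",   "2025-03-10T09:12:04", "203.0.113.7"),   # gateway URL pre-fetch
    ("e01", "clicked",   "2025-03-10T11:40:00", "10.20.1.15"),    # the real click
    ("e02", "delivered", "2025-03-10T09:30:00", None),
    ("e02", "clicked",   "2025-03-10T10:05:00", "10.20.1.22"),
    ("e02", "reported",  "2025-03-10T10:09:00", None),            # clicked, then reported
    ("e03", "delivered", "2025-03-10T14:00:00", None),
    ("e03", "reported",  "2025-03-10T14:06:00", None),
    ("e04", "delivered", "2025-03-11T10:00:00", None),
    ("e04", "clicked",   "2025-03-11T10:00:03", "203.0.113.9"),   # gateway only, no person
    ("e05", "delivered", "2025-03-11T10:20:00", None),
    ("e05", "replied",   "2025-03-11T11:00:00", None),            # answered the pretext
    ("e06", "delivered", "2025-03-11T15:00:00", None),
    ("e07", "delivered", "2025-03-12T09:00:00", None),
    ("e07", "reported",  "2025-03-12T09:45:00", None),
    ("e08", "delivered", "2025-03-12T09:30:00", None),
    ("e08", "clicked",   "2025-03-12T09:31:00", "10.20.2.5"),
    ("e08", "reported",  "2025-03-12T09:50:00", None),
    ("e09", "delivered", "2025-03-12T11:00:00", None),
    ("e09", "clicked",   "2025-03-12T11:20:00", "10.20.2.8"),
    ("e10", "delivered", "2025-03-12T13:00:00", None),
    ("e10", "reported",  "2025-03-12T13:02:00", None),
]

# Constructed: egress prefix of the mail-security gateway that follows links on
# delivery. A click from it, or faster than a person could open the mail, is not a person.
GATEWAY_PREFIXES = ("203.0.113.",)
MIN_HUMAN_DELAY = timedelta(seconds=30)

# (campaign pretext, failure kind) -> training module. Constructed names.
TRAINING_MODULES = {
    ("wire_fraud", "clicked"): "wire-fraud-link-recognition",
    ("wire_fraud", "replied"): "wire-fraud-out-of-band-verification",
    ("exec_impersonation", "clicked"): "executive-fraud-recognition",
    ("exec_impersonation", "replied"): "executive-fraud-verification",
}


def is_automated_click(delivered_at, clicked_at, ip):
    """Heuristic filter for scanner and URL-rewriter fetches (week 8 caveat)."""
    if ip and ip.startswith(GATEWAY_PREFIXES):
        return True
    return clicked_at - delivered_at < MIN_HUMAN_DELAY


def per_employee_outcomes(events):
    """Collapse the event log to one outcome record per employee."""
    out = {}
    for emp, kind, ts, ip in sorted(events, key=lambda e: e[2]):
        rec = out.setdefault(emp, {"delivered_at": None, "clicked": False,
                                   "replied": False, "reported_at": None})
        t = datetime.fromisoformat(ts)
        if kind == "delivered":
            rec["delivered_at"] = t
        elif kind == "clicked":
            # A click with no delivery record cannot be timed; treat it as not human.
            if rec["delivered_at"] is not None and not is_automated_click(rec["delivered_at"], t, ip):
                rec["clicked"] = True
        elif kind == "replied":
            rec["replied"] = True
        elif kind == "reported" and rec["reported_at"] is None:   # first report counts
            rec["reported_at"] = t
    for rec in out.values():
        rec["failed"] = rec["clicked"] or rec["replied"]
        rec["ttr_minutes"] = (None if rec["reported_at"] is None else
                              (rec["reported_at"] - rec["delivered_at"]).total_seconds() / 60)
    return out


def segment_metrics(outcomes, roster):
    """Week 8: click, failure and report rates plus median time-to-report per sub-segment."""
    groups = defaultdict(list)
    for emp, rec in outcomes.items():
        groups[roster[emp]].append(rec)
        groups["all"].append(rec)
    metrics = {}
    for seg, recs in groups.items():
        n = len(recs)
        ttrs = [r["ttr_minutes"] for r in recs if r["ttr_minutes"] is not None]
        metrics[seg] = {"delivered": n,
                        "click_rate": sum(r["clicked"] for r in recs) / n,
                        "failure_rate": sum(r["failed"] for r in recs) / n,
                        "report_rate": len(ttrs) / n,
                        "median_ttr_minutes": median(ttrs) if ttrs else None}
    return metrics


def wave2_population(outcomes):
    """Week 9: employees who fell for wave 1 and did not report it."""
    return sorted(e for e, r in outcomes.items() if r["failed"] and r["reported_at"] is None)


def assign_training(outcomes, pretext):
    """Week 11: module matched to the failure pattern; a reply outranks a click.
    Clicking and then reporting still earns the module (the click was the
    failure) but keeps the employee out of wave 2."""
    kinds = {e: "replied" if r["replied"] else "clicked" for e, r in outcomes.items() if r["failed"]}
    return {e: TRAINING_MODULES[(pretext, k)] for e, k in kinds.items()}


if __name__ == "__main__":
    outcomes = per_employee_outcomes(WAVE1_EVENTS)
    for seg, m in segment_metrics(outcomes, ROSTER).items():
        print(seg, m)
    print("wave 2:", wave2_population(outcomes), "training:", assign_training(outcomes, "wire_fraud"))
```

On the constructed data the gateway fetches for e01 and e04 are discarded, so accounts payable measures a 50 percent click rate rather than 75 percent; wave 2 goes to e01, e05 and e09 only; and e05, who replied rather than clicked, is routed to the out-of-band verification module rather than the link-recognition one. The 30-second threshold is a heuristic, not a rule; tune it against your own gateway's behaviour, and prefer the IP-prefix check where the platform records client addresses.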
Week 12: Campaign debrief. A 30-minute debrief with the executive sponsor and audience leadership covers the outcome, the surprises, the patterns that surfaced, and the implications for the next campaign. The debrief is not a celebration or a postmortem; it is a calibration meeting that informs the next quarter's planning.
The campaign closes with an updated campaign brief for the next quarter that incorporates what was learned. The next campaign begins with week 0 again, building on the data the just-completed campaign produced.
After the Campaign: What Comes Next
A single campaign is the unit of measurable change. Four to twelve campaigns per year — quarterly at minimum, monthly for organisations with more programme maturity — produce the trajectory that distinguishes a developing awareness programme from a static one.
The patterns that improve over time include:
Reducing click rates in segments that started high. Finance teams that clicked at 35 percent on baseline scenarios should be clicking at 10 to 15 percent within four campaigns if the playbook is executed well. The comparison only holds when scenario difficulty is held constant or increased between campaigns; a falling click rate against easier pretexts measures nothing. The trajectory is the result; the campaigns are the mechanism.
Increasing report rates across the audience. Report rate often takes longer to develop than click-rate reduction. Programmes that emphasise phishing reporting culture see report rates climb steadily campaign by campaign as employees internalise that reporting is the goal.
Shortening time-to-report. The time between a real or simulated phishing attempt reaching the workforce and the first reported instance reaching security. Average time-to-report benchmarks provide industry context; mature campaigns drop this from days to minutes.
Refining per-employee risk scoring. Each campaign produces fresh behavioural data that updates the risk scores feeding the next campaign's segmentation. Over four to eight campaigns, the risk scoring matures from approximate to precise.
Identifying systemic policy gaps. Campaigns sometimes reveal that an organisational policy is missing or unclear. Wire fraud campaigns frequently surface gaps in the out-of-band verification policy; deepfake campaigns surface gaps in the high-stakes confirmation requirements covered in our deepfake phishing awareness training article. Closing these policy gaps is one of the campaign output categories that is harder to measure but high in long-term value.
Why Campaigns Matter More Than One-Off Simulations
The case for campaigns over ad-hoc simulation activity rests on a single observation. Behavioural change is the result of structured, repeated exposure to recognition opportunities, not the result of single events. A one-off simulation captures a snapshot. A series of campaigns captures a trajectory. The trajectory is what reduces incident rates; the snapshot is just a number on a slide.
This is also why the importance of phishing awareness is best demonstrated through campaign-level outcomes rather than annual training completion statistics. Completion alone does not reduce phishing-driven incidents. Behavioural improvement across the workforce, measured campaign by campaign, does — and organisations that invest in the campaign discipline see the incident reduction over the first 12 to 18 months that organisations relying on annual training do not.
For the underlying framework, the complete guide to phishing awareness training covers the strategic layer. For the implementation foundation, how to implement phishing awareness training covers the programme-level rollout that makes campaigns possible. For the cadence question, how often to run phishing simulations covers the frequency calibration for different industries.
The 12-week playbook above is the structure that consistently produces campaign-level success. The specific tactics adapt to organisational context — a 30,000-person enterprise and a 500-person mid-market firm execute differently — but the underlying sequence does not change. Campaign discipline is what turns awareness training from a compliance line item into a measurably effective security control.
Related Reading
For the foundation, What Is Phishing Awareness Training? covers the framework. For the launch playbook, How to Implement Phishing Awareness Training is the programme-level companion to this campaign-level guide.
For frequency calibration, How Often Should You Run Phishing Simulations provides industry-specific guidance. For the broader programme architecture, How to Build a Security Awareness Program from Scratch is the foundational playbook.
For specific threat scenarios that benefit from campaign-level treatment, Deepfake Phishing Awareness Training covers the high-risk-role scenarios, and AI-Generated Phishing Simulation Tools covers the content-currency question that mature campaigns address through generation.
External authority: NIST Special Publication 800-50 documents the federal framework for security awareness and training programmes, and the Verizon Data Breach Investigations Report provides the longitudinal data that contextualises campaign-level outcomes.
Ready to run your first structured campaign? Start a free 30-day Starter trial — the 30 days are enough to run weeks 0 through 4 of the playbook and launch wave 1 as part of a real evaluation.