How to Run Your First Phishing Drill With a 10-Person Team
You've written your WISP. It says your firm will train employees on phishing awareness. The question now is: how do you actually do it in a way that works for a small team without spending thousands of dollars on enterprise security platforms?
The answer is simpler than you think. A phishing drill for a 10-person team doesn't require fancy tooling or a dedicated security staff. It requires a plan, a free tool, about two hours of your time, and a debrief conversation that sets the right tone. This guide walks through all of it.
Why Bother With a Drill?
The statistics tell the story quickly. 34.3% of employees are considered "phish-prone" before receiving any security training, meaning roughly one in three people on your team would interact with a phishing email if one arrived in their inbox today. For small businesses with fewer than 100 employees, the exposure is even higher: small firms are 350% more likely to experience phishing attacks than larger organizations, because attackers know that smaller teams typically have less security training.
The good news is that training works. KnowBe4's benchmarking data shows that phish-prone percentages drop by 40% within just three months of starting a simulation program, and by 86% after 12 months. That's one of the most dramatic return-on-investment numbers in all of cybersecurity. A few hours of effort per quarter can take your team from one-in-three vulnerability to near-zero.
The FTC Safeguards Rule expects employee training on security awareness, and IRS Publication 4557 specifically calls out phishing awareness as a component of your security program. Running documented phishing simulations satisfies both requirements while actually improving your team's ability to spot threats.
Step 1: Choose Your Tool
You don't need to buy anything. Several platforms offer free phishing simulation capabilities that work well for small teams.
KnowBe4 Free Phishing Security Test. This is the easiest starting point. KnowBe4 offers a free test that lets you send a simulated phishing email to up to 100 users. You don't need to talk to a sales rep. You sign up, choose a template, enter your team's email addresses, and launch the test. The platform tracks who clicked, who reported, and who ignored the email. It generates a report showing your firm's "phish-prone percentage."
Google Phishing Quiz. If you want to start even simpler, Google's Phishing Quiz is a free online exercise that presents real phishing examples and asks users to identify which emails are legitimate and which are attacks. It's not a simulation in the traditional sense, but it's a good warm-up exercise you can assign before running your first real drill.
Microsoft Attack Simulator. If your firm uses Microsoft 365 with an E5 license or Defender for Office 365 Plan 2, you already have access to Attack Simulation Training built into your admin console. Your IT provider can help you set this up.
GoPhish. For the technically inclined, GoPhish is a free, open-source phishing simulation framework. It requires some setup and a server to host it, so it's better suited for firms whose IT provider is willing to manage it. The advantage is complete control over the simulation with no user limits.
For your first drill, KnowBe4's free test is the path of least resistance. It takes about 15 minutes to set up and requires no technical expertise.
Step 2: Pick the Right Scenario
The phishing email you send should be realistic enough to be a fair test but not so targeted that it feels like entrapment. For a CPA firm, good first-drill scenarios include:
A fake "document shared with you" notification that mimics Google Drive, SharePoint, or Dropbox. These are common in professional services environments, and your team sees legitimate versions of these emails every day.
A spoofed IRS communication about a "required update to your PTIN information." During and after tax season, tax professionals receive a high volume of IRS-related emails, making this a realistic and relevant test.
A password reset notification from a service your firm actually uses. This is a classic phishing vector and tests whether employees verify the sender before clicking.
Avoid scenarios that are unreasonably sophisticated for a first drill. AI-generated spear-phishing emails have a 54% click-through rate compared to 12% for traditional phishing, but your first drill should establish a baseline, not simulate the most advanced attack possible. Save the harder scenarios for later rounds.
Step 3: Set the Ground Rules Internally
Before you send the test, decide how you're going to handle the results. This decision is more important than the drill itself.
Do not punish anyone who clicks. This is the single most important rule. If people fear consequences, they'll fear the drill, and they'll fear reporting real phishing emails when they encounter them. A punitive approach makes your firm less safe, not more. Research consistently shows that a no-blame culture around phishing simulations produces better long-term outcomes because it encourages quick reporting.
Decide whether to pre-announce the drill. For your first simulation, there's a case for telling your team in advance that a phishing drill will happen sometime this month, without telling them exactly when or what it will look like. This normalizes the exercise and reduces the feeling of being tricked. For subsequent drills, you can run unannounced simulations to get a more accurate picture of real-world readiness.
Identify who needs to know. Your IT provider should know the drill is happening so they don't waste time investigating the simulated phishing email as a real incident. If you use an email filtering service, make sure the simulation email won't be caught by your spam filter before it reaches inboxes.
Step 4: Run the Drill
Launch the simulation at a normal business hour, ideally mid-morning on a Tuesday, Wednesday, or Thursday. Avoid Mondays (people are catching up) and Fridays (people are distracted). Phishing attacks in real life tend to spike during mid-week work hours, so mid-week timing makes your simulation more realistic.
Let the simulation run for 24 to 48 hours. Some people will click immediately. Others will encounter the email later. Give enough time for everyone to see it.
Track three things: who clicked the link, who reported the email as suspicious, and who ignored it. All three data points matter. Clicks tell you who's vulnerable. Reports tell you who's vigilant. Ignoring the email is neutral but doesn't build the reporting muscle you want.
Step 5: Debrief the Team
This is where the real value of the exercise lives. Schedule a 30-minute team meeting within a week of the drill.
Start with the aggregate numbers, not individual names. "Our team had a 30% click rate, which is actually right at the industry average for firms that haven't done this before." This frames the result as normal, not shameful.
Show the phishing email and walk through the red flags. Point out the sender address, the urgency language, the suspicious link, and any other indicators. Teach your team what to look for. Immediate feedback following a simulation is the most effective training method because the experience is still fresh.
Recognize the people who reported it correctly. Public recognition for good behavior is one of the most overlooked best practices in phishing training. If three people on your team flagged the email as suspicious, call that out. You want reporting to become the norm, and positive reinforcement drives behavior change.
Teach one actionable skill. Don't try to cover everything. Pick one thing your team can do differently starting today. For a first drill, the best takeaway is: "Before you click any link in an email, hover over it and look at the URL. If it doesn't match the sender or the service, don't click." One skill, practiced consistently, makes a real difference.
Don't single anyone out. If someone clicks and feels embarrassed, they're less likely to report a real phishing email in the future. The debrief should feel like a team learning experience, not a disciplinary meeting.
Step 6: Document Everything
The drill itself is valuable, but the documentation is what satisfies your compliance requirements. Record the following:
- Date and time of the simulation.
- Tool used and scenario description.
- Number of team members tested.
- Click rate (number and percentage).
- Report rate (number and percentage).
- Summary of the debrief meeting, including attendees and key takeaways.
- Any changes made to your security procedures as a result.
Store this documentation with your WISP records. Over time, your phishing drill documentation will show a trend line: click rates decreasing and report rates increasing. That trend line is powerful evidence of an active, improving security program, exactly what the FTC and your cyber insurance carrier want to see.
Planning Your Next Drills
Your first drill establishes a baseline. The value compounds with repetition.
Plan to run simulations quarterly at minimum. Each quarter, increase the difficulty slightly: use a different scenario, try a different social engineering technique, or send the email at an unusual time. Track the results against your baseline and previous quarters.
After 12 months of quarterly drills, expect your team's phish-prone percentage to drop dramatically. The data consistently shows a 75 to 86% reduction over a year of regular simulations and training. That improvement protects your firm, satisfies your regulators, and strengthens your insurance posture.
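As an added illustration (not from the original article or from any of the tools it names), here is a small Python tracker that records the three Step 4 data points per person, produces the Step 6 record for each drill, and computes the trend line against your baseline drill. The roster, dates, scenarios and outcomes are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Result:
    user: str            # who was tested
    clicked: bool = False
    reported: bool = False

@dataclass
class Drill:
    run_on: date
    tool: str
    scenario: str
    results: list[Result] = field(default_factory=list)

    def summary(self) -> dict:
        """Step 6 record. A click outranks a report, but the report is kept for the debrief."""
        n = len(self.results)
        clicked = sum(r.clicked for r in self.results)
        reported = sum(r.reported and not r.clicked for r in self.results)
        def pct(k: int) -> float:
            return round(100.0 * k / n, 1) if n else 0.0

        return {
            "date": self.run_on.isoformat(), "tool": self.tool, "scenario": self.scenario,
            "tested": n, "clicked": clicked, "click_rate": pct(clicked),
            "reported": reported, "report_rate": pct(reported),
            "ignored": n - clicked - reported,
            "clicked_then_reported": sum(r.clicked and r.reported for r in self.results),
        }

def trend(drills: list[Drill]) -> list[dict]:
    """Rows in date order, each with the click-rate reduction against the baseline drill."""
    rows = [d.summary() for d in sorted(drills, key=lambda d: d.run_on)]
    base = rows[0]["click_rate"] if rows else 0.0
    for row in rows:
        row["reduction_vs_baseline"] = round(100.0 * (base - row["click_rate"]) / base, 1) if base else 0.0
    return rows

TEAM = [f"user{i}@example-cpa.test" for i in range(1, 11)]  # constructed 10-person roster

def sample_drills() -> list[Drill]:
    """Two constructed drills: the baseline and the next quarter's follow-up."""
    q1 = Drill(date(2025, 2, 11), "KnowBe4 free test", "Shared document (SharePoint)")
    q1.results = [Result(u, clicked=i < 3, reported=3 <= i < 5) for i, u in enumerate(TEAM)]
    q2 = Drill(date(2025, 5, 13), "KnowBe4 free test", "Password reset notification")
    q2.results = [Result(u, clicked=i < 1, reported=i < 6) for i, u in enumerate(TEAM)]
    return [q1, q2]
```

Someone who clicks and then reports is still counted as a click (they were vulnerable), but the separate `clicked_then_reported` count lets you recognise the report in the debrief.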
What You Can Do This Week
- Sign up for KnowBe4's free phishing test. It takes 10 minutes. Start here.
- Tell your IT provider the drill is coming. A quick email: "We're going to run a phishing simulation sometime this month. Wanted you to know so you don't investigate it as a real incident."
- Pick a scenario and a date. Choose one of the scenarios listed above. Put the launch date on your calendar.
- Plan the debrief. Block 30 minutes with your team for the week after the drill. Having the meeting already scheduled makes it real.
- Create a documentation template. Open a simple document with headers for the items listed in Step 6. Fill it in after each drill.
The Bottom Line
A phishing drill isn't a gotcha. It's a gift. It gives your team the chance to practice spotting threats in a safe environment, before the real thing arrives. And it gives you documented evidence that your firm isn't just talking about security. You're doing the work.
You don't need a big budget. You don't need enterprise software. You need a free tool, a plan, a debrief that treats your team with respect, and 15 minutes to document what happened. That's the whole recipe.
If you want to track your drill results over time, schedule recurring simulations, and generate compliance-ready reports automatically, Kompflow includes phishing drill tracking as part of its governance platform. But the free tools listed above are enough to get started, and starting is the most important step.
Run the drill. Teach the lesson. Document the results. Repeat.