Your Employees Didn’t Fail! Your Phishing Simulation Did.

Imagine this.

An employee receives an email: “Your appraisal letter is ready. Click here to view.” Or perhaps, “You’ve been selected for the upcoming company trip. Confirm your details.”

They click.

The simulation reports success, and the organization concludes that employees are highly vulnerable.

But here’s the uncomfortable question. Was this really a fair test of awareness, or was it a test engineered to fail?

Internal teams running phishing simulations often have something incredibly powerful at their disposal: context, timing, and insider knowledge. They know exactly when appraisals are happening, when bonuses are being discussed, when internal announcements are expected, and what employees are emotionally invested in. This allows them to craft emails that feel highly believable, perfectly timed, and emotionally triggering. Naturally, this leads to higher click rates. But a higher click rate does not necessarily mean lower awareness; it may only mean the lure was built from information no outside attacker would have had.

Phishing simulations are meant to answer a simple question: would employees fall for a real-world attack? However, when simulations rely heavily on insider knowledge, the question quietly shifts to something else entirely. It becomes about whether employees can be tricked using information they already trust internally. That is a fundamentally different test.

In the real world, most attackers do not have this level of internal visibility. They rely on guesswork, inference, and research from public sources such as the company website, job postings, and social media. Their timing is rarely this precise, and their understanding of internal context is often incomplete. (A targeted adversary who has already compromised an employee mailbox is the exception, but that scenario is a test of a different control, not of general awareness.) When internal teams simulate attacks using privileged information, they may unintentionally overestimate risk, inflate failure metrics, and misrepresent the true level of employee awareness.

A spike in click rates can look alarming and actionable at first glance. However, when those clicks are driven by perfectly timed internal events, familiar communication patterns, and trusted workflows, the data becomes skewed. It stops measuring vigilance, suspicion, and behavioral awareness. Instead, it starts measuring trust in internal communication. And trust is not a weakness. It is essential for any organization to function effectively.

Employees are conditioned, both formally and informally, to trust internal communication. When they see familiar formats, known processes, and relevant announcements, their guard naturally lowers. This does not mean they lack awareness. It means they are behaving exactly as expected in a trusted environment. If this trust is exploited too aggressively, it can create confusion, lead to frustration, and even reduce confidence in legitimate communication.

This is where an external perspective becomes valuable. An external partner operates with constraints. They do not have access to internal event calendars, real-time organizational insights, or emotionally charged internal triggers, provided the engagement is scoped that way and the organization does not hand over that context. As a result, their simulations are more aligned with real-world attacks, less biased, and more reliable as a benchmark of actual awareness. They simulate what attackers can realistically do, not what insiders already know.

Using internal knowledge is not inherently wrong. The issue lies in how it is used. It can either support learning or unintentionally create a performance trap. A simple way to think about it is this: if a simulation succeeds because of privileged knowledge rather than realistic deception, it is testing insider advantage, not awareness. A practical check before sending any template is to ask whether the pretext could have been written from public information alone. If the answer is no, the click rate it produces should not be reported as a measure of awareness.

Ultimately, phishing simulations are not about catching employees off guard, maximizing failure rates, or proving vulnerability. They are about building awareness, encouraging cautious behavior, and preparing people for real-world threats. For that to happen, the assessment needs to be fair. Only a fair test can produce trustworthy data, meaningful insights, and outcomes that truly help the organization improve.

At Game of Storytelling, we built PhishMeNot to help organizations assess employee awareness through realistic, unbiased phishing simulations that reflect how real attackers operate. The goal is not to make employees fail. The goal is to understand how they behave when it matters most. And often, the most accurate test is not the most clever one. It is the most realistic one.

CONTACT US

Empower your organization with the knowledge and skills needed to navigate today’s cybersecurity landscape. Contact Game of Storytelling to learn more about our Training, Content & LMS solution and how we can help you foster a culture of Cybersecurity Awareness. You can email us at info@gameofstorytelling.com.
