Here are two sample emails you can send to users after they fail a phishing test. We recommend that you modify them to fit your organization's culture and requirements.
OPTION 1: Friendly
This message is to inform you that you have clicked on a phishing test!
We need to defend our organization against cybercrime, and security is everyone’s job.
Remember these three rules to stay safe online:
Rule Number One: Stop, look, and think before you click!
Rule Number Two: Do you spot a red flag or something phishy about the email? Verify the suspicious email with the sender by phone.
Rule Number Three: "When in doubt, throw it out." Delete emails that look suspicious, or notify our IT team.
There are a thousand ways that internet criminals will try to scam you, and only one way to stay safe: stay alert, as you are the last line of defense between a hacker and an intrusion into our organization’s network!
OPTION 2: Serious
You have failed a simulated phishing test.
If this were a real attack, you'd be leaving our organization vulnerable to a hacking or ransomware attempt. Cybercrime is a very serious problem and it's only getting worse, so we need you to understand how to prevent this sort of thing from happening again.
Please reach out to your supervisor or our IT team with any questions or for more information about how you can avoid falling for a phishing attack in the future.