Annual Campaign Calendar: Phishing, Smishing, Vishing and QRishing

by Kymatio

Build a year-round defense against social engineering. Plan monthly phishing, smishing, vishing, and QRishing simulations aligned with NIS2 and measurable KPIs.

We are in July 2025 and the deadline for the transposition of the NIS2 Directive is already history. With the responsibility of senior management formally on the table, digital human risk management is no longer an option but a strategic imperative. Isolated and reactive phishing campaigns are a tactic of the past, insufficient to combat an ecosystem of social engineering attacks that evolves daily.

The question is no longer whether you need an awareness program, but how to make it effective, measurable, and continuous. The solution lies in abandoning improvisation to adopt a planned defense architecture.

This is where a phishing calendar becomes your best ally. This document transforms your monthly campaigns into a dynamic and predictable training program against social engineering attacks. This calendar is a roadmap designed not only to help you understand the cycle of your monthly simulation campaigns, but also to anticipate and neutralize advanced threats such as AI-phishing and QRishing. Taking this proactive approach is the first step in building a resilient and demonstrable cybersecurity culture.

Beyond the Click: Benefits of an Annual Phishing Campaign Calendar

Adopting a schedule for your monthly phishing campaigns goes far beyond scheduling simulations. Planning these monthly campaigns is a strategic decision that brings measurable benefits and aligns cybersecurity with the direction of the company.

Overcome "training fatigue"

Employees disconnect when they always receive the same type of talks or general quizzes. A calendar lets you plan for variety: a classic phishing email this month, a parcel-themed smishing (SMS) simulation the next, and then a vishing (voice) attempt impersonating technical support. This planned diversity in your monthly campaigns is the antidote to apathy, keeping employees alert to social engineering attacks.

Measure maturity, not just failure

The success of a program does not lie in a low click-through rate, but in a high reporting rate. The goal is not to catch mistakes, but to cultivate and measure the maturity of your organization. An annual calendar allows you to observe trends, identify which departments are improving the fastest, and demonstrate tangible progress, aligned with the cyber hygiene practice guides and security training that support NIS2.

Align cybersecurity with business goals

Sound security planning integrates with operations and business objectives. Simulate CEO fraud threats just before holiday periods or fake invoice campaigns during the fiscal close of the quarter. By connecting these social engineering attack exercises to the actual context of the department, training becomes relevant, practical, and much more effective.

Structure of your monthly campaign calendar: Agenda and seasonality

An effective phishing calendar for your monthly campaigns isn't a random list of ideas, but a plan that leverages seasonality to make social engineering attack simulations credible and relevant. The more relevant a simulation is to the workforce, the greater its educational impact.

Below is a quarterly model for structuring your monthly campaigns. Remember that these are starting points; the key to success is to adapt them to your sector and culture with a well-segmented simulation master plan that defines clear objectives for each department.

Q1 (Jan-Mar): Taxes, Annual Reviews and Digital "Cleaning"

The beginning of the year is marked by administrative and financial processes, an ideal time to launch monthly campaigns that test your teams' caution against social engineering attacks.

  • Suggested phishing syllabus and templates:
    • Finance: Fake email from the Tax Agency about an upcoming inspection or tax refund.
    • HR: Notification to access the new performance appraisal platform or to review annual targets.
    • IT: Security alert urging an immediate password change due to an alleged breach.

Q2 (Apr-Jun): Compliance, Travel & New Tools

Spring often brings with it summer travel planning and the implementation of new projects, creating new opportunities for attackers.

  • Suggested phishing syllabus and templates:
    • Legal/Everyone: Statement on a critical update to the privacy policy (GDPR hook and other regulations) that requires validation.
    • General: False confirmation of a hotel or flight reservation for an upcoming business trip.
    • Specific departments: Invitation from the IT team to be among the first to try new corporate software.

Q3 (Jul-Sep): Summer Period and Off-Call

With much of the workforce on vacation, attackers exploit less oversight and increased urgency in communications. 

  • Suggested phishing syllabus and templates:
    • CEO Fraud: An urgent email from the director (supposedly from his mobile phone on vacation) asking for an immediate transfer.
    • Smishing: An SMS about a problem with the delivery of a package of personal purchases made in summer.
    • Vishing: A call from "tech support" offering proactive help to an employee who works intensive hours.

Q4 (Oct-Dec): Fiscal Close, Consumption and Reporting

The end of the year merges consumption spikes with the pressure of financial shutdowns, creating an ideal scenario for the social engineering attacks that your phishing calendar should anticipate.

  • Suggested phishing syllabus and templates:
    • QRishing: A sign in the rest area of the office with a QR code that promises an exclusive discount for Black Friday.
    • HR/Finance: Email with information about the year-end bonus, linking to a fake portal to "check the details".
    • Management: Request for shared access to a cloud folder with the "preliminary results of the year-end".

All of these tactics are examples of social engineering attacks. Including them in your monthly campaigns and mapping them to techniques such as Phishing (T1566) in the MITRE ATT&CK framework lets technical teams classify and report simulations against a recognized standard.

How to Integrate Smishing, Vishing, and QRishing into Your Monthly Campaigns

A modern phishing calendar should reflect the reality of the threat landscape: attackers no longer operate only in the inbox. Integrating monthly campaigns with different vectors is essential to train a robust response to all types of social engineering attacks.

Smishing (SMS): Urgency in the Pocket

SMS conveys a sense of immediacy and trust that attackers exploit very effectively. Its high open rate makes it the perfect channel to simulate urgent alerts about parcel deliveries, two-factor codes or bank notices, a threat recognized by authorities such as INCIBE. The security perimeter is now in every employee's pocket.

Vishing (Voice): The Power of Human Impersonation

A phone call can bypass any technical email filter. Vishing, a sophisticated type of social engineering attack often powered by AI voice cloning, tests an employee's ability to verify identity before sharing information. It is ideal for simulating calls from IT support, from HR to confirm data, or even from a key supplier asking for a change in the payment account. Vishing does not test visual acuity, but skepticism and adherence to protocols.

QRishing (QR): The New Silent Vector

QRishing (QR code fraud) connects the physical and digital worlds, leveraging the trust placed in the office environment or events. Simulate guest Wi-Fi network access, fraudulent cafeteria menus, or corporate event registration codes. Understanding the defenses against these advanced social engineering attacks is crucial to protecting yourself, and your calendar should include them.

The Next Step: From Planning to Execution and Measurement

A phishing calendar is your strategic blueprint, but success depends directly on execution. For your monthly campaigns to generate a real impact, you need a powerful simulation tool and, more importantly, a technology partner to accompany you in the process.

The key to your calendar is moving from simple activity to measuring actual behavior in the face of social engineering attacks. This means going beyond click-through rate and starting to define the right KPIs and measure the ROI of your program, such as reporting rate and detection time. The choice of phishing simulation vendor is critical, so it's vital to know how to validate vendors based on technical and service criteria.
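Added example (not from the original article or from Kymatio): a Python script that computes the KPIs discussed above and under "Measure maturity, not just failure", namely click rate, reporting rate and detection time (median minutes to report), per campaign and department, plus a department's reporting-rate trend across the calendar. The event layout, field names and sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple
from datetime import datetime
from statistics import median

# Hypothetical record layout: one row per simulated lure delivered to a user.
# "clicked" = the target followed the lure (link, QR scan, complying on a call).
Event = namedtuple("Event", "month vector department user sent clicked reported")

EVENTS = [  # constructed sample data, not real campaign results
    Event("2025-01", "phishing", "Finance", "u1", "2025-01-14T09:00", "2025-01-14T09:04", None),
    Event("2025-01", "phishing", "Finance", "u2", "2025-01-14T09:00", None, "2025-01-14T09:30"),
    Event("2025-01", "phishing", "Finance", "u3", "2025-01-14T09:00", "2025-01-14T09:10", "2025-01-14T09:20"),
    Event("2025-01", "phishing", "Finance", "u4", "2025-01-14T09:00", None, None),
    Event("2025-07", "smishing", "Finance", "u1", "2025-07-08T10:00", None, "2025-07-08T10:06"),
    Event("2025-07", "smishing", "Finance", "u2", "2025-07-08T10:00", None, "2025-07-08T10:10"),
    Event("2025-07", "smishing", "Finance", "u3", "2025-07-08T10:00", "2025-07-08T10:02", "2025-07-08T10:20"),
    Event("2025-07", "smishing", "Finance", "u4", "2025-07-08T10:00", None, None),
    Event("2025-07", "smishing", "IT", "u5", "2025-07-08T10:00", None, "2025-07-08T10:03"),
    Event("2025-07", "smishing", "IT", "u6", "2025-07-08T10:00", None, "2025-07-08T10:05"),
]

def _minutes(start, end):
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60

def kpis(events, group_by=lambda e: (e.month, e.vector, e.department)):
    """Return {group key: KPI dict}; a user who clicks and then reports counts in both rates."""
    groups = defaultdict(list)
    for e in events:
        groups[group_by(e)].append(e)
    result = {}
    for key, rows in groups.items():
        delays = [_minutes(e.sent, e.reported) for e in rows if e.reported]
        result[key] = {
            "targets": len(rows),
            "click_rate": sum(1 for e in rows if e.clicked) / len(rows),
            "report_rate": len(delays) / len(rows),
            # Detection time: None when nobody reported, rather than a misleading 0.
            "median_minutes_to_report": median(delays) if delays else None,
        }
    return result

def report_rate_trend(events, department):
    """Reporting rate per month for one department, in calendar order."""
    by_month = kpis([e for e in events if e.department == department], lambda e: e.month)
    return [(month, by_month[month]["report_rate"]) for month in sorted(by_month)]

if __name__ == "__main__":
    for key, row in sorted(kpis(EVENTS).items()):
        print(key, row)
    print("Finance trend:", report_rate_trend(EVENTS, "Finance"))
```

In the sample data, Finance's reporting rate rises from 0.5 to 0.75 between the January and July campaigns while its click rate falls, which is the kind of trend the calendar is meant to surface.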
