What is a phishing simulation?

A phishing simulation is a cybersecurity exercise that tests an organization’s ability to recognize and respond to a phishing attack.

A phishing attack is a fraudulent email, text or voice message designed to trick people into downloading malware (such as ransomware), revealing sensitive information (such as usernames, passwords or credit card details) or sending money to the wrong people.

During a phishing simulation, employees receive simulated phishing emails (or texts or phone calls) that mimic real-world phishing attempts. The messages employ the same social engineering tactics (e.g., impersonating someone the recipient knows or trusts, creating a sense of urgency) to gain the trust of the recipient and manipulate them into taking ill-advised action. The only difference is that recipients who take the bait (e.g., clicking a malicious link, downloading a malicious attachment, entering information into a fraudulent landing page or processing a fake invoice) simply fail the test, without adverse impact to the organization.

In some cases, employees who click on the mock malicious link are brought to a landing page indicating that they fell prey to a simulated phishing attack, with information on how to better spot phishing scams and other cyberattacks in the future. After the simulation, organizations also receive metrics on employee click rates and often follow up with additional phishing awareness training.

Recent statistics show phishing threats continue to rise. Since 2019, the number of phishing attacks has grown by 150% percent per year—with the Anti-Phishing Working Group (APWG) reporting an all-time high for phishing in 2022, logging more than 4.7 million phishing sites. According to Proofpoint, 84% of organizations in 2022 experienced at least one successful phishing attack.

Because even the best email gateways and security tools can’t protect organizations from every phishing campaign, organizations increasingly turn to phishing simulations. Well-crafted phishing simulations help mitigate the impact of phishing attacks in two important ways. Simulations provide information security teams need to educate employees to better recognize and avoid real-life phishing attacks. They also help security teams pinpoint vulnerabilites, improve overall incident response and reduce the risk of data breaches and financial losses from successful phishing attempts.

Phishing tests are usually part of broader security awareness training led by IT departments or security teams.

The process generally involves five steps:

1. Planning: Organizations begin by defining their objectives and setting the scope, deciding which type of phishing emails to use and the frequency of simulations. They also determine the target audience, including segmenting specific groups or departments and, often, executives. 
2. Drafting: After forming a plan, security teams create realistic mock phishing emails that closely resemble real phishing threats, often modeled on phishing templates and phishing kits available on the dark web. They pay close attention to details like subject lines, sender addresses and content to make realistic phishing simulations. They also include social engineering tactics—even impersonating (or ‘spoofing’) an executive or fellow employee as the sender—to increase the likelihood that employees click the emails.
3. Sending: Once they finalize the content, IT teams or outside vendors send the simulated phishing emails to the target audience through secure means, with privacy in mind.
4. Monitoring: After sending the mock malicious emails, leaders closely track and record how employees interact with the simulated emails, monitoring if they click on links, download attachments or provide sensitive information.
5. Analyzing: Following the phishing test, IT leaders analyze the data from the simulation to determine trends like click rates and security vulnerabilities. Afterward, they follow up with employees who failed the simulation with immediate feedback, explaining how they could’ve properly identified the phishing attempt and how to avoid real attacks in the future.

Once they complete these steps, many organizations compile a comprehensive report summarizing the outcomes of the phishing simulation to share with relevant stakeholders. Some also use the insights to improve upon their security awareness training before repeating the process regularly to enhance cybersecurity awareness and stay ahead of evolving cyber threats.

When running a phishing simulation campaign, organizations should take the following into account.

• Frequency and variety of testing: Many experts suggest conducting phishing simulations regularly throughout the year using different types of phishing techniques. This increased frequency and variety can help reinforce cybersecurity awareness while ensuring all employees remain vigilant against evolving phishing threats.
• Content and methods: When it comes to content, organizations should develop simulated phishing emails that resemble realistic phishing attempts. One way to do this is by using phishing templates modeled after popular types of phishing attacks to target employees. For instance, a template might focus on business email compromise (BEC)—also called CEO fraud—a type of spear phishing in which cybercriminals emulate emails from one of the organization’s C-level executives to trick employees into releasing sensitive information or wiring large sums of money to a purported vendor. Like cybercriminals who launch real-life BEC scams, security teams designing the simulation must carefully research the sender and the recipients to make the email credible.
• Timing: The ideal timing for organizations to perform a phishing simulation remains a continued source of debate. Some prefer deploying a phishing test before employees complete any phishing awareness training to establish a benchmark and measure the efficiency of future phishing simulation solutions. Others prefer to wait until after phishing awareness training to test the module’s effectiveness and see if the employees properly report phishing incidents. The timing when an organization decides to run a phishing simulation depends on its needs and priorities.
• Educational follow-up: No matter when organizations decide to perform a phishing test, it’s typically part of a larger and more comprehensive security awareness training program. Follow-up training helps employees who failed the test feel supported vs. just tricked, and it provides knowledge and incentives for identifying suspicious emails or real attacks in the future.
• Progress and trend tracking: Following simulations, organizations should measure and analyze the results of each phishing simulation test. This can identify areas for improvement, including specific employees who may need additional training. Security teams should also keep apprised of the latest phishing trends and tactics so that the next time they run a phishing simulation, they can test employees with the most relevant real-life threats.

Phishing simulations and security awareness trainings are important preventative measures, but security teams also need state-of-the-art threat detection and response capabilities to mitigate the impact of successful phishing campaigns.