Phishing in Your Own Pond: The Importance of Simulated Phish Tests

simulated phishing

Written by Jackie Bilodeau

I am the Communications Director for CGNET, having returned to CGNET in 2018 after a 10-year stint in the 1990's. I enjoy hiking, music, dance, photography, writing and travel. Read more about my work at CGNET here.

October 13, 2022

Phishing simulations are a key part of any comprehensive security awareness training program. By sending out fake phishing emails  to staff – based on actual phishing attempts your organization is receiving at that time – you train staff how to spot an attack in a safe environment. If you haven’t yet used simulated phishing as part of your cybersecurity awareness program, it’s time to get started!

The purpose of simulated phishing

I read a good analogy recently that compared the benefit of phishing simulations to that of a vaccine: As we know, administering a small, safe dose of a virus, helps a body build up an immunity to it. This immunity helps fight off a dangerous attack of that virus in the future. Likewise, to defend against phishing, you administer a “dose” of phishing simulation. Each dose teaches your employees what to look out for. With the knowledge they build, they learn to neutralize the threat of real phishing when presented with it.

Knowledge as immunity. I like it.

How does it work?

Simulated phishing makes no sense by itself. It is part of a larger program that first provides users with training on what exactly phishing is, how to find the warning signs of a malicious email, what to do with such a message and so on. The simulation is simply the test after the training to see what has been learned. Here’s how it works: The program sends a fake phishing email to staff inboxes, which include some of the warning signs they learned about during training. If the recipient still responds to the message despite the warning signs (by clicking a link, attempting to download an attachment, etc.) they are then taken to a safe landing page and informed of how they should have responded.  IT gets reports of these test results so they can keep track of how well the training is working or if more is needed.

Characteristics of a good simulation program

So you think you’re ready to dive into a phishing simulation program. Here are some things to look for during the selection process:

  1. Find a program whose simulated messages are tailored – or customizable –  to your organization’s industry. It makes no sense to send a message designed to phish someone in the financial sector to someone working in healthcare, for example. The message would likely just be seen by the recipient as spam and discarded on that basis alone.
  2. The simulated attacks should become more sophisticated as employees become better at spotting the signs. They should also be updated regularly to reflect the ever-evolving nature of real-world attacks.
  3. The program should include robust administrative tools. It should have tools that “keep score” for you and reveal who needs further training. It should contain tools that prepare more detailed analysis of test results. And it should have a “Report Phishing” button for users to report the simulated message to IT.

The benefits of phishing simulation and testing

Prevent data breaches

This is the most obvious benefit. By using simulated phishing emails, you teach your employees how to spot a phishing attack so that they won’t fall victim to a real one (which will inevitably come their way at some point).

Identify the most vulnerable

Phishing simulations allow you to identify those individuals or departments who aren’t as tech-savvy or security-aware. This way you can pinpoint who is in need of further training.

Reports are your ally

Of course, the information gathered during training and testing allow you to monitor the progress of the campaign. But reports also demonstrate to senior leaders in the organization how serious the threat of phishing is. This could potentially motivate an increase in your security budget.

Testing as motivation

Not only do the simulated phishing tests measure what your employees have learn, but it can also serve as a motivational tool. Knowing there will be some form of a test after training (albeit a sneaky one, provided unbeknownst to its recipient at some undetermined time) encourages staff to truly be engaged during the learning process.

Security culture

Ongoing awareness training and testing ensure that cybersecurity is always at the forefront of your employees’ minds. Helping employees not only to become aware of the topic but also to actively engage with it will help to foster a culture of security across your entire workforce.

5 ways to ensure a successful program

By doing these 5 things, your simulated phishing program should have the intended outcome:

Conduct baseline phishing tests

This will help you see where your organization stands before starting your program. (Staff do not need to know about the baseline testing, as it is being done purely for the purpose of designing the program.)

Be transparent

Once designed, tell your staff about the plan to use simulated phishing tests as a learning exercise. Then be sure to provide them with some initial security awareness training around phishing.

Stress importance

Explain to both current staff and employees being onboarded why the phishing program is important. Your program will have much more success if staff understand how critical it is to the security of the organization.

Encourage communication

Provide a way for staff to report phishing – or what they believe to be phishing – to IT.  A “report phishing” button within your email system (as I mentioned earlier) is one simple way.  Beyond that, make sure staff feel like they have an open line of communication with the IT team. It is important that employees feel encouraged to approach IT and not be made to feel that they are being a nuisance.

Accentuate the positive

Make sure staff understand that the program is meant as a positive training tool, and not an attempt to trick them or make them feel stupid if they make mistakes. The goal is to provide an education based on positive reinforcement and reward, NOT embarrassment and penalty.



Written by Jackie Bilodeau

I am the Communications Director for CGNET, having returned to CGNET in 2018 after a 10-year stint in the 1990's. I enjoy hiking, music, dance, photography, writing and travel. Read more about my work at CGNET here.

You May Also Like…

You May Also Like…


Submit a Comment

Your email address will not be published. Required fields are marked *

Translate »
Share This