Simulated Phishing: A Critical Part of Cybersecurity Training

Simulated phishing

Written by Jackie Bilodeau

I am the Communications Director for CGNET, having returned to CGNET in 2018 after a 10-year stint in the 1990's. I enjoy hiking, music, dance, photography, writing and travel. Read more about my work at CGNET here.

March 28, 2024

Simulated phishing tests are critical to a well-rounded cybersecurity awareness program. By sending fake phishing emails to employees, you can condition your staff to identify and respond appropriately to attacks, all within a safe environment.

The goal of simulated phishing

Simulated phishing should be part of a larger program that educates users on:

  • what exactly phishing is
  • what the warning signs are to look out for, and
  • how to respond (or how NOT to respond)

The simulation serves both as an educational  tool, and as a test to gauge what has been learned.

Here’s how it works: The program sends a fake phishing email to employee inboxes, which includes some of the warning signs they learned about during previous training. If the recipient responds to the message despite the warning signs (by clicking a link, attempting to download an attachment, etc.), they are redirected to a safe landing page and informed of how they should have responded. IT receives reports of these test results so they can track the effectiveness of the training and determine if additional training is needed.

Features of an effective simulation

If you’re ready to implement a phishing simulation program, here are some things to consider during the selection process:

  • Choose a program that offers simulated messages that are tailored or customizable to your organization’s industry. For example, it wouldn’t make sense to send a message designed to phish someone in the educational sector to someone working in healthcare. The message would likely be perceived as spam and discarded, without any further analysis.
  • The simulated attacks should become more sophisticated as employees become better at identifying the signs. They should also be updated regularly to reflect the constantly evolving nature of real-world attacks.
  • The program should include robust administrative tools. It should have tools that track and analyze test results, prepare detailed reports, and include a “Report Phishing” button for users to report the simulated message to IT.

The benefits of phishing simulation and testing

Preventing data breaches

This is the most obvious benefit. By using simulated phishing emails, you teach your employees how to identify a phishing attack. That way, they (hopefully!) won’t fall victim to a real one.

Spotting the weakest links

Phishing simulations allow you to identify individuals or departments who may not be as tech-savvy or security-aware. This allows you to target further training to those who need it most.

Gathering useful data

The information gathered during training and testing allows you to monitor the progress of the campaign. Reports also demonstrate to senior leaders in the organization the seriousness of the phishing threat, potentially motivating an increase in your security budget.

Providing motivation

Not only do simulated phishing tests measure what your employees have learned, but they can also serve as a motivational tool. Knowing that there will be a test after training (albeit a sneaky one, delivered without warning at an undetermined time) encourages staff to be engaged during the learning process.

Fostering a security culture

Ongoing awareness training and testing ensure that cybersecurity is always top of mind for your employees. Helping employees become aware of and actively engaged with the topic will help foster a culture of security across your entire workforce.

5 ways to ensure a successful program

By following these 5 steps, your simulated phishing program should achieve the desired outcome:

Conduct baseline phishing tests

This will help you determine where your organization stands before starting your program. (Staff do not need to be informed of the baseline testing, as it is being done purely for the purpose of designing the program.)

Be transparent

Once the program is designed, inform your staff about the plan to use simulated phishing tests as a learning exercise. Then, provide them with initial security awareness training on phishing.

Emphasize the importance

Explain to both current staff and new hires why the phishing program is important. Your program will be more successful if staff understand its critical role in the security of the organization.

Encourage communication

Provide a way for staff to report phishing (or suspected phishing) to IT. A “report phishing” button within your email system is one simple solution. Additionally, ensure that staff feel they have an open line of communication with the IT team. It is important that employees feel encouraged to approach IT and not made to feel that they are being a nuisance.

Focus on the positive

Ensure that staff understand that the program is intended as a positive training tool, not an attempt to trick them or make them feel foolish if they make mistakes. The goal is to provide education based on positive reinforcement and reward, not embarrassment and punishment.


Written by Jackie Bilodeau

I am the Communications Director for CGNET, having returned to CGNET in 2018 after a 10-year stint in the 1990's. I enjoy hiking, music, dance, photography, writing and travel. Read more about my work at CGNET here.

You May Also Like…

You May Also Like…


Submit a Comment

Your email address will not be published. Required fields are marked *

Translate »
Share This