Skip to main content
Version: Next 🚧

Phishing Simulation

Test your organization's resilience to phishing attacks with realistic simulation campaigns that measure awareness and improve security behavior.

Phishing Simulation Features​

Email Templates​

Pre-built phishing scenarios:

  • Generic phishing
  • Brand impersonation
  • Urgent action requests
  • Prize/reward scams
  • Invoice/payment requests

Custom Templates​

Create your own:

  • Custom email content
  • Branded templates
  • Targeted scenarios
  • Multi-language support

Landing Pages​

Simulated phishing destinations:

  • Credential harvesting pages
  • Download pages
  • Survey forms
  • Branded login pages

Tracking Capabilities​

Measure user behavior:

  • Email opened
  • Link clicked
  • Credentials entered
  • Attachments opened
  • Report to security

Running Phishing Campaigns​

Creating a Campaign​

  1. Navigate to Attack Simulation β†’ Phishing
  2. Click New Campaign
  3. Configure campaign:
    • Name and description
    • Template selection
    • Target audience
    • Schedule
  4. Review and launch

Selecting Targets​

Target Options​

  • All users
  • Specific departments
  • Random sampling
  • Custom groups
  • Exclude VIPs

Target Considerations​

  • Representative sample
  • Various departments
  • Different risk levels
  • Repeat testing

Campaign Configuration​

Timing​

  • Send all at once
  • Staggered delivery
  • Time zone consideration
  • Business hours only

Duration​

  • Campaign length
  • Tracking period
  • Follow-up timing

Campaign Types​

Awareness Testing​

Measure baseline awareness:

  • General phishing attempt
  • Measure click rates
  • Track credential submission
  • Identify training needs

Spear Phishing​

Targeted attacks:

  • Personalized content
  • Role-specific scenarios
  • Executive targeting
  • Custom pretexts

Credential Harvesting​

Test credential protection:

  • Fake login pages
  • SSO impersonation
  • Password capture
  • MFA bypass attempts

Payload Delivery​

Test endpoint protection:

  • Simulated attachments
  • Macro-enabled documents
  • Executable links
  • Download tracking

Results and Metrics​

Campaign Dashboard​

  • Emails sent
  • Emails opened
  • Links clicked
  • Credentials captured
  • Reports to security

User-Level Results​

For each participant:

  • Actions taken
  • Time to action
  • Previous history
  • Risk score

Department Analysis​

Compare across groups:

  • Click rates by department
  • Credential submission rates
  • Reporting rates
  • Improvement trends

Trend Analysis​

Track over time:

  • Campaign comparison
  • Improvement metrics
  • Seasonal patterns
  • Training effectiveness

Training Integration​

Just-in-Time Training​

When users click:

  • Immediate education
  • What they missed
  • Correct behavior
  • Report mechanism

Follow-up Training​

Based on results:

  • Targeted training assignments
  • Risk-based curriculum
  • Progress tracking
  • Certification

Positive Reinforcement​

Recognize good behavior:

  • Acknowledge reporting
  • Security champions
  • Team recognition
  • Gamification

Reporting​

Executive Reports​

  • Campaign summary
  • Risk assessment
  • Comparison to industry
  • Recommendations

Technical Reports​

  • Detailed metrics
  • User-level data
  • Trend analysis
  • Training recommendations

Compliance Reports​

  • Testing evidence
  • Awareness metrics
  • Training completion
  • Audit support

Best Practices​

  1. Regular campaigns - Test frequently
  2. Vary scenarios - Different phishing types
  3. Educate, don't punish - Focus on learning
  4. Measure improvement - Track progress
  5. Recognize reporters - Encourage reporting
  6. Use real examples - Relevant scenarios

Related: