Phishing Simulation
Test your organization's resilience to phishing attacks with realistic simulation campaigns that measure awareness and improve security behavior.
Phishing Simulation Features
Email Templates
Pre-built phishing scenarios:
- Generic phishing
- Brand impersonation
- Urgent action requests
- Prize/reward scams
- Invoice/payment requests
Custom Templates
Create your own:
- Custom email content
- Branded templates
- Targeted scenarios
- Multi-language support
Landing Pages
Simulated phishing destinations:
- Credential harvesting pages
- Download pages
- Survey forms
- Branded login pages
Tracking Capabilities
Measure user behavior:
- Email opened
- Link clicked
- Credentials entered
- Attachments opened
- Report to security
Running Phishing Campaigns
Creating a Campaign
- Navigate to Attack Simulation → Phishing
- Click New Campaign
- Configure campaign:
- Name and description
- Template selection
- Target audience
- Schedule
- Review and launch
Selecting Targets
Target Options
- All users
- Specific departments
- Random sampling
- Custom groups
- Exclude VIPs
Target Considerations
- Representative sample
- Various departments
- Different risk levels
- Repeat testing
Campaign Configuration
Timing
- Send all at once
- Staggered delivery
- Time zone consideration
- Business hours only
Duration
- Campaign length
- Tracking period
- Follow-up timing
Campaign Types
Awareness Testing
Measure baseline awareness:
- General phishing attempt
- Measure click rates
- Track credential submission
- Identify training needs
Spear Phishing
Targeted attacks:
- Personalized content
- Role-specific scenarios
- Executive targeting
- Custom pretexts
Credential Harvesting
Test credential protection:
- Fake login pages
- SSO impersonation
- Password capture
- MFA bypass attempts
Payload Delivery
Test endpoint protection:
- Simulated attachments
- Macro-enabled documents
- Executable links
- Download tracking
Results and Metrics
Campaign Dashboard
- Emails sent
- Emails opened
- Links clicked
- Credentials captured
- Reports to security
User-Level Results
For each participant:
- Actions taken
- Time to action
- Previous history
- Risk score
Department Analysis
Compare across groups:
- Click rates by department
- Credential submission rates
- Reporting rates
- Improvement trends
Trend Analysis
Track over time:
- Campaign comparison
- Improvement metrics
- Seasonal patterns
- Training effectiveness
Training Integration
Just-in-Time Training
When users click:
- Immediate education
- What they missed
- Correct behavior
- Report mechanism
Follow-up Training
Based on results:
- Targeted training assignments
- Risk-based curriculum
- Progress tracking
- Certification
Positive Reinforcement
Recognize good behavior:
- Acknowledge reporting
- Security champions
- Team recognition
- Gamification
Reporting
Executive Reports
- Campaign summary
- Risk assessment
- Comparison to industry
- Recommendations
Technical Reports
- Detailed metrics
- User-level data
- Trend analysis
- Training recommendations
Compliance Reports
- Testing evidence
- Awareness metrics
- Training completion
- Audit support
Best Practices
- Regular campaigns - Test frequently
- Vary scenarios - Different phishing types
- Educate, don't punish - Focus on learning
- Measure improvement - Track progress
- Recognize reporters - Encourage reporting
- Use real examples - Relevant scenarios
Related: