How to design an effective phishing simulation?

This article was contributed by Sridhar Govardhan, CISA, CISM, CEH, General Manager-Cyber Security at Wipro

Phishing is a type of social engineering attack. Using a phishing email, the attacker cleverly manipulates the natural human tendency to trust others and tricks the victim into acting as instructed in the email. To be convincing, the fraudster will use a combination of the following elements in the email: use of authority, secrecy and pressure tactics.

Today’s email security solutions are designed to detect and prevent predominantly known threats using signatures and/or heuristics. Signature-based detection fails to detect or protect against zero-day threats and is ineffective in handling polymorphic threats.

Security technology also lacks the context of human behaviour. Today’s security technology does not factor in human action and completely ignores social engineering attacks. The various forms of social engineering attack (phishing, whale attack, CEO fraud) are the most heavily exploited threats today, and they succeed by exploiting human trust. To cover these threat scenarios, email security technology has to mature further.

With this background, the best security control an enterprise can design and implement is to make its users the first line of defence. A user trained and educated in information security is the best preventive and detective control against the phishing email threat.

Regular awareness and training sessions can provide the basic concepts of phishing email and some additional knowledge of phishing. This knowledge alone will not suffice for a user to detect all variants of phishing, since targeted (spear) phishing emails can be made to look real in both the content and the context of the email.

To give users a real-time view of how phishing emails trick and manipulate them, a controlled phishing simulation exercise along with immediate feedback and training is the best tactic.


To achieve better results and effective user training, the key components to consider when selecting a phishing simulation exercise are:

  • Phishing Simulation Tool

  • Phishing email theme

  • Frequency of the simulation

  • Reporting and Awareness

1. Phishing simulation solution

One of the critical elements in building a phishing simulation is the solution that will be used to conduct it. The tool should have the following features:

  • Built-in repository of varied templates covering different phishing categories, with continually updated phishing email templates (commercial solutions)

  • Highly customizable with respect to phishing email templates

  • Extensive reporting options on completion data, average score, most missed items, user activity

  • Trend graphing feature to understand the user behaviour over time

  • Easy integration with the messaging solution

  • Granular reporting on user activity and overall participation by division / project / department

  • Integration with the existing Learning Management Solution (LMS)


2. Phishing email theme

In every phishing simulation activity, the theme of the phishing email plays an important part in meeting the end objective of educating users on real threats. To provide a real-world experience and awareness, the simulation theme selected should align with an event or context relevant to the target individual or group. The following points should be considered for an effective simulation activity:

  • The theme chosen for the phishing simulation should be aligned with the business context and the perceived risk to the user’s role / function / department

  • The theme selected should be relevant to the individual or group selected

  • To achieve better results and a better learning experience, the complexity of the theme should be elevated gradually to the next level

  • Starting with a highly complex phishing theme will make many users fail and will not achieve the end objective

  • Each deceiving element of the phishing email needs to be combined with other tricks typically used by attackers (example: a look-alike domain with a camouflaged hyperlink, a spoofed domain with a double-extension file)

3. Frequency of the simulation

Every phishing email sent by attackers is well planned and appropriately timed to an event targeting the victim (example: tax returns, holiday shopping, M&A, etc.). The following points should be considered for an effective simulation activity:

  • High-risk functions / departments / individuals handling important roles in the organization should be covered more frequently as part of the simulation. A matrix of risk against functions / departments / individuals, with the columns shown in the sample below:

Function / Department / Individual | Risk Score | Frequency (Days)

  • The frequency of simulation should be changed based on the perceived threat

  • If the function or department to be covered is being targeted with phishing emails, change the risk score and increase the frequency

  • Each simulation activity should be time-bound; contextual themes lose their value if not conducted within the defined timeline

  • The coverage of users and the frequency of simulation should be decided based on the perceived risk (e.g. Finance & Payments – 2 themes / month, senior leadership – 1 theme / month)

  • “Too much of anything is bad” doesn’t apply to phishing simulation: the more, the better

  • When planning the campaign, the “day of the week” and “time of the day” at which phishing emails are sent to each function / department or individual is an important element


4. Analysis and Reporting

After every phishing simulation campaign, a detailed analysis of the results should be a mandatory part of the process. Analysis can provide valuable insights into the failure and success points. The analysis should factor in the following points:

  • Complexity of the selected phishing theme

  • Theme of the phishing email

  • Targeted group

  • Number of times previously covered

  • The final report on the overall performance of the simulated phishing exercise should be shared with the head of function / department

  • The report should cover statistics of failure and success points; a few sample points below:

    • % of targeted users who were successfully phished

    • % of targeted users who clicked the URL and submitted the details requested

    • % of users with access to critical data / information who failed

    • % of users who opened the mail but did not click the phishing URL

    • % of targeted users who opened the attachment

  • Good points should also be reported (if the process allows, reward a few to encourage others)

  • At an advanced phase, analyse and provide a timeline graph of failures and user reporting

  • If possible, avoid revealing the names of users who failed the simulation in the management report

  • If users are repeatedly failing, have a discussion with a few of them to understand the reasons and constraints they have, and accordingly arrange awareness / training sessions for them
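The percentages listed above, computed from per-user campaign outcomes and aggregated per department so that no individual is named in the report. This is an added example, not part of the original article or any particular simulation tool; the event names, the department labels and the sample records are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Any of these outcomes counts as the user having been "phished"
FAIL_EVENTS = {"clicked", "submitted", "attachment"}

@dataclass
class UserResult:
    user: str
    department: str
    critical_access: bool   # user has access to critical data / information
    events: set = field(default_factory=set)  # subset of FAIL_EVENTS | {"opened", "reported"}

# Constructed sample results for one campaign (not real data)
SAMPLE = [
    UserResult("u01", "Finance", True, {"opened", "clicked", "submitted"}),
    UserResult("u02", "Finance", True, {"opened"}),
    UserResult("u03", "Finance", False, {"opened", "clicked"}),
    UserResult("u04", "Sales", False, set()),
    UserResult("u05", "Sales", False, {"opened", "attachment"}),
    UserResult("u06", "Sales", False, {"opened", "reported"}),
    UserResult("u07", "IT", True, {"opened", "clicked", "reported"}),
    UserResult("u08", "IT", False, {"reported"}),
]

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0  # 0.0 for an empty population

def campaign_metrics(results):
    """The percentage statistics the article says the report should cover."""
    n = len(results)
    phished = [r for r in results if r.events & FAIL_EVENTS]
    critical = [r for r in results if r.critical_access]
    return {
        "phished": pct(len(phished), n),
        "clicked_and_submitted": pct(sum("submitted" in r.events for r in results), n),
        "critical_access_failed": pct(sum(r.critical_access for r in phished), len(critical)),
        "opened_not_clicked": pct(sum("opened" in r.events and "clicked" not in r.events
                                      for r in results), n),
        "opened_attachment": pct(sum("attachment" in r.events for r in results), n),
        "reported": pct(sum("reported" in r.events for r in results), n),
    }

def failures_by_department(results):
    """(failed, targeted) per department: aggregated, so no individual is named."""
    table = defaultdict(lambda: [0, 0])
    for r in results:
        table[r.department][1] += 1
        table[r.department][0] += bool(r.events & FAIL_EVENTS)
    return {dept: tuple(v) for dept, v in table.items()}
```

The "reported" figure is the positive counterpart to the failure points: users who flagged the simulated mail are the ones the article suggests rewarding.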

A few considerations to be taken care of:

  • Communicate about the phishing simulation to the head of function / department before initiating the campaign

  • If you are using an in-house solution, never use your enterprise’s external IP address range, and change the sending IP address frequently

  • Don’t use irreverent and loose themes; the sanity of the whole exercise will be lost

  • If the campaign targets a large group of users belonging to the same function / department, avoid using online feedback and declaration. Use delayed feedback instead; this will ensure users don’t inform others in the group.
