What’s simulated phishing training?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine an email lands in your employee's inbox. It looks like it's from IT, asking them to reset their password immediately. They click the link. Nothing bad happens, but a second later, a page appears telling them they just fell for a simulated phishing test.

That's the core idea. Simulated phishing training is a security awareness program where your organization sends fake phishing emails to employees to see how they respond. The emails are completely safe. No real malware, no stolen data. But they're designed to look convincing enough to test whether people recognize the red flags.

When an employee clicks, they don't get punished. They get educated right then and there, in the moment when the lesson is most likely to stick. A quick explainer shows up: here's what you missed, here's how to spot it next time. That immediate feedback loop is what makes simulated phishing more effective than a one-time training video watched once and forgotten.

Most programs track a few key things over time. How many employees clicked on each simulation. Which departments or roles click more often. Whether click rates drop after repeated training (they usually do). This gives you a real picture of where your organization is vulnerable and whether training is actually working.

A few things worth knowing if you're setting one up. Varying the difficulty matters. Starting everyone on obvious fake emails and never increasing the challenge doesn't build real resilience. You also want leadership to participate, not just front-line staff. And the tone of the program should be "we're all learning" rather than "let's catch people out." Punitive phishing programs tend to create resentment rather than awareness, which is the opposite of what you want.

Done well, simulated phishing isn't about tricks. It's about building the kind of instinct that makes your team pause for two seconds before clicking anything suspicious. That pause is genuinely valuable.

If you want to go deeper on the vendors that run these programs, or how often you should be running simulations, both are covered in the almanac. You can also talk to a human if you're trying to figure out the right approach for your team's size and risk level.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Walk me through setting up simulated phishing training

I'm setting up simulated phishing training at my organization. Based on our setup, walk me through what an employee actually experiences when they click a fake phishing email, what I should be measuring, and how to structure the program so it builds awareness rather than just catching people out. Give me a ranked list of the most important decisions to get right.

Edit the yellow boxes, then send to the AI of your choice.