Simulated Phishing

Simulated phishing or a phishing test is where deceptive emails, similar to malicious emails, are sent by an organization to its own staff to gauge their response to phishing and similar email attacks. The emails themselves are often a form of training, but such testing is normally done in conjunction with prior training, and is often followed up with further training elements. This is especially the case for those who "fail" by opening email attachments, clicking on included weblinks, or entering credentials. Typically, phishing simulations are conducted on a recurring basis to measure long-term improvement in user behavior and to maintain heightened awareness among staff. Regular simulations also serve to identify employees who may need extra support in understanding cybersecurity threats.


Rationale

There is wide acceptance within the IT security field that technical measures alone cannot stop all malicious email attacks, and that good training of staff is necessary. Simulated phishing allows the direct measurement of staff compliance and, when run regularly, can measure progress in user behaviour. Phishing simulations are sometimes compared to fire drills in giving staff regular practice in correct behaviour. In some regions, legal frameworks exist to support the implementation of phishing simulations as part of a broader cybersecurity compliance strategy; these regulations often emphasise the need for regular employee training and awareness programmes as a preventative measure against cybercrime. Phishing simulation programmes are recommended by various official bodies, including ENISA and NIST, which often provide guidelines for designing such policies, as part of a comprehensive approach to improving organisational cybersecurity.


Ethics

Such campaigns need to be authorised at an appropriate level and carried out professionally. If the technique is used carelessly, it may breach laws, attract lawsuits, and antagonise or traumatise staff. However, if employees are advised of a change to policy such that "the company reserves the right to send deceptive 'simulated phishing' email to staff from time to time to gauge staff security awareness and compliance", and training and guidance has been given in advance, then such problems should not occur. Some organisations may choose to require users to give their consent by opting in, and others may allow staff the option to opt out. The standard advice is that "failing" staff not be shamed in any way, but it is appropriate and reasonable to provide supportive follow-up training. Some techniques which might be effective and in use by malicious actors are normally avoided in simulated phishing for ethical or legal reasons. These include emails with content likely to cause distress to the recipient (for example, fake notices about pay, redundancy or bereavement) and the use of third-party trademarks, although it is sometimes argued that the latter is covered by fair use.


Methods

Such testing can be done in a number of ways:

* Many vendors offer web-hosted platforms to do this, and some provide limited free "test" campaigns.
* A wide range of freely-available open-source tools allow more technical organisations to host and run their own testing.
* Some email services now offer such testing as a built-in option.

Because organisations generally have a set of multi-layered defences in place to prevent actual malicious phishing, simulations often require some whitelisting (allowlisting) to be put in place at email gateways, anti-virus software and web proxies to allow the test email to reach user desktops and devices and to be acted upon. Such exceptions should be scoped as narrowly as possible, for example to the simulation platform's sending addresses combined with a distinguishing message header, and removed when the campaign ends, since a broad bypass at the gateway is itself a gap that a real attacker could exploit. In some cases, organisations may simulate phishing attacks across multiple channels, including email, SMS, and social media, to test employees' ability to recognise threats on various platforms; covering several channels gives a more comprehensive awareness programme that addresses diverse threat vectors.
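The following is an added example, not code from the original page or from any of the platforms mentioned above. It sketches the two mechanical parts of a self-hosted simulation that the methods above rely on: a campaign tracker that issues an unguessable per-recipient token for the lure's link, records what each recipient did (opened, clicked, submitted credentials, reported), and aggregates rates so recurring campaigns can be compared; and a gateway allowlist check that only lets a message skip filtering when it comes from the platform's sending range and carries a shared-secret header, rather than on sender domain alone. The landing URL, the sending network `203.0.113.0/28`, the header name `X-Phishing-Simulation` and the sample recipients are all constructed for illustration.

```python
"""Minimal simulated-phishing campaign tracker and gateway allowlist check.

Added illustration: the landing host, sending network, header name and
recipients below are constructed, not taken from any real platform.
"""
from __future__ import annotations

import hmac
import secrets
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Outcomes a recipient can produce; "reported" is the desired behaviour.
EVENTS = ("opened", "clicked", "submitted", "reported")

# Hypothetical landing host and gateway allowlist parameters (constructed).
LANDING_BASE = "https://sim.example.invalid/t/"
SIM_SENDER_NETS = [ip_network("203.0.113.0/28")]  # platform's documented sending range
SIM_HEADER = "X-Phishing-Simulation"


@dataclass
class Campaign:
    campaign_id: str
    recipients: list[str]
    tokens: dict[str, str] = field(default_factory=dict)  # token -> recipient
    events: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))

    def __post_init__(self) -> None:
        # Random tokens (not derived from the address) so a token cannot be
        # guessed or enumerated to forge a colleague's "failure".
        for r in self.recipients:
            self.tokens[secrets.token_urlsafe(16)] = r

    def token_for(self, recipient: str) -> str:
        return next(t for t, r in self.tokens.items() if r == recipient)

    def landing_url(self, recipient: str) -> str:
        """Link embedded in the lure sent to this recipient."""
        return LANDING_BASE + self.token_for(recipient)

    def record(self, token: str, event: str) -> bool:
        """Record an event reported by the landing server. Unknown tokens are
        ignored (returns False) so probes and guesses never count as failures."""
        if event not in EVENTS:
            raise ValueError(f"unknown event {event!r}")
        recipient = self.tokens.get(token)
        if recipient is None:
            return False
        self.events[recipient].add(event)
        return True

    def metrics(self) -> dict[str, float]:
        """Fraction of recipients producing each event. Aggregates are what
        gets reported; per-person results only drive supportive follow-up."""
        n = len(self.recipients)
        counts = Counter(e for evs in self.events.values() for e in evs)
        return {e: counts[e] / n for e in EVENTS}


def trend(previous: Campaign, current: Campaign) -> dict[str, float]:
    """Change in each rate between two recurring campaigns (negative = fewer)."""
    a, b = previous.metrics(), current.metrics()
    return {e: round(b[e] - a[e], 4) for e in EVENTS}


def gateway_allows_simulation(headers: dict[str, str], sender_ip: str,
                              expected_tag: str) -> bool:
    """Gateway bypass rule: skip filtering only if BOTH the connecting IP is in
    the platform's range AND the shared-secret header matches. Allowlisting by
    sender domain alone would let anyone spoofing that domain bypass the filters."""
    ip = ip_address(sender_ip)
    if not any(ip in net for net in SIM_SENDER_NETS):
        return False
    tag = headers.get(SIM_HEADER, "")
    return hmac.compare_digest(tag.encode(), expected_tag.encode())


if __name__ == "__main__":
    staff = ["a@example.com", "b@example.com", "c@example.com", "d@example.com"]
    q1 = Campaign("2024-q1", staff)
    q1.record(q1.token_for("a@example.com"), "clicked")
    q1.record(q1.token_for("a@example.com"), "submitted")
    q1.record(q1.token_for("b@example.com"), "clicked")
    q1.record(q1.token_for("c@example.com"), "reported")
    q2 = Campaign("2024-q2", staff)
    q2.record(q2.token_for("c@example.com"), "reported")
    q2.record(q2.token_for("d@example.com"), "reported")
    print(q1.landing_url("a@example.com"))
    print("q1:", q1.metrics())
    print("q1->q2:", trend(q1, q2))
    print(gateway_allows_simulation({SIM_HEADER: "s3cret"}, "203.0.113.5", "s3cret"))
```

One practical caveat when reading click rates: gateway and browser-isolation products that pre-fetch links will register as "clicked" unless their source addresses are excluded at the landing server, which is another reason the allowlist and the tracking have to be designed together.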


See also

* Phishing
* Fire drill

