Email Security

Phishing Simulation And Testing Buyers’ Guide 2024

How to choose the right phishing simulation and testing solution.

Phishing Simulation and Testing Buyers' Guide

State of the market: Phishing simulation solutions allow IT teams to send fake phishing emails to end users to test their ability to identify and correctly respond to phishing attacks.

  • The phishing simulation market was valued at over USD 93 million in 2024 and is expected to grow at a CAGR of 7.5% to reach a value of over USD 166 million by 2032. 
  • Growth is being driven by the need for advanced cybersecurity awareness training to combat an increase in the frequency of cyberattacks, and to achieve compliance with strict data protection regulations. 
  • As the market grows, we’re seeing a rise in the adoption of cloud-based and AI-driven solutions, which are improving the effectiveness of phishing tests—something that has frequently been called into question within the cybersecurity community.

Why Trust Us: We’ve researched, demoed, and tested several dozen leading anti-phishing solutions, spoken to organizations of all sizes about their email security challenges and the features that are most useful to them, and interviewed executives from leading providers in the anti-phishing space. 

You can find our product reviews, interviews, and Top 10 guides to the best anti-phishing products on the market in our Security Awareness Training Hub and Email Security Hub.

Our Recommendations: Before we dive into the details, here are our top tips on how to choose the right phishing testing solution for your business and avoid getting reeled in by the wrong tool: 

  • For SMBs: If you don’t have much in-house resource to dedicate to running effective phishing simulation campaigns, you should consider investing in a managed service. This is something that most phishing simulation providers offer, and it means that campaigns are scheduled and managed for you by the provider. 
  • For first-timers: If you haven’t run phishing tests in your organization before, don’t throw your users in at the deep end! Start with simulations that the majority of users should be able to identify confidently. 
  • For meeting compliance requirements: If part of the reason you’re deploying a phishing testing tool is to help you meet compliance requirements, then you should look for a tool that a) is compliant itself and b) offers compliance-ready reporting. 
  • For effectiveness: You need your users to engage with your phishing tests. To do that, limit simulation frequency, be aware of the subject matter you’re covering (i.e., avoid fake bonuses), make educational elements interactive, and look for a “Report Phish” button. 
  • For ease of use: No matter your organization’s size, industry, or experience, find a solution that integrates easily into your email environment. This will make it much easier to deploy, configure, and manage.

How Phishing Simulations Work: Phishing simulation and testing tools are straightforward to deploy, whether standalone or—more typically—as part of a broader security awareness training (SAT) platform. To streamline deployment, most solutions integrate directly with Microsoft 365, Google Workspace, or Active Directory so they can pull users’ email addresses in from your directory and deliver simulations directly to each user’s inbox. 

Once deployed, phishing simulation and testing tools enable you to send fake phishing messages to end users. While some tools offer voice phishing (vishing) and text phishing (SMiShing), most solutions focus on email phishing. No matter the medium of simulation you’re sending, phishing simulation tools usually follow the same workflow: 

  1. You create a simulation campaign by browsing a library of pre-built phishing templates or creating your own custom message.
  2. You select which users or user groups you want the campaign to target. 
  3. The solution sends your simulation to the selected users and records whether they ignore it, report it, or interact with it (e.g., by clicking on a link). 
  4. You can view users’ responses and assign further training or step-up security for at-risk users. 

Benefits Of Phishing Simulations: There are three main use cases for phishing simulation and testing tools: 

  1. Phishing simulations can raise awareness of phishing amongst end users, helping them stay vigilant of potentially dangerous messages. 
  • When deployed as part of or alongside an SAT program, users can practice what they’ve learned about phishing in a secure, yet realistic environment.
  • Practice increases our ability to remember new information and to recall and apply knowledge automatically. 
  • Regular, bitesize training is more effective than a once-annual security awareness training course because it encourages continuous, consistent engagement.

2. Phishing simulations can help improve your organization’s overall resilience to phishing attacks. 

  • By training your employees how to identify and correctly respond to phishing attacks, you can lower the risk of them clicking on a link or attachment in a real phishing email. 
  • Some phishing testing tools also allow users to report real phishing attacks, which are then automatically removed from all users’ inboxes. 
  • Once you’ve identified which users are more susceptible to phishing, you can either assign them further training or add more security to their account to reduce the impact of a successful attack (e.g., using strong authentication to mitigate the risk of credential theft). 

3. Phishing simulation and testing solutions, particularly when implemented in conjunction with SAT, can help you achieve compliance with data privacy and protection standards such as GDPR, GLBA, ISO 27001, HIPAA, and PCI-DSS. It can also help you meet requirements set out by cybersecurity insurance providers, who often want proof that you’re training your employees on cyber risks in order for you to qualify for cover. 

Common Phishing Testing Challenges: Phishing simulation is a contentious topic in the IT and cybersecurity world. While some claim it to be highly effective, others argue that it presents too many challenges that can actually have a detrimental impact on phishing resilience when not properly managed. 

So, before you start comparing solutions, it’s important that you’re aware of those challenges and how you can overcome them:

  1. Employee frustration: We recommend sending simulations no more than once a month and being mindful of the content of your messages—don’t phish your employees with something that may lead to disappointment, such as the promise of a holiday bonus! 
  2. Difficulty level: We recommend choosing a solution that allows you to customize the content of your simulations and send different simulations to different users or user groups. This means everyone will receive simulations that are appropriate and provide the right level of challenge. 
  3. Sending simultaneous simulations: We recommend that you send different campaigns to different user groups and stagger the sending of simulations. This will give you a more accurate reflection of users’ resilience by avoiding them warning each other about the phishing test—particularly in an office environment.

Does Phishing Simulation Actually Work?! There have been many studies into the effectiveness of phishing simulations, with varying results. This could be due to the broad range of phishing testing solutions and training materials currently on the market.

A 2024 study found that users who complete interactive training are less likely to fail phishing tests, while those who complete static training (e.g., landing pages) have a higher likelihood of failing phishing tests. This is also evidenced in a 2021 study that found phishing training pages create “a false sense of security”, potentially due to end users misinterpreting the page. 

To get the most out of your phishing tests and ensure they’re as effective as possible:

  • Pair your phishing simulations with an SAT solution that assigns interactive, engaging training that users must complete.
  • Deliver mindful, emotion- or psychological-based training.
  • Train your managers to actively engage with “repeat clickers”.

Best Phishing Simulation Providers: Our team of cybersecurity analysts and researchers has put together a shortlist of the best providers of phishing simulation and testing solutions, as well as adjacent lists covering similar topics:    

Features Checklist: When comparing phishing simulation and testing solutions, Expert Insights recommends looking for the following features: 

  1. Realistic templates: Choose a solution that offers a wide range of email templates and dynamic payloads (e.g., fake login pages/attachments) that cover different phishing scenarios, such as credential harvesting, malicious attachments, and brand spoofing. Templates should support all the languages and region-specific scenarios relevant to your organization, and you should be able to customize them to mimic your organization’s brand.  
  2. Customization: You should be able to target specific users or user groups, customize the level of difficulty of each campaign, and configure deliver timing to simulate real-world email delivery behaviors (i.e., staggered delivery).
  3. Regular updates: Look for a solution that regularly updates its template library to reflect the evolving threat landscape. Some modern solutions use AI to achieve this.
  4. Teachable moments: Look for a tool that delivers interactive, targeted training immediately after a failed phishing attempt and some sort of gamification (e.g., quizzes or points) to incentivize learning. 
  5. Detailed analytics: From a central management console, you should be able to access metrics on open rates, click rates, data entry, and reporting rates. The best phishing testing tools offer user-level reporting to help you tailor training and identify your most high-risk users, and offer insights into how their susceptibility changes over time. 
  6. Compatibility: Your solution should be compatible with mobile devices as well as desktops, particularly if your users use smartphones for work. 
  7. Integration: Your chosen solution must integrate with your email system (e.g., Microsoft 365 or Google Workspace). You could also consider integrations with email reporting tools, SIEM and SOAR platforms for automated response, and threat intelligence tools to make campaigns more realistic. 

Future Trends: As the phishing testing market grows, we expect to see the market evolve in five key areas. 

First, we expect more solutions to start incorporating AI to: 

  • Automatically create realistic phishing campaigns based on real-world threat intelligence. 
  • Tailor the difficulty of phishing campaigns based on individual users’ performance in previous campaigns.
  • Identify users that are more susceptible to phishing so managers can intervene where necessary.

Second, future simulations are likely to become much more realistic, matching phishing tactics and techniques that are being used in the real world. This may include:

  • Using advanced social engineering techniques to craft highly personalized emails.
  • Delivering phishing messages beyond email, e.g., via social media or collaboration apps like Slack or Teams.

Third, we expect phishing simulations to increasingly use behavioral analytics to provide deeper insights into how users are interacting with simulations. Some solutions are already doing this by providing metrics into response times and click rates, but we expect this to become more commonplace. 

Fourth, we expect to see more phishing simulations tools incorporating continuous education and assessment, and adapting their educational content based on both employee performance and the evolving threat landscape. 

Finally, we are seeing increasingly more companies shift away from the terminology “security awareness training” and towards “human risk management”. This places more focus on the outcome of the training (fostering positive security behaviors and a culture of security), rather than simply its delivery


Further Reading: You can find all of our articles on phishing simulation and testing in our Security Awareness Training Hub.  

Want to dive right in? Here are a few articles we think you’ll get hooked on: