According to a 2021 Cisco report, 86% of organizations said that at least one employee had clicked on a phishing link. That is why it is more vital than ever for organizations like yours to invest in phishing simulation and testing solutions that train your users to spot these lures.
As cyberthreats evolve, your security defenses need to evolve with them—and that includes training your employees. But as employees grow wiser, so do cybercriminals.
It’s not enough to provide a few unengaging, once-a-year, click-through training modules: users need to be continuously engaged and tested so that phishing tactics stay fresh in their minds. After all, employees who both know what to look for and regularly practice those skills are far more likely to spot and report a real attack when faced with one.
Phishing simulation is one of the best ways to train your employees in a realistic but safe environment. Simulations work by sending users mock phishing emails designed to look and feel genuine. The test is the user’s response: to pass a simulation, the user must report the email as a phishing attempt. Many vendors offer a free plugin that lets users safely and easily report any suspicious email directly to their security team. A user who clicks any attachment or URL in the email has failed, and vendors typically provide reporting tools so that organizations can identify and remediate that behavior.
We’ve put together a list of the top phishing simulation testing solutions, so your organization can transform its employees into human phishing detectors. We’ll talk through some of their key features and how they work, as well as how easy they are to use and implement.
Phished is a security awareness training provider that empowers users to identify and confidently report email threats. Their holistic approach to security awareness training combines four key features, which transform users into a “human firewall” that can help block sophisticated social engineering attacks. These four features are awareness training and checkpoints, phishing and SMiShing simulations, active reporting, and threat intelligence.
Phished delivers awareness training via bite-sized micro-learning modules. These incorporate gamification, through which users can earn badges, medals, and certificates, to keep users engaged. Phished automatically sends users personalized phishing and SMiShing simulations to test their response to attacks. The difficulty, frequency, and message type are tailored according to each user’s actions and response to training. Alternatively, admins can create their own simulations. If a user opens a link or enters credentials into Phished’s fake phishing page, Phished explains how they should have responded. Users can also report threats via the Phished Report Button, which sits within their email client. Users receive notifications detailing whether reported emails are safe, a simulation, or a genuine threat; real threats are automatically analyzed and quarantined. Finally, the platform uses threat intelligence to identify malicious campaigns taking place globally and notifies users of any activity they should look out for.
The combination of training with threat simulations and reporting capabilities enables Phished to generate a Behavioral Risk Score for each user: a quantifiable number that gives users and admins immediate insight into where their weaknesses lie and how to improve. The platform deploys easily in any email environment, including Google Workspace and Microsoft 365, and users can be onboarded manually, via .csv file, or via Active Directory integration. These strong capabilities, combined with ease of use and deployment, make Phished a strong solution for any organization looking to train its employees to identify and report phishing threats.
Hook Security is a phishing simulation and training provider that offers an easily deployable, cloud-based phishing simulation and testing program that can be up and running in a short space of time. Admins can launch regular automated phishing simulations with hundreds of phishing templates to choose from based on real-life phishing threats, along with template customization capabilities.
Alongside phishing simulations, Hook Security also offers easily digestible, visually appealing training content that uses psychology to train users to respond quickly and effectively to threats. Training materials use humor and storytelling to make the content both more fun and more memorable for users.
Additional features include auto-enrollment, which automatically enrolls users who fail phishing tests in additional training to refresh their knowledge, and an API and webhooks for data sharing and analytics, helping admins make better decisions. It also provides Hookmail, a plugin for Office 365 that allows users to flag and report suspicious phishing emails, whether simulated or real. Detailed reporting features also present admins with any security problems so they can troubleshoot more easily.
We recommend Hook Security for SMBs and large organizations looking for engaging security awareness training to improve phishing resilience and meet regulatory requirements.
Founded in 1999, TitanHQ is an international leader in email and web security, as well as data archiving. Its security awareness training offering, SafeTitan, is a behavior-driven security awareness solution that uses gamified and tailored up-to-date training material as well as automated phishing simulations to deliver security training in real-time and create changes in user behavior. The solution can be managed and monitored from a single easy-to-use portal.
The SafeTitan security awareness training solution targets specific user behaviors, providing real-time intervention training in combination with simulated phishing attacks to reinforce employee defenses. The training is tailored and gamified, with an extensive library of relevant and up-to-date training courses, videos, and quizzes, all designed to be interactive and engaging, and with each module lasting a short 8–10 minutes to minimize disruption to employee productivity. The phishing simulations are fully automated and adaptable, and come with a regularly updated library of thousands of phishing templates to choose from.
The solution helps organizations meet compliance requirements, including HIPAA, GDPR, ISO, EU NIS, and Cyber Essentials, and is also SCORM compliant and LMS compatible. The solution also provides holistic reporting, giving admins a 360-degree view of their users’ progress and reporting on training content as well as phishing simulations in a digestible way, so management can oversee outcomes and track ROI.
The content is digestible and engaging, and the phishing simulations are customizable: they can be deployed immediately after training to reinforce learning, or targeted at individuals whose results indicate a need for extra help. Together these make SafeTitan a strong solution for organizations looking to reduce human error and mitigate cyber risk. TitanHQ caters to a range of sectors including education, business, and healthcare. We recommend its security awareness training offering for organizations looking for strong cyber risk management with real behavioral change and measured effectiveness.
ESET is a cybersecurity provider that specializes in digital security and anti-malware solutions, serving homes, businesses, and enterprises.
Their contribution to this list is ESET Cybersecurity Awareness Training, a security awareness and phishing simulation solution. Training is delivered via a gamified approach, including easy-to-understand, bite-sized videos, so as not to overload viewers with information.
ESET streamlines the learning process as much as possible to create a more digestible program for your staff that doesn’t compromise on important details. The training program is being constantly updated, with advanced bonus training packs and new, single-topic learning modules being added to make sure your staff stays up to date on the latest threats.
ESET provides various courses, modules, and topics to choose from, making sure that your employees get a wide yet in-depth range of knowledge from their training. The most notable of these is a 90-minute gamified training module that plays like an RPG: employees choose a character who works as an IT technician and helps a fictional team with its security problems, which is not only enjoyable but also lets staff put their knowledge into practice.
Training is then tested and reinforced through customizable, realistic phishing email simulations. Tracking is available for your users’ training, letting you know how far along they are, and reports cover their success with the phishing simulations. Any users who fail can be automatically re-enrolled in more targeted training. Users are rewarded with a certificate upon completion, plus a LinkedIn badge showing others that they have successfully completed the training.
We recommend this service for small to mid-sized enterprises looking for effective, easy-to-manage security awareness training and phishing simulation, particularly those utilizing ESET’s wider endpoint protection solution suite.
IRONSCALES is a market-leading cloud-based email security solution that combines artificial and human intelligence to provide fast and highly effective protection against advanced attacks that traditional email security gateways miss, such as BEC, account takeover, and VIP impersonation. Its comprehensive, all-in-one anti-phishing platform is designed to protect against social engineering attacks, both by using AI-driven email security technology and by training users to spot and report phishing emails when they receive them. It offers three packages, Starter™, Email Protect™, and Complete Protect™, all of which include the ability to run phishing and smishing simulation campaigns. In its approach to phishing simulations, IRONSCALES makes its content relevant to specific users based on real-time data from the real attacks their company is facing.
IRONSCALES phishing simulation campaigns are fully customizable: admins can choose from a library of real-world templates and target smart groups and VIPs within their organization. Campaigns can also be tailored to individual users’ security awareness levels. Benchmarking assessments analyze each user’s ability to recognize phishing emails and assign them a score. This score then determines the difficulty of future phishing simulations sent to each individual and can improve over time as their awareness develops. Complementing this, IRONSCALES provides a Report Phishing button in the user’s preferred email client (desktop, browser, or mobile); if an employee identifies a suspicious email, they simply click the button to have an IT security admin review the email for them.
Its advanced reporting capabilities also allow admins to track users’ progress in real-time via an easy-to-use dashboard to identify users who fall “victim” to simulations and administer further training as required.
Overall, IRONSCALES is rated highly as an all-in-one solution for email security and phishing simulation testing. Users find the platform easy to use and understand, good value for the money, and great at providing executive-level reporting. The solution can be integrated with Microsoft 365 and Google Workspace (G-Suite) in minutes using native APIs, with no configuration changes, risk, or interruptions to your email delivery. IRONSCALES is ideal for SMBs as well as enterprise organizations, and is best suited for businesses looking for market-leading email security alongside phishing simulation.
Cofense—formerly PhishMe—is an industry leader in advanced phishing detection and defense solutions. Its phishing threat intelligence leverages data from 26 million users across the globe to detect phishing attacks, providing actionable and accurate insights for organizations. Serving more than 2,000 enterprise businesses globally, its easy-to-deploy security awareness training solution emulates real-life threats that are known to slip past secure email gateways. Its phishing simulations are built with input from its threat analysis, research labs, and defense center team. Offering a library of 1,500 templates in 36 languages—as well as localized content—Cofense’s simulations are up to date, relevant, and customizable.
Cofense’s PhishMe is its intuitive phishing simulation tool that allows admins to test users by sending realistic mock phishing attacks. Built into this is the ability to automate campaigns over a 12-month period, as well as to make use of smart suggestions based on historical simulation results, active threats, and the organization’s industry. Campaigns can also be customized so that phishing simulations are delivered only when users are active. Its free email reporting plugin, Cofense Reporter, integrates easily with Outlook, Microsoft 365, Gmail, and Lotus Notes, and helps track which users report simulations, as well as their response times. Its reporting tool includes industry benchmarking and digestible executive-level reporting, as well as more granular metrics.
Overall, Cofense’s phishing simulation platform is a leading cloud-based training solution. Users rate this platform highly and find it user-friendly, reliable, and flexible—although some users report that the platform could be improved by greater reporting capabilities and a more diverse template library. Cofense’s awareness training and simulation solution is suitable for organizations of all sizes across multiple industries—including infrastructure, government, finance, healthcare, and energy. A version of its PhishMe tool is also available at no cost to small businesses with fewer than 500 employees. This solution is ideal for organizations seeking powerful phishing simulations and strong awareness training alongside Cofense’s technical security tools.
Hoxhunt is a fast-growing European startup that specializes in teaching employees to identify and respond to phishing attacks in innovative, fun, and engaging ways. Its user-centric platform uses gamification to reward users for correctly identifying and reporting simulated phishing emails, and enables them to track their own progress using a user-friendly, real-time dashboard. The solution is a fully managed service, which includes end-to-end automation of all phishing campaigns. Currently supporting more than 20 languages, its simulated content is continuously updated to mimic real-life attacks and keep users aware of evolving threats. Training can be targeted at both security teams and individual employees.
To keep training fun, Hoxhunt refers to its phishing campaigns as “quests”. These are deployed automatically by Hoxhunt and sent to users multiple times per month, so that phishing awareness is constantly fresh in their minds. Hoxhunt’s analysts and content team work to personalize and tailor quests towards each user’s skill level and role, as well as to be relevant to their specific organization. Users can report suspected phishing emails via a free plugin, which integrates with Microsoft 365, Outlook, and Gmail. When users correctly identify and report simulated emails, they are instantly rewarded with stars—these are recorded on their personal user dashboard and contribute to their total point score. Points can later be redeemed for real-life prizes. Using this real-time dashboard, users can track their success rates, as well as emails clicked on, and compete for a spot on the top 10 leaderboard within their organization.
Hoxhunt’s solution is overall a fun and engaging way to keep phishing awareness at the forefront of employees’ minds. Personal support is available for technical setup and onboarding, and onboarding new users takes minutes. Users find the platform intuitive, engaging, fun, and seamless to integrate, while security teams can focus on training users and remediating threats rather than personalizing and managing campaigns. This solution is suitable for SMBs and enterprises, and is a great option for organizations looking for a fully managed, personalized, and engaging phishing simulation platform.
KnowBe4 is an industry giant in security awareness training, dominating the market with its easy-to-deploy and intuitive security awareness training platform. Serving over 35,000 customers globally, its solution aims to keep the user at the forefront, with engaging simulations for a range of abilities. KnowBe4 offers unlimited use of its phishing simulations, as well as access to its library of more than 5,000 templates, available in 34 languages. Its Software-as-a-Service solution is priced in tiers, ranging from Silver to Diamond, with more features becoming available in higher tiers.
KnowBe4’s phishing simulations are quick to set up, can be sent via email, phone, and SMS—vishing is available from gold tier and above—and are fully customizable. Admins can make use of automated, pre-scheduled campaigns, and target recipients by group. The vendor also offers its free Phish Alert button plugin, which both enables users to safely and easily report any phishing emails they might receive—whether simulated or genuine—and sends a report to the Admin Console when a user passes a test. KnowBe4’s reporting and analytics tools include industry benchmarking, advanced reporting, smart groups, and automated risk assessments. Smart Groups—available from Platinum tier and above—enable admins to group users based on behavior and attributes, and tailor campaigns accordingly based on real-time data.
Overall, KnowBe4’s phishing simulation platform is rated highly. Users describe the solution as easy to deploy and configure, great value for money, flexible, and effective at reducing the number of employees who fall for phishing emails. The main pain point is that some users find the analytics and reporting tool lacking in customization and filtering options for specific results, and in real-time dashboards. It’s also worth noting that some of the more complex or tailored features better suited to enterprise organizations, such as Smart Groups, are included in higher tiers only. KnowBe4’s solution is well suited to organizations of all sizes as it is flexible, built to scale, and easy to deploy and roll out to your employees.
Mimecast offers a comprehensive, easy-to-use, cloud-based email security platform that includes awareness training, a secure email gateway, email continuity, and archiving. Mimecast Awareness Training enables organizations to train their users in security awareness, as well as run phishing simulations and analyze individual risk scores. Phishing simulations can be fully customized or based on real-life emails that users within that organization clicked on—turning genuine threats into tests. Supporting more than 36,100 businesses across 26 languages, Mimecast Awareness Training is suited for commercial and enterprise organizations.
Mimecast SAFE Phish is Mimecast’s integrated phishing simulation platform. Types of simulations available include vishing and CEO phishing, and campaigns can be set up in under ten minutes. Mimecast Awareness Training works well in conjunction with Mimecast’s email security suite, including Mimecast Targeted Threat Protection—which rewrites malicious URLs before emails can reach users’ inboxes. If a user falls for one of these genuine—but rewritten—emails, the email is stored in Mimecast’s awareness training log and can be used in future simulations to test others. Mimecast provides a comprehensive, real-time reporting dashboard that calculates a risk score for both individuals and the entire organization. Using this dashboard, admins can track progress and benchmark against others in their industry or region.
Overall, users find Mimecast Awareness Training easy to use and particularly like its comprehensive and customizable reporting capability. The solution can be run on Amazon Web Services or Mimecast’s native cloud platform, Mime|OS. Mimecast recommends 60 minutes for configuration of this solution. Mimecast Awareness Training is best suited for SMBs and enterprise organizations across all industries, that are looking for a strong and comprehensive email security solution alongside the ability to test and track users, particularly existing Mimecast customers.
Proofpoint is an industry leader in securing businesses and their data against advanced threats and email compromises. Proofpoint Security Awareness Training was developed by Wombat Security Technologies—acquired by Proofpoint in March 2018—and enables organizations to test their users in a safe environment. Its security awareness training can be licensed either as a standalone solution or as part of the Proofpoint Essentials stack for SMBs. To run phishing campaigns, admins can leverage Proofpoint’s library of more than 700 templates, which are customizable, available in over 35 languages, and localized—meaning brands, character names, currencies, etc., are relevant to each end user’s location. Proofpoint’s phishing simulations can be sent via email or SMS—but please note that SMS is available in the US only.
Part of its offering, ThreatSim is a powerful phishing simulation tool that enables organizations to test users based on real-life phishing tactics and pinpoint vulnerabilities. Proofpoint also includes a free customizable plugin, Phish Alarm, which integrates with both Outlook and Gmail and enables users to easily report suspicious emails at the push of a button. Its responsive, easy-to-read reporting capabilities include benchmarking, filtering, and insights on end-user risk, as well as specific information on device, browser, and location when users fail a simulation. Admins can also leverage information on average failure rates to determine the difficulty of future phishing campaigns.
Proofpoint is a market leader in the email security space, with a global threat intelligence network collecting data from over 100 million inboxes, which is used to inform its awareness training programs. Overall, users find Proofpoint’s platform easy to use and great at providing detailed reports. Some users experienced that implementation, as well as initially learning to use the platform, can take some time—but report that it’s worth the effort. Proofpoint’s solution is suitable for SMBs across all industries that are looking for either a standalone security awareness training product or a full stack of security solutions, combining awareness training with technical email threat protection.
FAQs
What Is Phishing?
Phishing is a type of cyber-attack in which malicious actors attempt to lure unsuspecting users into taking a specific action. In some instances, the user is encouraged to click on a link or download a file that appears innocent and harmless but in fact delivers malware, which can then wreak havoc on the user’s system. Alternatively, a malicious actor may pose as a trusted individual or organization and encourage the target to divulge sensitive information, such as login credentials.
Phishing attackers often use a “scatter gun” approach: they spam hundreds or thousands of accounts with the same phishing message in the hope that one or two recipients will overlook the risk. This type of attack is not particularly sophisticated, but it still gets results.
How Can Phishing Simulation And Testing Solutions Help?
Phishing simulation can be particularly effective at preventing phishing because it gives users an opportunity to experience what a phishing attack is like. Rather than seeing an example email in a training environment, users receive the simulated phishing email in their actual inbox. Seeing a phishing email when they are not consciously expecting one helps ensure that users recognize the indicators to look out for.
From an admin’s perspective, deploying simulations is useful because you can easily see how effective your security awareness training is. Individuals who fail the test can be identified and tasked with completing further training modules until they pass.
The training itself is often very simple, with short, targeted modules to keep users engaged. This type of training has very real and useful benefits: for a couple of hours of training per year, you can greatly decrease the potency and effectiveness of any real phishing campaigns that do make it to your users’ inboxes.
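The mechanics described above (a simulation is passed by reporting, failed by clicking or entering credentials, and failed users are routed to further training) are easy to score yourself once a platform exports its per-user events. The following is an added example, not code from the page or from any of the vendors listed; the three-column CSV export format (timestamp, user, event) and the event names are assumptions standing in for whatever your platform produces, and the sample campaign data is constructed.

```python
"""Score a simulated-phishing campaign from a per-user event export.

Added example (not vendor code). The export format "timestamp,user,event"
and the event names below are assumptions; adapt parse_events() to the
schema your platform actually exports.
"""
import statistics
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Constructed sample export for a four-user campaign (not real data).
SAMPLE_EXPORT = """\
timestamp,user,event
2024-03-04T09:00:00,alice@example.com,sent
2024-03-04T09:00:00,bob@example.com,sent
2024-03-04T09:00:00,carol@example.com,sent
2024-03-04T09:00:00,dave@example.com,sent
2024-03-04T09:03:12,alice@example.com,opened
2024-03-04T09:04:40,alice@example.com,reported
2024-03-04T09:10:05,bob@example.com,opened
2024-03-04T09:10:30,bob@example.com,clicked
2024-03-04T09:11:02,bob@example.com,submitted_credentials
2024-03-04T09:30:00,carol@example.com,clicked
2024-03-04T09:31:15,carol@example.com,reported
2024-03-04T10:00:00,dave@example.com,opened
"""

# Any of these means the user took the bait; opening the mail alone does not.
FAIL_EVENTS = {"clicked", "opened_attachment", "submitted_credentials"}


class Outcome(str, Enum):
    PASSED = "passed"              # reported the lure without ever clicking
    FAILED = "failed"              # clicked, opened the attachment, or entered credentials
    NO_RESPONSE = "no_response"    # delivered (maybe opened) but neither clicked nor reported


@dataclass
class UserResult:
    user: str
    outcome: Outcome
    seconds_to_report: Optional[float] = None   # only set for PASSED
    reported_after_failing: bool = False        # still a fail, but worth knowing
    events: List[str] = field(default_factory=list)


def parse_events(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse 'timestamp,user,event' lines, skipping the header and blank lines.
    Extra trailing columns are ignored; rows are returned in time order."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("timestamp,"):
            continue
        ts, user, event = line.split(",")[:3]
        rows.append((datetime.fromisoformat(ts), user.lower(), event))
    rows.sort(key=lambda r: r[0])
    return rows


def score_campaign(text: str) -> Dict[str, UserResult]:
    """Reduce the event stream to one outcome per targeted user."""
    sent_at: Dict[str, datetime] = {}
    failed_at: Dict[str, datetime] = {}
    reported_at: Dict[str, datetime] = {}
    events: Dict[str, List[str]] = {}
    for ts, user, event in parse_events(text):
        events.setdefault(user, []).append(event)
        if event == "sent":
            sent_at.setdefault(user, ts)
        elif event in FAIL_EVENTS:
            failed_at.setdefault(user, ts)      # keep the first failure time
        elif event == "reported":
            reported_at.setdefault(user, ts)    # keep the first report time

    results: Dict[str, UserResult] = {}
    for user, when_sent in sent_at.items():     # only users this campaign targeted
        if user in failed_at:
            # A click is a fail even if the user reports afterwards.
            late_report = user in reported_at and reported_at[user] > failed_at[user]
            results[user] = UserResult(user, Outcome.FAILED, None, late_report, events[user])
        elif user in reported_at:
            secs = (reported_at[user] - when_sent).total_seconds()
            results[user] = UserResult(user, Outcome.PASSED, secs, False, events[user])
        else:
            results[user] = UserResult(user, Outcome.NO_RESPONSE, None, False, events[user])
    return results


def summarize(results: Dict[str, UserResult]) -> dict:
    """Campaign-level metrics plus the re-enrollment list for failed users."""
    n = len(results)
    counts = {o: 0 for o in Outcome}
    for r in results.values():
        counts[r.outcome] += 1
    reported = sum(1 for r in results.values()
                   if r.outcome is Outcome.PASSED or r.reported_after_failing)
    times = [r.seconds_to_report for r in results.values() if r.seconds_to_report is not None]
    return {
        "targeted": n,
        "failed": counts[Outcome.FAILED],
        "passed": counts[Outcome.PASSED],
        "no_response": counts[Outcome.NO_RESPONSE],
        "failure_rate": counts[Outcome.FAILED] / n if n else 0.0,
        "report_rate": reported / n if n else 0.0,
        "median_seconds_to_report": statistics.median(times) if times else None,
        "reenroll": sorted(u for u, r in results.items() if r.outcome is Outcome.FAILED),
    }


if __name__ == "__main__":
    for r in score_campaign(SAMPLE_EXPORT).values():
        print(f"{r.user:20} {r.outcome.value:12} {r.events}")
    print(summarize(score_campaign(SAMPLE_EXPORT)))
```

Two design choices matter here. First, a click followed by a report is still recorded as a failure, matching the pass/fail rule above, but it is flagged separately because a user who clicks and then reports has behaved better than one who clicks and stays silent, and that distinction is useful when deciding how much remedial training to assign. Second, only users with a "sent" record are scored, so reports of genuine phishing that happen to land in the same feed do not distort the campaign numbers.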
What Are The Different Types Of Phishing?
Phishing is an umbrella term for deceptive messages that attempt to make a user perform a specific action. Today there is an increasing variety of phishing attack types, each with its own target or delivery method.
Vishing – Vishing is a contraction of “voice phishing” and refers to phishing attacks carried out over phone calls or voice messages. Targets can be more easily convinced in this case because they are not expecting a phishing attack to arrive in this way.
Whaling – Rather than a method of phishing, whaling refers to the target: someone senior and influential in an organization, such as a CEO or board member. Instead of a scatter gun approach, these attacks are specific to the target and may impersonate real employees. They are more convincing because spoofed domains and other fraudulent material may be used to make the attempt more realistic.
Spear Phishing – This attack is like whaling but can be targeted at a less senior individual. The message is tailored to the recipient to give the greatest chance of fooling them, and impersonation of a colleague or partner may be used to make the attempt more convincing.