In 2021, 86% of organizations said that at least one of their employees had clicked on a phishing link. This statistic is dangerously high. It’s more vital than ever for organizations to invest in phishing simulation and testing solutions that train their users to spot these phishing lures and decrease the chances of having to deal with a full cyber attack.
As cyberthreats evolve, your security defenses need to evolve in lockstep—and that includes training your employees. But for every security improvement that your employees make, cybercriminals will innovate once again.
Cybersecurity awareness training needs to be more than a formality. It’s not enough to provide a few unengaging, click-through training modules once a year—users need to be continuously engaged and tested so that cyberattacks are always fresh in their minds. After all, employees who both know what to look for and regularly practice those skills are far more likely to spot and report a real attack when faced with one.
Phishing awareness training is one of the best ways to train your employees in a real-life, safe environment. Simulations work by sending users mock phishing emails that are designed to look and feel genuine. The testing part comes in the user’s response—to successfully pass a simulation, users must report the emails as phishing attempts. Many vendors offer a free plugin that enables users to safely and easily report any suspicious emails directly to their security teams. A user who clicks on any of the attachments or URLs within the email has failed. Many of the tools can automatically enroll these users on another training course and, thanks to comprehensive reporting tools, enable organizations to identify and remediate these behaviors.
We’ve put together a list of the top phishing simulation testing solutions, so your organization can transform its employees into human phishing detectors. We’ll talk through some of their key features and how they work, as well as how easy they are to use and implement.
Phished is a security awareness training provider that empowers users to identify and confidently report email threats. Its holistic approach to security awareness training combines four key features to turn users into a “human firewall” that can help block sophisticated social engineering attacks. These four features are: awareness training and checkpoints, phishing and SMiShing simulations, active reporting, and threat intelligence.
Phished delivers awareness training via bite-sized micro-learning modules. These incorporate gamified content (users can earn badges, medals, and certificates) to keep the modules engaging. Phished automatically sends users personalized phishing and SMiShing simulations to test their response to attacks. The difficulty, frequency, and message type are tailored according to each user’s actions and response to training. Alternatively, admins can create their own simulations. If a user opens a link or enters credentials into Phished’s fake phishing page, Phished explains how they should have responded. Users can also report threats via the Phished Report Button which sits within their email client. Users receive notifications detailing whether reported emails are safe, a simulation, or a genuine threat; real threats are automatically analyzed and quarantined. Finally, the platform uses threat intelligence to identify malicious campaigns taking place globally and notifies users of any activity that they should look out for.
The combination of training with threat simulations and reporting capabilities enables Phished to generate a Behavioral Risk Score for each user; a quantifiable number that gives users and admins immediate insight into where their vulnerabilities lie and how to improve their security hygiene. The platform deploys easily within any email client, including Google Workspace and Microsoft 365. Users can be onboarded manually, via .csv files, or via Active Directory integration. These strong capabilities, combined with ease of use and deployment, make Phished a strong solution for any organization looking to train their employees to identify and report phishing threats.
Hook Security is a phishing simulation and training provider that offers a cloud-based phishing simulation and testing program that can be deployed in a short space of time. Admins can launch regular automated phishing simulations with hundreds of phishing templates to choose from, based on real-life phishing threats, along with template customization capabilities.
Alongside phishing simulations, Hook Security also offers easily digestible and visually appealing training content that uses psychology to train users how to respond effectively to threats. Training materials use humor and storytelling to make it both more fun and memorable for users.
Additional features include auto-enrollments, which automatically enroll those who failed phishing tests into additional training to refresh their knowledge, as well as an API and webhooks for effective data sharing and analytics, helping admins to make better decisions. It also provides Hookmail—a plugin for Office 365 that allows users to flag and report suspicious phishing emails, whether simulated or real. Detailed reporting features also present admins with any security problems so they can troubleshoot more easily.
We recommend Hook Security for SMBs and large organizations looking for engaging security awareness training to improve phishing resilience and meet regulatory requirements.
Founded in 1999, TitanHQ is an international leader in email and web security, as well as data archiving. Its security awareness training offering, SafeTitan, is a behavior-driven security awareness solution that uses gamified, tailored, up-to-date training material as well as automated phishing simulations to deliver security training in real time and create changes in user behavior. The solution can be managed and monitored from a single easy-to-use portal.
SafeTitan’s security awareness training solution targets specific user behaviors, providing real-time intervention training in combination with simulated phishing attacks to reinforce employee defenses. The training is tailored and gamified, with an extensive library of relevant and up-to-date training courses, videos, and quizzes provided. All of these are designed to be interactive and engaging, with each module lasting a short 8 to 10 minutes to minimize disruption to employee productivity. The phishing simulations are fully automated, adaptable, and come with a regularly updated library of thousands of phishing templates to choose from.
The solution helps organizations meet compliance requirements—including HIPAA, GDPR, ISO, EU NIS, and Cyber Essentials. The platform is also SCORM compliant and LMS compatible. The solution also provides holistic reporting, giving admins a 360-degree view of their users’ progress and reporting on training content as well as phishing simulations in a digestible way. This ensures that admins and management teams can oversee outcomes and track ROI.
The digestible and engaging nature of the content, alongside the customizable and quick-to-deploy phishing simulations, helps to reinforce learning and can be targeted at individuals whose reports indicate a need for extra help. This makes SafeTitan a strong and highly effective solution for organizations looking to reduce human error and mitigate cyber risk. TitanHQ caters to a range of sectors including education, business, and healthcare. We recommend its security awareness training offering for organizations looking for strong cyber risk management with real behavioral change and measured effectiveness.
ESET is a cybersecurity provider that specializes in digital security and anti-malware solutions, serving homes, businesses, and enterprises.
Its contribution to this list is ESET Cybersecurity Awareness Training. Training is delivered using a gamified approach, including easy-to-understand, bite-size videos, so as not to overload participants with information.
ESET streamlines the learning process as much as possible to create a more digestible program for your staff that doesn’t compromise on important details. The training program is being constantly updated, with advanced bonus training packs and new, single-topic learning modules being added to make sure your staff stays up to date on the latest threats.
ESET provides various courses, modules, and topics to choose from, making sure that your employees get a broad but detailed range of knowledge from their training. One of its most notable training segments is a 90-minute gamified training module that acts like an RPG. Your employees choose a character to play in the role of an IT technician who assists a fictional team with security problems, which is not only enjoyable but also helps your staff put their knowledge into practice.
Training is then tested and reinforced through customizable, pervasive phishing email simulations. Admins are able to monitor user progress through the training, seeing how far along each user is, and receive reports on their success with the phishing simulations. Any users who fail can be automatically re-enrolled in more targeted training. Users are rewarded with a certificate upon completion, plus a LinkedIn badge notifying others that they have successfully completed the training.
We recommend this service for small to mid-sized enterprises looking for effective, easy-to-manage security awareness training and phishing simulation, particularly those utilizing ESET’s wider endpoint protection solution suite.
IRONSCALES is a market-leading cloud-based email security solution that combines artificial and human intelligence to provide fast and highly effective protection against advanced attacks that traditional email security gateways miss. It is particularly effective at identifying BEC, account takeover, and VIP impersonations. Its comprehensive, all-in-one anti-phishing platform is designed to protect against social engineering attacks—by using AI-driven email security technology and by training users to spot and report phishing emails when they receive them. The solution is offered in three packages—Starter, Email Protect, and Complete Protect—and all packages include the ability to run phishing and smishing simulation testing campaigns. In its approach to phishing simulations, IRONSCALES makes its solution relevant to specific users based on real-time data from real attacks their company is facing.
IRONSCALES phishing simulation campaigns are fully customizable—admins can choose from a library of real-world templates and then target smart groups of employees within their organization. Campaigns can also be tailored to individual users’ security awareness levels. Benchmarking assessments are used to analyze each user’s ability to recognize phishing emails and assign them a score. This score then determines the difficulty of future phishing simulations sent to each individual, and it changes over time as their awareness improves. Complementing this, IRONSCALES provides a Report Phishing button in the user’s preferred email client (desktop, browser, or mobile). If an employee identifies a suspicious email, they simply click the button to have an IT security admin review the email for them.
IRONSCALES’ advanced reporting capabilities allow admins to track users’ progress in real time via an easy-to-use dashboard, identify users who fall “victim” to simulations, and administer further training as required.
Overall, IRONSCALES is rated highly as an all-in-one solution for email security and phishing simulation testing. Users find the platform easy to use and understand, deem it good value for the money, and great at providing executive-level reporting. The solution can be integrated with Microsoft 365 and Google Workspace (G-Suite) in minutes using native APIs, with no configuration changes, risk, or interruptions to your email delivery. IRONSCALES is ideal for SMBs as well as enterprise organizations, and is best suited for businesses looking for market-leading email security alongside phishing simulation.
Cofense—formerly PhishMe—is an industry leader in advanced phishing detection and defense solutions. Its phishing threat intelligence leverages data from 26 million users across the globe to detect phishing attacks, providing actionable and accurate insights for organizations. Serving more than 2,000 enterprise businesses globally, it’s an easy-to-deploy security awareness training solution that emulates potent real-life threats. Its phishing simulations are built with input from its threat analysis, research labs, and defense center team. Offering a library of 1,500 templates in 36 languages—as well as localized content—Cofense’s simulations are up to date, relevant, and customizable.
Cofense’s PhishMe is its user-intuitive phishing simulation tool that allows admins to test users by sending simulated phishing attacks based on real-world content. Admins can automate campaigns over a 12-month period and use smart suggestions that are based on historical simulation results, active threats, and relevance to specific industries. Campaigns can also be customized so that phishing simulations are delivered only when users are active. Its free email reporting plugin, Cofense Reporter, is easily integrated with Outlook, Microsoft 365, Gmail, and Lotus Notes, and helps track which users report simulations as well as their response times. Its intuitive reporting tool includes industry benchmarking and digestible executive-level reporting, as well as more granular metrics.
Overall, Cofense’s phishing simulation platform is a leading cloud-based training solution. Users rate this platform highly and find it user-friendly, reliable, and flexible—although some users report that the platform could be improved with greater reporting capabilities and a more diverse template library. Cofense’s awareness training and simulation solution is suitable for organizations of all sizes across multiple industries—including infrastructure, government, finance, healthcare, and energy. A version of its PhishMe tool is also available at no cost to small businesses with fewer than 500 employees. This solution is ideal for organizations seeking powerful phishing simulations and strong awareness training alongside Cofense’s technical security tools.
Hoxhunt is a fast-growing European startup that specializes in teaching employees to identify and respond to phishing attacks in innovative, fun, and engaging ways. Its user-centric platform uses gamification to reward users for correctly identifying and reporting simulated phishing emails, and enables them to track their own progress using a user-friendly, real-time dashboard. The solution is a fully managed service, and this includes the full end-to-end automation of all phishing campaigns. Currently supporting more than 20 languages, its simulated content is continuously updated to mimic real-life attacks and keep users aware of evolving threats. Training can be targeted at both security teams and individual employees.
To keep training fun, Hoxhunt refers to its phishing campaigns as “quests”. These are deployed automatically by Hoxhunt and can be sent to users multiple times per month. This ensures that phishing awareness is at the forefront of users’ minds. Hoxhunt’s analysts and content team work to personalize and tailor quests to each user’s skill level and role, as well as to make them relevant to their specific organization and sector. Users can report suspected phishing emails via a free plugin, which integrates with Microsoft 365, Outlook, and Gmail. When users correctly identify and report simulated emails, they are instantly rewarded with stars—these are recorded on their personal user dashboard and contribute to their total point score. Points can later be redeemed for real-life prizes. Using this real-time dashboard, users can track their success rates, as well as emails clicked on, and compete for a spot on the top 10 leaderboard within their organization.
Overall, Hoxhunt’s solution is a fun and engaging way to keep phishing awareness at the forefront of employees’ minds. Personal support is available for technical setup and onboarding, while onboarding new users takes minutes. Users find the platform intuitive, engaging, fun, and seamless to integrate, while security teams can focus on training users and remediating threats rather than personalizing and managing campaigns. This solution is suitable for SMBs and enterprises, and is a great option for organizations looking for a fully managed, personalized, and engaging phishing simulation platform.
KnowBe4 is an industry giant in security awareness training, dominating the market with its easy-to-deploy and user-intuitive security awareness training platform. Serving over 35,000 customers globally, its user-focused solution provides engaging simulations and informative content for a range of abilities. KnowBe4 offers unlimited use of its phishing simulations, as well as access to its library of more than 5,000 templates that are available in 34 languages. Its Software-as-a-Service solution is priced on a tiered basis—ranging from Silver to Diamond.
KnowBe4’s phishing simulations are quick to set up, can be sent via email, phone, and SMS—vishing is available from gold tier and above—and are fully customizable. Admins can make use of automated, pre-scheduled campaigns, and target recipients by group. The vendor also offers its free Phish Alert button plugin, which enables users to safely and easily report any phishing emails they might receive and sends a report to the Admin Console when a user passes a test. KnowBe4’s reporting and analytics tools include industry benchmarking, advanced reporting, smart groups, and automated risk assessments. Smart Groups—available from Platinum tier and above—enable admins to group users based on behavior and attributes, and tailor campaigns accordingly based on real-time data.
Overall, KnowBe4’s phishing simulation platform is rated highly. Users describe the solution as easy to deploy and configure, great value for money, flexible, and effective at reducing the number of employees falling for emails. Some users, however, find the analytics and reporting tool lacking in customization and filtering options for specific results or real-time dashboards. It’s also worth noting that some of the more complex or tailored features—such as Smart Groups—that are better suited to enterprise organizations are included in higher tiers only. KnowBe4’s solution is well suited to organizations of all sizes as it is flexible, built to scale, and easy to deploy and roll out to your employees.
Mimecast offers a comprehensive, easy-to-use, cloud-based email security platform that includes awareness training, a secure email gateway, email continuity, and archiving. Mimecast Awareness Training enables organizations to train their users in security awareness, as well as run phishing simulations and analyze individual risk scores. Phishing simulations can be fully customized or based on real-life emails that users within that organization have clicked on. Supporting more than 36,100 businesses across 26 languages, Mimecast Awareness Training is suited for commercial and enterprise organizations.
Mimecast SAFE Phish is an integrated phishing simulation platform. Simulated vishing and CEO phishing campaigns can be set up in under ten minutes. Mimecast Awareness Training works well in conjunction with Mimecast’s email security suite, including Mimecast Targeted Threat Protection—which rewrites malicious URLs before emails can reach users’ inboxes. If a user falls for one of these genuine—but rewritten—emails, the email is stored in Mimecast’s awareness training log and can be used in future simulations to test others. Mimecast provides a comprehensive, real-time reporting dashboard that calculates a risk score for both individuals and the entire organization. Using this dashboard, admins can track progress and benchmark against others in their industry or region.
Overall, users find Mimecast Awareness Training easy to use and particularly like its comprehensive and customizable reporting capability. The solution can be run on Amazon Web Services or Mimecast’s native cloud platform, Mime|OS. Mimecast recommends 60 minutes for configuration of this solution. Mimecast Awareness Training is best suited to SMBs and enterprise organizations across all industries that are looking for a strong and comprehensive email security solution alongside the ability to test and track users, particularly existing Mimecast customers.
Proofpoint is an industry leader in securing businesses and their data against advanced threats and email compromise attacks. Proofpoint Security Awareness Training was developed by Wombat Security Technologies—acquired by Proofpoint in March 2018—and enables organizations to test their users in a safe environment. Its security awareness training can be licensed either as a standalone solution or as part of the Proofpoint Essentials stack for SMBs. To run phishing campaigns, admins can leverage Proofpoint’s library of more than 700 templates, which are customizable, available in over 35 languages, and localized—meaning brands, character names, currencies, etc., are relevant to each end user’s location. Proofpoint’s phishing simulations can be sent via email or SMS—but please note that SMS is available in the US only.
Part of its offering, ThreatSim is a powerful phishing simulation tool that enables organizations to test users based on real-life phishing tactics and pinpoint vulnerabilities. Proofpoint also includes a free customizable plugin, Phish Alarm, which integrates with both Outlook and Gmail and enables users to easily report suspicious emails at the push of a button. Its responsive, easy-to-read reporting capabilities include benchmarking, filtering, and insights on end-user risk, as well as specific information on device, browser, and location when users fail a simulation. Admins can also leverage information on average failure rates to determine the difficulty of future phishing campaigns.
Proofpoint is a market leader in the email security space, with a global threat intelligence network collecting data from over 100 million inboxes, which is used to inform its awareness training programs. Overall, users find Proofpoint’s platform easy to use and great at providing detailed reports. Some users found that implementation, as well as initially learning how to use the platform, can take some time—but report that it’s worth the effort. Proofpoint’s solution is suitable for SMBs across all industries that are looking for a standalone security awareness training product or a full stack of security solutions, combining awareness training with technical email threat protection.
FAQs
What Is Phishing?
Phishing is a type of cyber-attack where malicious actors attempt to lure unsuspecting users into a specific action. In some instances, the user may be encouraged to click on a link, or download a file, that appears to be innocent and harmless, but is in fact malware. This malware can wreak havoc on a user’s system. Alternatively, a malicious actor may pose as a reliable individual or organization and encourage the target to divulge sensitive information.
Phishing attackers often use a “scatter gun” approach. They will spam hundreds or thousands of accounts with the same phishing attack, in the hope that one or two of the users will overlook the risk. This type of attack is not particularly sophisticated, but it still gets results.
How Can Phishing Simulation And Testing Solutions Help?
Phishing simulation can be particularly effective at preventing phishing as it gives users an opportunity to experience what a phishing attack is like. Rather than seeing an example email in a training environment, the user receives the phishing simulation in their actual inbox. Seeing a phishing email when they are not consciously expecting one ensures that users know what indicators to look out for.
From an admin’s perspective, deploying simulation is useful as you can easily see how effective security awareness training is. Individuals who fail the test can easily be identified, and tasked with completing further training modules until they pass.
The training itself is often very simple, with short, targeted modules to keep users engaged. This type of training has very real and useful benefits. For the sake of a couple of hours training per year, you can greatly decrease the potency and effectiveness of any real phishing campaigns that do make it to your inbox.
What Are The Different Types Of Phishing?
Phishing is an umbrella term for these speculative cyber-attacks that attempt to make a user perform a specific action. Today, there is an increasing variety of phishing attack types, each with its own target or method.
Vishing – Vishing is a contraction of “voice phishing” and refers to phishing attacks that use calls or voice notes to carry out the attack. In this case, we might be more easily convinced as we are not expecting a phishing attack to be carried out in this way.
Whaling – Rather than a method of phishing, Whaling refers to the target. Namely, someone big and important in an organization, such as a CEO or board member. Instead of using a scatter gun approach, this method will be more specific and may impersonate real employees. This attack is more convincing as spoofed domains and other fraudulent material may be used to make the attempt more realistic.
Spear Phishing – This attack is like Whaling but can be targeted at a less senior individual. Again, these attacks can be very specific to give the greatest chance of fooling an employee, and impersonation may be used to make the attempt more convincing.
What Is Phishing Simulation?
Phishing simulation is when a suspicious email is sent out to test how susceptible employees are to falling victim to a phishing message. Rather than this test mail actually containing malware or a fraudulent link, a notification will pop up, revealing that the user has been tricked. Their response will be logged and passed on to a network administrator. From there, the admin can decide if the user should undertake further training.
Phishing simulations often use templates from genuine phishing attacks. This makes the training more realistic, ensuring that admins can understand a user’s authentic response. Ideally, when a phishing simulation message is sent out, users will be naturally suspicious and either report the message or delete it. This suggests that when faced with a genuine phishing attempt, the user will be cautious and not fall victim to it.
Phishing attackers are ever evolving, so it’s important that your phishing simulation adapts too. The latest attack methods, like voice phishing (vishing), should be taken into account. A good phishing simulation solution will be able to distribute a range of realistic phishing messages and collect the response. Your solution should also be able to automate the frequency of phishing simulation tests to ensure the users are always ready to respond appropriately.
How Do Email Phishing Tools Work?
Phishing email tools work by scanning emails for “tell-tale” signs that they are malicious. This could be a sender address that uses a substitute character to make an email look like it is from a reputable brand. For instance, the letter “o” might be replaced by the number “0”. In a URL, this takes you to a completely different site, but to the average reader it will appear valid.
Email phishing tools will monitor mail for a range of these indicators, using an ever-expanding database of known phishing threats and templates. If detected, the tool can block an email from being delivered, or attach a warning notification instructing the user to exercise caution.
Many email phishing tools will also install a button within your email application that allows you to report suspicious mail. This can then be flagged to admin users, who can investigate the message. Some solutions will remove phishing mail even after it has been delivered to your inbox if another user reports it as suspicious.
Email phishing solutions often include additional features to detect and remediate phishing attempts.
- URL scanning – assesses URLs at the moment that users click on them to ensure that the link is not malicious.
- AI analysis – allows the tool to detect new phishing attempts that cannot be identified from the database.
- Header analysis – assesses an email’s metadata to understand its provenance and risk likelihood.
- Compliance – many solutions align with regulatory frameworks and produce audit reports to prove compliance.
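As an added example (not code from the page or from any vendor listed above), the Python script below applies two of the indicator checks described here to constructed sample headers: a lookalike sender domain built from substitute characters (such as the digit “0” for the letter “o”), and header analysis comparing the From, Return-Path and Reply-To domains. The trusted domain list and both sample messages are assumptions made for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Brand domains this (hypothetical) organization treats as trusted senders.
TRUSTED_DOMAINS = {"example.com", "payroll-example.com"}

# Substitutions commonly used to build lookalike domains. Folding a suspect
# domain through this table lets us compare it with the brand it imitates.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t")]


def normalize(domain: str) -> str:
    """Fold confusable characters so 'examp1e.c0m' becomes 'example.com'."""
    folded = domain.lower().strip()
    for bad, good in CONFUSABLES:
        folded = folded.replace(bad, good)
    return folded


def domain_of(addr_header) -> str:
    """Return the domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_headers(raw_message: str) -> list:
    """Return a list of human-readable indicators found in the headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg.get("From"))
    return_path = domain_of(msg.get("Return-Path"))
    reply_to = domain_of(msg.get("Reply-To"))
    findings = []

    # Indicator 1: visible sender domain is a lookalike of a trusted brand.
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        folded = normalize(from_domain)
        if folded in TRUSTED_DOMAINS:
            findings.append(f"lookalike sender domain {from_domain!r} resembles {folded!r}")

    # Indicator 2: envelope sender (Return-Path) does not match the From domain.
    if return_path and from_domain and return_path != from_domain:
        findings.append(f"Return-Path domain {return_path!r} differs from From domain {from_domain!r}")

    # Indicator 3: replies are redirected to a third domain.
    if reply_to and from_domain and reply_to != from_domain:
        findings.append(f"Reply-To domain {reply_to!r} differs from From domain {from_domain!r}")
    return findings


# Constructed sample: a lookalike sender with mismatched envelope and reply headers.
SUSPICIOUS = """Return-Path: <bounce@mailer-xyz.test>
From: "IT Support" <helpdesk@examp1e.c0m>
Reply-To: support@webmail-xyz.test
To: user@example.com
Subject: Password expiry notice

Your password expires today. Click the link to renew.
"""

# Constructed sample: consistent headers from the trusted domain.
LEGIT = """Return-Path: <helpdesk@example.com>
From: IT Support <helpdesk@example.com>
To: user@example.com
Subject: Scheduled maintenance

The mail servers will be patched on Saturday.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, analyze_headers(sample) or ["no indicators"])
```

The fold-and-compare check only catches substitution-style lookalikes; typosquats that add or drop characters need a distance-based comparison, and a Return-Path mismatch on its own is common for legitimate bulk mailers, so it is a risk signal rather than a verdict.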