Phishing continues to be one of the most prevalent modes of cyberattack in modern times. An alarming 57% of organizations experienced a successful phishing attack in 2020 – which isn’t something that should be taken lightly. And now, with more of us reliant on online communications than ever, it’s never been more important for your employees to be able to spot those phishing lures.
As cyberthreats evolve, organizations’ security defenses need to evolve with them – and that includes their staff. But as employees grow wiser, so do cybercriminals.
It’s not enough to provide a few unengaging, once-a-year, click-through training modules – users need to be engaged and tested continuously so that phishing stays fresh in their minds. After all, employees who both know what to look for and regularly practice those skills are far more likely to spot and report a real attack when faced with one.
Phishing simulation testing is one of the best ways an organization can train its staff in a realistic but safe environment. Simulations work by sending users mock phishing emails that are designed to look and feel genuine. The test lies in the user’s response: to pass a simulation, the user has to report the email as a phishing attempt. Many vendors offer a free plugin that lets users safely and easily report any suspicious email directly to their security team. A user who clicks on any of the attachments or URLs in the email has failed, and vendors often provide reporting tools that let organizations identify and remediate these behaviors.
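The pass/fail mechanic described above, as an added example (not code from the article or from any of the vendors below): it scores a constructed event log per user, derives the campaign phish rate and time-to-report figures that the vendor dashboards expose, and, going one step beyond the paragraph, tiers the next campaign's difficulty off the failure rate in the way several vendors describe. The log format, event names and thresholds are assumptions made for this example.

```python
"""Score a simulated phishing campaign from per-user event logs (added example;
the log format and difficulty thresholds are constructed assumptions)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: (user, seconds since delivery, event). Events come
# from the gateway (delivered), the simulation landing page (clicked /
# attachment) and the report-button plugin the vendors provide (reported).
SAMPLE_EVENTS = [
    ("alice", 0, "delivered"), ("alice", 95, "reported"),
    ("bob", 0, "delivered"), ("bob", 40, "clicked"), ("bob", 200, "reported"),
    ("carol", 0, "delivered"), ("carol", 30, "opened"),
    ("dave", 0, "delivered"), ("dave", 12, "attachment"),
    ("erin", 0, "delivered"), ("erin", 600, "reported"),
]
FAIL_EVENTS = {"clicked", "attachment"}  # any interaction with the lure


@dataclass
class UserResult:
    outcome: str = "ignored"          # "passed", "failed" or "ignored"
    report_time: "int | None" = None  # seconds until the first report


def score_campaign(events) -> dict[str, UserResult]:
    """Pass/fail per user, in time order: a click or attachment open fails
    the user even if they report later (the payload has already run); a
    report with no prior interaction passes; opening the mail is neutral."""
    results: dict[str, UserResult] = defaultdict(UserResult)
    for user, t, event in sorted(events, key=lambda e: e[1]):
        r = results[user]
        if event in FAIL_EVENTS:
            r.outcome = "failed"
        elif event == "reported":
            if r.report_time is None:
                r.report_time = t
            if r.outcome != "failed":
                r.outcome = "passed"
    return dict(results)


def campaign_metrics(results: dict[str, UserResult]) -> dict:
    """Phish rate (share of users who failed), report rate and median
    time-to-report. Reports made after a failure still count: they still
    put the message in front of the security team."""
    n = len(results)
    failed = sum(r.outcome == "failed" for r in results.values())
    times = sorted(r.report_time for r in results.values() if r.report_time is not None)
    return {
        "phish_rate": round(failed / n, 3) if n else 0.0,
        "report_rate": round(len(times) / n, 3) if n else 0.0,
        "median_report_seconds": times[len(times) // 2] if times else None,
    }


def next_difficulty(phish_rate: float, current: str) -> str:
    """Assumed tiering rule: step up when under 10% of users fail, step
    down when over 30% fail, otherwise hold the current level."""
    levels = ["easy", "medium", "hard"]
    i = levels.index(current)
    if phish_rate < 0.10 and i < len(levels) - 1:
        return levels[i + 1]
    if phish_rate > 0.30 and i > 0:
        return levels[i - 1]
    return current


if __name__ == "__main__":
    m = campaign_metrics(score_campaign(SAMPLE_EVENTS))
    print(m, "next difficulty:", next_difficulty(m["phish_rate"], "medium"))
```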
We’ve put together a list of the top phishing simulation testing solutions, so your organization can transform its employees into human phishing detectors. We’ll talk through some of their key features and how they work, as well as how easy they are to use and implement.
The Top 9 Phishing Simulation Testing Solutions include:
Barracuda | Cofense | Hoxhunt | Infosec | IRONSCALES | KnowBe4 | LUCY Security | Mimecast | Proofpoint
Enterprise-grade simulations and advanced reporting capabilities
Barracuda is a leading email and network security provider, serving 200,000 organizations globally and providing enterprise-scale, multi-layered security solutions. Having acquired PhishLine in January 2018, they offer Barracuda PhishLine as an easy-to-use phishing simulation and testing platform that can be licensed either standalone, or as part of their Total Email Protection stack alongside Barracuda Essentials, Sentinel, and Forensics and Incident Response. PhishLine leverages intelligence from their threat database to offer real-world simulations that are not only relevant, but customizable and user-friendly. The platform supports more than 20 languages, but what sets it apart from others on the market is the strength and detail of its reporting capability.
Offering not only the ability to run phishing campaigns, but SMiShing and vishing too, Barracuda PhishLine is scalable and versatile, and offers up-to-date, relevant content that’s refreshed daily. Admins can choose between running a fully customized campaign or making use of ready-to-send templates via the five-step Quick Launch option. PhishLine Concierge is an optional managed-service add-on that provides an expert consultant to manage campaigns end-to-end. Barracuda PhishLine also provides a free Phish Reporting Button plugin, which integrates easily with Outlook, Exchange, and Gmail and enables users to report suspicious messages. Known for its robust reporting capabilities, the platform captures more than 16,000 data points for analysis, alongside capabilities for benchmarking, identifying risk levels, viewing user behavior and trend data, and creating customizable reports.
Overall, users rate Barracuda PhishLine highly for its quality material and robust reporting capabilities. In their report, Gartner observed some enterprise customers expressing concerns about the amount of data being collected, and recommends that those with data protection and privacy requirements deploy advanced configurations to address their needs. The solution is best suited for enterprise organizations looking for up-to-date simulation content and advanced reporting capabilities alongside multi-layered, comprehensive email security solutions.
Industry-Leading Phishing Protection And Simulations
Cofense – formerly PhishMe – is an industry leader providing advanced phishing detection and defense solutions for organizations. Their phishing threat intelligence leverages data from 26 million users across the globe to detect phishing attacks, providing actionable and accurate insights for organizations. Serving more than 2,000 enterprise businesses globally, their easy-to-deploy security awareness training solution emulates real-life threats that are known to slip past secure email gateways. Their phishing simulations are built with input from their threat analysis, research labs, and defense center team. Offering a library of 1,500 templates in 36 languages – as well as localized content – Cofense’s simulations are up to date, relevant, and customizable.
Cofense’s PhishMe is their user-intuitive phishing simulation tool, which allows admins to test users by sending realistic mock phishing attacks. Built in is the ability to automate campaigns over a 12-month period, as well as smart suggestions based on historical simulation results, active threats, and relevance to specific industries. In addition, campaigns can be customized so that phishing simulations are delivered only when users are active. Their free email reporting plugin, Cofense Reporter, integrates easily with Outlook, Microsoft 365, Gmail, and Lotus Notes, and helps track which users report simulations, as well as their response times. Their intuitive reporting tool includes industry benchmarking and digestible executive-level reporting, as well as more granular metrics.
Overall, Cofense’s phishing simulation platform is a leading cloud-based training solution. Users rate this platform highly and find it user-friendly, reliable and flexible – although some users report that the platform could be improved by greater reporting capabilities and a more diverse template library. Cofense’s awareness training and simulation solution is suitable for organizations of all sizes across multiple industries – including infrastructure, government, finance, healthcare, and energy. A version of their PhishMe tool is also available at no cost to small businesses with fewer than 500 employees. This solution is ideal for organizations seeking robust phishing simulations and strong awareness training alongside Cofense’s technical security tools.
An Innovative, Fully Managed, And Gamified Phishing Simulation Solution
Hoxhunt is a fast-growing European startup that specializes in teaching employees to identify and respond to phishing attacks in innovative, fun, and engaging ways. Their user-centric platform uses gamification to reward users for correctly identifying and reporting simulated phishing emails, and enables them to track their own progress using a user-friendly, real-time dashboard. The solution is a fully managed service, and this includes the full end-to-end automation of all phishing campaigns. Currently supporting more than 20 languages, their simulated content is continuously up to date to mimic real-life attacks and keep users aware of evolving threats. Training can be targeted at both security teams and individual employees.
To keep training fun, Hoxhunt refers to their phishing campaigns as “quests”. These are deployed automatically by Hoxhunt and sent to users multiple times per month, so that phishing awareness is constantly fresh in their minds. Hoxhunt’s analysts and content team work to personalize and tailor quests towards each user’s skill level and role, as well as to be relevant to their specific organization. Users can report suspected phishing emails via a free plugin, which integrates with Microsoft 365, Outlook, and Gmail. When users correctly identify and report simulated emails, they are instantly rewarded with stars – these are recorded on their personal user dashboard and contribute to their total point score. Points can later be redeemed for real-life prizes. Using this real-time dashboard, users can track their success rates, as well as emails clicked on, and compete for a spot on the top 10 leaderboard within their organization.
Hoxhunt’s solution is overall a fun and engaging way to keep phishing awareness at the forefront of employees’ minds. Personal support is available for technical setup and onboarding, while onboarding new users takes minutes. Users find the platform user-intuitive, engaging, fun, and seamless to integrate, while security teams can focus on training users and remediating threats rather than personalizing and managing campaigns. This solution is suitable for SMBs and enterprises, and is a great option for organizations looking for a fully managed, personalized, and engaging phishing simulation platform.
Customizable, scalable security awareness training and phishing simulations
Infosec is a cybersecurity education company that offers professional training and certification as well as security awareness training and phishing simulations. Currently serving 5 million learners in 185 countries, Infosec Skills is aimed at upskilling and certifying, while Infosec IQ offers training modules and resources to help improve organizational culture and employee awareness. Included with Infosec IQ are more than 1,000 phishing templates – 300 of these are translated across 18 languages and localized for multinational organizations – and new templates are added weekly.
Infosec’s IQ PhishSim is a customizable phishing simulation tool, enabling admins to create bespoke campaigns based on real threats facing their organization or to choose from Infosec’s expansive library. With a wide range of attack types to choose from, as well as options to customize branding and create landing pages, this platform offers the flexibility to train users across all levels and job types. Infosec also includes its free plugin, PhishNotify, which enables users to flag suspicious emails and records which users are reporting simulations. Infosec’s reporting capabilities extend to measuring an organization’s overall phish rate, automated campaign reports, email reply tracking, and overall progress over time.
Infosec IQ is a highly rated solution. All subscriptions include 1:1 support for implementation, as well as a client success manager and technical support. Users recommend Infosec IQ as easy to use, highly flexible and customizable. This platform is suitable for both SMBs and enterprises looking for a flexible and scalable security awareness training and phishing simulator. The solution is priced at three different levels – Standard, Enterprise, and Infosec IQ + Skills – but all three include unlimited phishing simulations and user risk scoring.
Market-Leading Email Security Platform That Tailors Phishing Campaigns To Individual User Requirements
IRONSCALES is a market-leading cloud-based email security platform that combines artificial and human intelligence to provide fast and effective email threat protection. Their comprehensive, all-in-one anti-phishing platform is designed to protect against social engineering attacks – both by providing strong email security, and by training users to spot and report phishing emails when they receive them. Offering three levels to their solution – Core, Core+, and Ultimate – all packages include the ability to run phishing and smishing campaigns, as well as track individual user analytics. In its approach to phishing simulations, IRONSCALES makes their solution relevant to specific users based on real-time data from real attacks their company is facing.
IRONSCALES’ phishing campaigns are fully customizable – admins can choose from a library of real-world templates and target specific groups within their organization. Campaigns are also tailored to individual users’ awareness levels. Benchmarking assessments are used to analyze each user’s ability to recognize phishing emails and assign them a score. This score then determines the difficulty of future simulated emails sent to each individual, and can improve over time as their awareness develops. Complementing this, IRONSCALES provides an Outlook plugin that enables users to report suspected phishing emails in one click. Their advanced reporting capabilities also allow admins to track users’ progress in real time via an easy-to-use dashboard, to identify users who fell “victim” to the simulation, and to administer further training as required.
Overall, IRONSCALES is rated highly as an all-in-one solution for email security and anti-phishing protection. Users find the platform easy to use and understand, good value for money and great at providing executive-level reporting. The solution is also easy to integrate with Microsoft 365, G-Suite, or Exchange and requires no MX-record configuration on the email side, while onboarding users takes two clicks. IRONSCALES’ solution is ideal for SMBs as well as enterprise organizations, and is best-suited for businesses looking for market-leading email security alongside phishing simulation.
Market-Leading Simulations and Reporting Tools
KnowBe4 is an industry giant in security awareness training, dominating the market with their easy-to-deploy and user-intuitive security awareness training platform. Serving over 35,000 customers globally, their solution aims to keep the user at the forefront, with engaging simulations for a range of abilities. KnowBe4 offers unlimited use of their phishing simulations, as well as access to their library of over 5,000 templates that are available in 34 languages – which certainly sets them apart. Their Software-as-a-Service solution is priced on a tiered basis – ranging from Silver to Diamond – with more features becoming available in higher tiers.
KnowBe4’s phishing simulations are quick to set up, can be sent via email, phone, and SMS – vishing is available from Gold tier and above – and are fully customizable. Admins can make use of automated, pre-scheduled campaigns, and target recipients by group. They also offer their free Phish Alert Button plugin, which both enables users to safely and easily report any phishing emails they might receive – whether simulated or genuine – and sends a report to the Admin Console when a user passes a test. KnowBe4’s reporting and analytics tools include industry benchmarking, advanced reporting, Smart Groups, and automated risk assessments. Smart Groups – available from Platinum tier and above – allows admins to group users based on behavior and attributes, and to tailor campaigns accordingly based on real-time data.
Overall, KnowBe4’s phishing simulation platform is rated highly. Users describe the solution as easy to deploy and configure, great value for money, flexible, and effective at reducing the number of employees falling for phishing emails. The main pain point is that some users find the analytics and reporting tool lacking in options for customizing and filtering specific results, or for viewing real-time dashboards. It’s also worth noting that some of the more complex or tailored features – such as Smart Groups – that are better suited to enterprise organizations are included in higher tiers only. KnowBe4’s solution is well-suited for organizations of all sizes as it is flexible, built to scale, and easy to deploy and roll out to your employees.
Penetration Testing And Awareness Training
LUCY Security is a security awareness training and penetration testing platform that enables organizations of all sizes to test and educate their employees, as well as identify any vulnerabilities. There are currently 10,000 installations of LUCY worldwide, and the solution includes four modules – testing users, training users, testing infrastructure, and empowering users to act. It sets out its pricing across five editions that range in suitability from small business to enterprises and managed service providers. Using this platform, phishing simulations are easy to set up and admins can choose from hundreds of templates in 30 languages.
LUCY Security provides a versatile and diverse range of simulation attacks, including smishing, spear phishing, and ransomware simulations. It should be noted, however, that more advanced features and options for customization are only available in higher editions and for larger organizations. For example, unlimited campaigns are available from the Professional edition and above, and smishing from Premium and above. There is also the option to fully outsource campaign management to LUCY. The customizable LUCY mail plugin integrates with Outlook, Microsoft 365, and Gmail, and enables users to easily report suspicious emails with one click. Admin reporting capabilities include a real-time dashboard to track users’ progress as well as campaign metrics, benchmarking, and intelligence insights.
Overall, LUCY Security is a versatile and comprehensive phishing simulation, training, and penetration testing platform. Users find this solution intuitive, flexible, easy to deploy and configure, cost effective, and highly customizable. The solution can be installed on-premises or in the cloud, or run on LUCY’s virtual private server. LUCY Security is suitable for organizations of all sizes, including SMBs, enterprises, and MSPs. Additionally, the solution is suitable across a range of industries, with current customers including organizations in finance, energy, government, manufacturing, and healthcare. This solution is a great choice for organizations looking to test both employees and infrastructure, as well as to educate and empower users.
A Comprehensive Email Security Platform With Phishing Simulations and User Reporting
Mimecast offers a comprehensive, easy-to-use, cloud-based email security platform that includes awareness training, a secure email gateway, email continuity, and archiving. Mimecast Awareness Training allows organizations to train their users in security awareness, as well as run phishing simulations and analyze individual risk scores. Phishing simulations can be fully customized or based on real-life emails that users within that organization clicked on – turning genuine threats into tests. Supporting more than 36,100 businesses across 26 languages, Mimecast Awareness Training is suited for commercial and enterprise organizations.
Mimecast SAFE Phish is Mimecast’s integrated phishing simulation platform. Types of simulations available include vishing and CEO phishing, and campaigns can be set up in under ten minutes. Mimecast Awareness Training works well in conjunction with Mimecast’s email security suite, including Mimecast Targeted Threat Protection – which rewrites malicious URLs before emails can reach users’ inboxes. If a user falls for one of these genuine – but rewritten – emails, the email is stored in Mimecast’s awareness training log and can be used in future simulations to test others. Mimecast provides a comprehensive, real-time reporting dashboard that calculates a risk score for both individuals and the entire organization. Using this dashboard, admins can track progress and benchmark against others in their industry or region.
Overall, users find Mimecast Awareness Training easy to use and particularly like its comprehensive and customizable reporting capability. The solution can be run on Amazon Web Services or on Mimecast’s native cloud platform, Mime|OS. Mimecast recommends allowing 60 minutes for configuration of this solution. Mimecast Awareness Training is best suited for SMBs and enterprise organizations across all industries that are looking for a strong and comprehensive email security solution alongside the ability to test and track users, particularly existing Mimecast customers.
Flexible Phishing Simulations And Detailed Reporting Capabilities
Serving over 4,000 organizations globally, Proofpoint is an industry leader in securing businesses and their data against advanced threats and email compromises. Proofpoint Security Awareness Training was developed by Wombat Security Technologies – acquired by Proofpoint in March 2018 – and enables organizations to test their users in a safe environment. Their security awareness training can be licensed either as a standalone solution or as part of their Proofpoint Essentials stack for SMBs. To run phishing campaigns, admins can leverage Proofpoint’s library of more than 700 templates, which are customizable, available in over 35 languages, and localized – meaning brands, character names, currencies, etc. are relevant to each end user. Proofpoint’s phishing simulations can be sent via email or SMS – but please note that SMS is available in the US only.
Part of this offering, ThreatSim is a powerful phishing simulation tool that enables organizations to test users based on real-life phishing tactics and pinpoint vulnerabilities. Proofpoint also includes a free customizable plugin, PhishAlarm, which integrates with both Outlook and Gmail and enables users to easily report suspicious emails at the push of a button. Their responsive, easy-to-read reporting capabilities include benchmarking, filtering, and insights on end-user risk, as well as specific information on the device, browser, and location when users fail a simulation. Admins can also use information on average failure rates to determine the difficulty of future phishing campaigns.
Proofpoint is a market leader in the email security space, with a global threat intelligence network collecting data from over 100 million inboxes, which is used to inform their awareness training programs. Overall, users find Proofpoint’s platform easy to use and great at providing detailed reports. Some users report that implementation, as well as initially learning to use the platform, can take some time, but that it’s worth the effort. Proofpoint’s solution is suitable for SMBs across all industries that are looking for either a standalone security awareness training product or a full stack of security solutions, combining awareness training with technical email threat protection.