Simulated phishing or a phishing test is where deceptive emails, similar to malicious emails, are sent by an organization to their own staff to gauge their response to phishing and similar email attacks. The emails themselves are often a form of training, but such testing is normally done in conjunction with prior training; and often followed up with more training elements. This is especially the case for those who "fail" by opening email attachments, clicking on included weblinks, or entering credentials.
There is wide acceptance within the IT security field that technical measures alone cannot stop all malicious email attacks, and that good training of staff is necessary.[1] Simulated phishing allows the direct measurement of staff compliance, and when run regularly, can measure progress in user behavior. Phishing simulation is recommended by various official agencies, who often provide guidelines for designing such policies.[2] Phishing simulations are sometime compared to fire drills in giving staff regular practice in correct behaviour.[3]
Such campaigns need to be authorised at an appropriate level[4] and carried out professionally.[5] If such a technique is used carelessly, it may breach laws, attract lawsuits, and antagonise or traumatise staff.
However, if employees are advised of a change to policy such that "the company reserves the right to send deceptive 'simulated phishing' email to staff from time to time to gauge staff security awareness and compliance", and training and guidance has been given in advance, then such problems should not occur. Some organisations may choose to require users to give their consent by opting in,[6] and others may allow staff the option to opt out.[7]
The standard advice is that "failing" staff not be shamed in any way, but it is appropriate and reasonable to provide supportive followup training.[8] [9] [10]
Some techniques which might be effective and in use by malicious actors are normally avoided in simulated phishing for ethical or legal reasons. These would include emails with content likely to cause distress to the recipient or the use of third-party trademarks,[5] [8] although it is also sometimes argued that this is covered by fair use.[11]
Such testing can be done in a number of ways.
Because organisations generally have a set of multi-layered defences in place to prevent actual malicious phishing, simulations often require some whitelisting to be put in place at email gateways, anti-virus software and web proxies to allow email to reach user desktops and devices and to be acted upon.
Most advice is that testing should be done several times per year, to give staff practice in responding correctly, and to provide management feedback on the progress in staff identifying and reporting potentially dangerous email.