
Innovative phishing simulations to build cyber-resilience

Guest post. As attackers use AI and automation, cybersecurity teams must also innovate their phishing simulations to move beyond 2010s-era scams.
Apr 7, 2026
7 minute read
Security

A phishing simulation is a controlled, fake cyberattack designed to test employee awareness and resilience against phishing scams. It involves sending realistic, malicious-looking emails or messages to identify security gaps; common examples include fake credential login pages, simulated ransomware, and targeted spear-phishing. In an increasingly adversarial cyber landscape, however, simulations are no longer simply about observing who clicks; they are about getting the workforce fully prepared. As attackers use AI and automation, security teams must also innovate their training methodologies to move beyond the low-hanging fruit of 2010s-era scams. A realistic simulation run today must mirror the modern threat landscape, focusing on psychological triggers, technical authenticity, and a culture of proactive reporting.

The gradual decline of the generic phish

The most significant innovation in phishing simulation is the move toward hyper-personalization. Traditional one-size-fits-all campaigns, such as a generic "Your package is delayed" email, often fail to challenge savvy employees and produce misleadingly low click rates. According to Gartner, nearly 29% of cybersecurity leaders reported that their organizations faced GenAI-driven attacks in the past year, with GenAI used across a broad range of use cases, including phishing, deepfakes, and social engineering. Today's simulations must draw on current tactics such as Business Email Compromise (BEC), which uses no malicious links at all, only a request for a conversation or a change in banking details. According to the FBI IC3 2023 Report, BEC remains one of the most financially devastating forms of cybercrime, with losses exceeding $2.9 billion, underscoring that the human element is the ultimate exploit.

To simulate this effectively, internal security teams should analyze the specific software and communication styles used within their own organization. If an organization uses Slack for 90% of its internal chatter, an email-based "Internal Memo" will look suspicious from the start. By contrast, a simulated direct message on a collaboration platform or a notification from a specific SaaS tool like Jira or Workday is far more likely to test the user's actual judgment. By replicating the tone and cadence of real corporate communications, employees can be pushed to look for the subtle technical red flags rather than obvious stylistic ones.

Technical sophistication and MFA bypass

We are moving into an era where a simple "don't enter your password" warning is insufficient. Threat actors are increasingly using Adversary-in-the-Middle (AiTM) techniques to bypass Multi-Factor Authentication (MFA). The victim is directed to a proxy server that mimics a real login page. After the victim enters their credentials and completes the MFA prompt, the attacker captures the resulting session cookie, granting them full access without ever needing the password again. Microsoft's Security Blog highlights how these session-theft attacks are becoming standard in the criminal toolkit.

Innovating simulations means moving toward "session hijacking" simulations. Instead of a static page that tells the user they failed, the simulation should demonstrate the danger of "proxy phishing": tools that simulate the redirection of a user through a middleman server. When employees see that their MFA code, something they previously thought was an "invincibility cloak," can be intercepted, the educational impact is significantly higher. This shift in training aligns with MITRE ATT&CK Technique T1566 (Phishing), which catalogs the ways attackers use phishing to subvert traditional defenses.
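Because a stolen session cookie is presented by the attacker's own browser rather than the victim's, the footprint it leaves in sign-in logs is a session that was established from one client and is later used from another. The following detector is an added example, not code from the original post or from any product it mentions; it assumes an application or identity-provider log with one JSON record per request carrying a session id, source IP and user agent, and the field names and records below are constructed for illustration.

```python
"""Flag web sessions whose cookie is later presented from a different client.

Added example (not from the original post). Assumes a sign-in log with one
JSON record per request holding a session id, source IP and user agent;
field names and the sample records are constructed for illustration.
"""
import json
from collections import defaultdict

# Constructed sample log: alice completes MFA, then her session id shows up
# minutes later from a different IP and browser, the pattern left behind
# when a session cookie is relayed through a proxy phishing page.
SAMPLE_LOG = """
{"ts": "2026-04-07T09:00:05Z", "user": "alice", "session": "s-1", "ip": "203.0.113.10", "ua": "Chrome/123 Windows", "event": "mfa_success"}
{"ts": "2026-04-07T09:00:40Z", "user": "alice", "session": "s-1", "ip": "203.0.113.10", "ua": "Chrome/123 Windows", "event": "page_view"}
{"ts": "2026-04-07T09:06:12Z", "user": "alice", "session": "s-1", "ip": "198.51.100.77", "ua": "Firefox/124 Linux", "event": "page_view"}
{"ts": "2026-04-07T09:07:00Z", "user": "bob", "session": "s-2", "ip": "203.0.113.22", "ua": "Safari/17 macOS", "event": "mfa_success"}
{"ts": "2026-04-07T09:09:30Z", "user": "bob", "session": "s-2", "ip": "203.0.113.22", "ua": "Safari/17 macOS", "event": "page_view"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_session_reuse(records):
    """Return one alert per (session, new client) pair.

    A session's client fingerprint is the (ip, user agent) pair on its first
    record, normally the MFA success.  Any later record for the same session
    from a different fingerprint is reported once.
    """
    first_seen = {}
    alerted = defaultdict(set)
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        sid = rec["session"]
        fingerprint = (rec["ip"], rec["ua"])
        if sid not in first_seen:
            first_seen[sid] = fingerprint
            continue
        if fingerprint != first_seen[sid] and fingerprint not in alerted[sid]:
            alerted[sid].add(fingerprint)
            alerts.append({
                "user": rec["user"],
                "session": sid,
                "original_client": first_seen[sid],
                "new_client": fingerprint,
                "at": rec["ts"],
            })
    return alerts


if __name__ == "__main__":
    for a in find_session_reuse(parse_log(SAMPLE_LOG)):
        print(f"[ALERT] {a['user']} session {a['session']} used from "
              f"{a['new_client']} after being established from "
              f"{a['original_client']} at {a['at']}")
```

Treat the output as a triage signal rather than a verdict: laptops roaming between office and mobile networks change IP legitimately, so in practice the fingerprint comparison is usually combined with ASN or geolocation checks and a short time window after the MFA event.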


The psychology of the 'teachable moment'

The goal of a simulation is not to catch people; it is to teach them. The "teachable moment" occurs within seconds of a user failing a simulation. If a user clicks and is met with a 30-minute mandatory training video, they will feel punished and likely grow resentful of the security team. Innovation in this space involves Just-in-Time micro-learning. A successful landing page after a click can be visually engaging and immediately highlight the missed cues in the specific email they just interacted with.

Furthermore, the NIST Phish Scale provides a framework for security leaders and teams to understand why certain emails are more effective than others. It analyzes the visibility of the cues in a phish and the human context it lands in. For example, an email sent during a busy period, such as year-end accounting, is naturally more difficult to handle than one sent during a quiet summer week. By using the Phish Scale, innovators can ensure they aren't just making hard phishes, but relatively fair ones that provide measurable data on employee resilience under different levels of cognitive load.

Accessibility for all: the nonprofit strategy

Nonprofits often operate under very tight constraints, such as limited budgets and skeleton IT teams, making them a prime target for threat actors who know that their defenses are not that robust. However, a simulation program doesn't have to be expensive with modern phishing simulation tools and techniques. Nonprofits can innovate using powerful open-source tools like Gophish, a free and widely used toolkit for managing phishing campaigns. As outlined in the Gophish User Guide, the platform allows organizations to clone their own login pages and track results without a recurring subscription fee.

For a low-friction approach, nonprofits can also use the starter or free tiers of commercial platforms. For example, certain organizations offer a free phishing simulation starter tool that includes incident insights. Additionally, for the educational component, the SANS OUCH! Newsletter provides high-quality, free security awareness materials that can be linked directly to the failure pages of a Gophish campaign. This allows a nonprofit to run a professional-grade simulation program with limited or even zero software spend, focusing its limited resources on remediating the vulnerabilities identified during the tests.

From click-rates to a reporting culture

The final frontier of innovation in phishing simulation is the metric of success. For too long, the industry has obsessed over the click rate. However, a low click rate might simply mean the simulation was too easy. The more valuable metric is the reporting rate.

A high reporting rate indicates a vigilant human team that actively contributes to the company's threat intelligence. When an employee clicks the 'Report Phishing' button, they are not just protecting themselves; they are alerting the SOC to a potential campaign.

Building this culture requires positive reinforcement. According to a benchmark report, organizations that gamify the reporting process, including regular simulation, training, and reporting mechanisms, see a drastic reduction in their phish-prone percentages. Instead of shaming those who fail, companies that thrive tend to celebrate their top reporters. This shifts the perception of the security team from digital police to partners in defense. Ultimately, a realistic simulation program should strive to turn every employee into a sensor, creating a mesh network of human intelligence that is far more difficult for an attacker to penetrate than any single technical control.
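The two ideas above, rating each lure with the NIST Phish Scale and judging a campaign by its report rate rather than its click rate alone, fit together naturally: a click rate only means something once you know how hard the phish was. The script below is an added example, not code from the original post or from NIST. The cue categories, the cue-count bins (few: 1 to 8, some: 9 to 14, many: 15 or more) and the cue/premise-alignment matrix follow my reading of the NIST Phish Scale paper (Steves, Greene and Theofanos, 2020) and should be treated as an assumption to check against the published tables; the campaign results are constructed sample data.

```python
"""Rate simulated-phish difficulty with the NIST Phish Scale and report
click and report rates per lure alongside that rating.

Added example (not from the original post or from NIST).  Cue categories,
cue-count bins and the difficulty matrix are my reading of the Phish Scale
paper; verify them against the published tables.  Campaign data is
constructed.
"""
from collections import Counter

# Observable-cue categories the Phish Scale tallies (assumed from the paper).
CUE_CATEGORIES = ("errors", "technical_indicators", "visual_presentation",
                  "language_and_content", "common_tactics")

# Detection-difficulty matrix, keyed by (cue bucket, premise alignment).
# Fewer cues and a premise that fits the recipient's work make a phish harder.
DIFFICULTY = {
    ("few", "high"): "very difficult",
    ("few", "medium"): "very difficult",
    ("few", "low"): "moderately difficult",
    ("some", "high"): "very difficult",
    ("some", "medium"): "moderately difficult",
    ("some", "low"): "moderately to least difficult",
    ("many", "high"): "moderately difficult",
    ("many", "medium"): "moderately difficult",
    ("many", "low"): "least difficult",
}


def cue_bucket(cues):
    """Bucket the total number of observable cues (assumed bins: 1-8, 9-14, 15+)."""
    total = sum(cues.get(category, 0) for category in CUE_CATEGORIES)
    if total <= 8:
        return "few"
    if total <= 14:
        return "some"
    return "many"


def rate_phish(cues, premise_alignment):
    """Return the Phish Scale difficulty rating for a lure."""
    if premise_alignment not in ("high", "medium", "low"):
        raise ValueError("premise_alignment must be 'high', 'medium' or 'low'")
    return DIFFICULTY[(cue_bucket(cues), premise_alignment)]


# Constructed campaign: a well-aligned lure with few cues versus the generic
# "package delayed" phish.  One outcome per recipient keeps the arithmetic
# simple; real tooling records click and report as separate events.
CAMPAIGN = [
    {"lure": "year-end expense approval",
     "cues": {"errors": 0, "technical_indicators": 2, "visual_presentation": 0,
              "language_and_content": 1, "common_tactics": 2},
     "premise_alignment": "high",
     "outcomes": ["clicked", "reported", "clicked", "ignored", "reported", "clicked"]},
    {"lure": "generic package delayed",
     "cues": {"errors": 6, "technical_indicators": 5, "visual_presentation": 3,
              "language_and_content": 3, "common_tactics": 2},
     "premise_alignment": "low",
     "outcomes": ["reported", "ignored", "reported", "ignored", "reported", "ignored"]},
]


def campaign_metrics(campaign):
    """Click rate and report rate per lure, paired with its difficulty rating,
    so a low click rate on an easy phish is not mistaken for resilience."""
    results = {}
    for entry in campaign:
        counts = Counter(entry["outcomes"])
        n = len(entry["outcomes"])
        results[entry["lure"]] = {
            "difficulty": rate_phish(entry["cues"], entry["premise_alignment"]),
            "click_rate": counts["clicked"] / n,
            "report_rate": counts["reported"] / n,
        }
    return results


if __name__ == "__main__":
    for lure, m in campaign_metrics(CAMPAIGN).items():
        print(f"{lure}: {m['difficulty']}; click {m['click_rate']:.0%}, "
              f"report {m['report_rate']:.0%}")
```

Read the two rows together: the generic lure scores zero clicks, which looks like success until the rating shows it was the least difficult phish, while the well-aligned lure is where the report rate tells you whether people are actually feeding the SOC.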

Atish Kumar Dash

Solutions Consultant, Advance Solutions Corp.

NTEN™
P.O. Box 86308
Portland, OR 97286-0308
+1 503-272-8800

© 2026 NTEN