What Is a Phishing Simulation?

Most aspects of information security are necessary-but-imperfect practices. As security practitioners, we see the gaps a bad actor could exploit, but we know removing or ignoring a layer of protection will only increase the risk.

Defending against phishing suffers from this problem. Phishing attacks increased by 11% in the last year, and about 82% of breaches involve a human element. So having protection against phishing attacks is vital, yet the tools at our disposal are far from perfect.

Let’s start with proactive, inbound detection. Detecting and stopping attacks before they reach their targets is necessary and must be constantly improved. But, unfortunately, inbound protection against phishing attacks will never be perfect. So what then? Do we put the onus entirely on our end users? Of course not - it’s still the security team’s responsibility to reduce the messages end users receive, and reduce the impact of an end user falling victim to an attack. We don’t ignore inbound protection because it isn’t perfect. 

Another defense against phishing attacks is simulation-based training. Anyone who’s run these, or received them, knows they’re imperfect. But like other security practices, they can benefit our organization when done correctly. So what’s the best approach? We’re going to dive into that today by looking at phishing simulations, the typical problems, and how to do phishing training in a way that best supports security efforts without putting all the responsibility on users.

What Is a Phishing Simulation? 

Let’s back up first and do a quick level-set to discuss what phishing is in the first place. Phishing is a type of cyber attack, and it’s heavily utilized by malicious actors because it’s relatively low-effort with high results when it’s successful. Phishing can come in many forms. It might be a mass email trying to get victims to click on a link or a form, or it might involve cloning an email or mimicking a legitimate website.

Phishing takes advantage of our reliance on email to complete business-critical workflows. We’re inundated with messages asking us for something, and in our rush to be productive, we miss cues that something is off. And that’s how attackers get access to an organization. One tool many organizations use to combat this problem is something called a phishing simulation. 

A phishing simulation is a phishing campaign run within an organization that mimics a real-world attack. Typically, a security expert will run the phishing campaign without warning employees at the organization so they will respond to the phishing simulation like they would to a real attack. That gives the security team an opening to discuss the appropriate response to a phishing attack to hopefully help tighten security and prevent successful attacks. 

Phishing simulations help remind us that we can’t be in such a rush that we forget basic security steps. A simulation can be a reality check. They’re also an opportunity to teach us about the latest types of attacks and to help prepare the company to hold strong against these. 

But phishing simulations can have problems too. Next, we’ll dive into those so you can best evaluate a phishing simulation solution for your organization.  

Typical Problems with Phishing Simulations

Running phishing simulations isn’t a perfect solution to preventing phishing attacks from being successful. Let’s look at some common problems with phishing simulations and why many security teams shy away from them. Keep in mind that not every phishing simulation has these problems. These are just some of the typical problems that occur throughout the industry as a whole. 

Lack of realism

The biggest problem with phishing simulations is that they’re simply not realistic. Typically, a phishing simulation requires an allow list to bypass inbound protection because otherwise the test would never make it to an employee’s inbox. So the test is something an employee would never see! 

This lack of realism means that security teams aren’t teaching people about the types of attacks they could face at any time. Instead, they’re giving employees false confidence that they know what to expect, potentially having the opposite of the intended effect.  

Limited ROI

Phishing simulations have a limited return on investment. A security team has to invest manual work into a simulation—creating templates, managing allow lists, deploying a new ‘button’ for reporting simulations, and more. Some tools are better than others, but they all still take resources. And if simulations have limited success in preparing employees for real-life scenarios because of the problems discussed earlier, even a small investment isn’t worth it. Security teams could instead use those resources for other initiatives. 

Shifting responsibility

It’s also worth considering what simulations say about who’s responsible for security. Too often simulations put the burden of protection on the employees, which can add extra stress and distract employees from the work they need to do. How the security team communicates with end users about these tests makes a difference. 

In reality, it’s the security team’s responsibility to protect the organization from security threats. That’s why we believe in making Simulations one part of a cohesive phishing defense, and never shaming users who fail a test. 

Key Features to Look for in Phishing Simulations

These problems don’t mean all phishing simulations are ineffective. When done thoughtfully, they can meet the goals of reminding users of what to look for when reading email, and how to respond to protect the organization. 


The most important aspect of creating an effective phishing simulation is to ensure that it’s realistic. A big rule of thumb is that if you are bypassing any existing detection or protocols, the simulation isn’t realistic. You want to run a simulation where you utilize your existing protocols and detection tools because then you’re really testing how your organization can withstand an attack. 

Convenient and usable

To improve your ROI, make sure that your phishing simulation tooling is convenient and easy-to-use. Choose software that integrates with the rest of your phishing tooling, doesn’t require your end users to learn a new reporting method, and doesn’t force you to create allow lists to prevent wasting time managing false positives. This isn’t the only, or even the most important, part of your phishing protection and the effort put in by the security team should reflect that.  

Avoids shame

Employees have a lot on their plates. If they fall for a phishing simulation, it will only add to their stress if the security team shames them. An effective phishing simulation will avoid shame, and instead focus on teaching employees how to identify the latest attacks and report them to security. Remind them the security team has their back as they work together to defend against attackers who are continuously refining their methods. 

Material’s Phishing Simulation Offering

Material’s phishing simulation solution is built on these principles. It’s easy-to-use; it’s realistic; it offers tips on how to communicate with users who pass or fail but puts you in control. Here are some of the specifics: 


Choose the right phishing simulator 

Phishing simulations are a complement to the other security defenses in place to protect against phishing attacks. And like many practices, it’s imperfect. But new approaches like those in Material’s Phishing Protection offer improvements that can significantly increase your ROI from running simulations and make it a useful piece of your phishing defenses. 

To learn more about Material's Phishing Protection, request a demo here.

Subscribe to our blog

Get the latest updates from Material