Phishing Simulation & Security
Awareness: The Complete Business Guide

Spear Phishing and Whaling

Spear phishing uses personalized information — the target's name, role, manager, recent activities, and organizational context — to craft emails that appear to come from trusted sources. Whaling is spear phishing directed specifically at executives (CEO, CFO, CISO) or high-value targets. AI tools have dramatically lowered the cost of personalized attack content: what once required hours of manual research now takes seconds. A well-crafted spear phishing email referencing a real recent business event and appearing to come from a known counterparty achieves click rates five to ten times higher than generic phishing attempts.

Business Email Compromise (BEC)

BEC attacks impersonate executives, vendors, or business partners to manipulate employees into transferring money or sharing sensitive information. Unlike malware-carrying phishing, BEC emails typically contain no links or attachments — they rely entirely on social engineering and a spoofed or compromised sender identity. This makes them near-invisible to technical controls and entirely dependent on employee recognition for defense. BEC scenarios include CEO fraud (fake wire transfer requests), vendor impersonation (payment redirection), payroll fraud (direct deposit modification), and attorney impersonation (confidential fund transfer).

Vishing and Smishing

Voice phishing (vishing) using AI-generated voice cloning now enables attackers to impersonate executives, colleagues, and IT helpdesk staff in real-time calls with near-perfect voice matching. Smishing (SMS phishing) exploits the higher open rate of text messages (98% vs. 20% for email) and the reduced security awareness most people apply to mobile communications. Multi-channel attacks that begin with a phishing email and escalate to a vishing call for "verification" are increasingly common and achieve significantly higher success rates than single-channel attacks.

Adversary-in-the-Middle (AiTM) Phishing

AiTM phishing uses reverse proxy infrastructure to sit between the target and a legitimate login page — capturing both credentials and session tokens in real time. This bypasses traditional multi-factor authentication (MFA) methods, including SMS OTP and authenticator app codes, because the attacker captures the valid session token before MFA can validate the session. AiTM phishing kits are now commercially available on criminal forums for under $500, making this sophisticated technique accessible to low-skill threat actors. Phishing-resistant MFA (FIDO2 hardware keys, passkeys) is currently the only technical control that defeats AiTM.

QR Code Phishing (Quishing)

QR code phishing embeds malicious URLs in QR codes within email attachments or physical media, bypassing email security gateways that scan URLs in email body text but cannot decode QR code content. When scanned from a personal mobile device — which typically has weaker security controls than corporate laptops — the target is redirected to a credential harvesting page. Quishing is particularly effective against email security-aware employees who have been trained to hover over links but have not been trained to treat QR codes with equivalent skepticism.

What Simulation Measures

• Click rate: percentage of employees who clicked a simulated phishing link — the primary susceptibility metric
• Credential submission rate: percentage who entered credentials on a fake login page — indicating deeper susceptibility
• Report rate: percentage who identified and reported the simulation to IT/security — the most valuable positive behavior
• Time to click: how quickly employees click after receiving a phishing email — fast clickers are highest risk
• Department and role trends: which business units and job functions show higher susceptibility rates
• Repeat offenders: employees who click across multiple simulation campaigns, indicating training ineffectiveness for that individual
• Trend over time: whether click rates and report rates are improving across successive campaigns

What Simulation Cannot Measure

• Resistance to novel attack techniques not covered by the simulation template library
• Vishing and smishing susceptibility — email simulation does not assess voice or SMS-based social engineering
• Real-world behavior variance — employees who click in simulation may behave differently under real attack pressure, and vice versa
• Physical social engineering — tailgating, USB drop attacks, and in-person pretexting require separate assessment
• Comprehension vs. compliance: simulation measures behavior, not understanding — an employee may avoid clicks without understanding why
• Cultural factors — high-pressure organizational cultures that penalize employees for slow responses to requests create inherent susceptibility that simulation cannot capture

Password & Credential Security

Credential reuse, weak passwords, and shared credentials are among the most persistent human security failures. Training must address password manager adoption, understanding why password length matters more than complexity, recognizing credential-harvesting scenarios, and the specific risks of using corporate email for personal account registration.

Multi-Factor Authentication (MFA)

Employees need to understand not just that MFA exists, but why — and critically, that SMS-based MFA is vulnerable to SIM swapping and AiTM attacks. Training should address MFA fatigue attacks (where attackers spam MFA prompts until users approve out of frustration), how to recognize unauthorized MFA requests, and the difference between phishing-resistant MFA (FIDO2/passkeys) and legacy MFA methods.

Data Handling & Classification

Human error in data handling — emailing sensitive files to personal accounts, storing confidential data in unauthorized cloud services, printing sensitive materials and leaving them unsecured — is a major source of data exposure that no phishing simulation addresses. Data classification awareness training establishes what constitutes sensitive data and the handling requirements for each classification level.

Physical Security

Tailgating (following authorized personnel through secure doors), USB drop attacks (planting infected USB drives in parking lots and common areas), shoulder surfing sensitive information, and leaving workstations unlocked represent physical attack vectors that complement email phishing. Physical security awareness reduces the risk from threat actors who achieve or attempt physical access to facilities.

Social Media & OSINT Awareness

Employees who publicly share organizational information on LinkedIn, Twitter/X, and other platforms are inadvertently providing attackers with the reconnaissance data needed for targeted spear phishing. OSINT (Open Source Intelligence) awareness training helps employees understand what information about themselves and the organization is publicly accessible and how attackers weaponize it — reducing the information advantage attackers gain before the first phishing attempt is even sent.

Ransomware & Malware Recognition

Most ransomware enters organizations through human action — a clicked link, an opened attachment, a downloaded file. Employees do not need deep technical knowledge to be effective defenders: they need to know what macro-enabled documents are and why to decline enabling macros, what to do if a browser warns about a certificate, how to recognize download redirect attacks, and the immediate steps to take (disconnect from network, call IT) if they suspect they have triggered malware execution.

Requires covered entities to implement security awareness and training programs for all workforce members (45 CFR §164.308(a)(5)). Must include awareness of malicious software, login monitoring, and password management. OCR audits specifically examine training records and program documentation. Phishing simulation results serve as evidence of an active, monitored training program.

Requirement 12.6 mandates a formal security awareness program with training upon hire, at least annually thereafter, and upon awareness of new threats. Requirement 12.6.3 specifically requires phishing awareness training and testing. PCI-DSS v4.0 increased scrutiny on phishing training documentation — assessors now request evidence of phishing simulation programs, not just training completion certificates.

SOC 2 Trust Services Criteria CC1.4 and CC2.2 require organizations to demonstrate that security awareness training is provided and that the effectiveness is monitored. Auditors increasingly request phishing simulation click rate trends as evidence that security awareness training is producing measurable behavioral outcomes — not just completion records.

NIST SP 800-171 Requirement 3.2.1 requires organizations to ensure that personnel are aware of the security risk associated with their activities and applicable policies. CMMC Level 2 and Level 3 assessments evaluate security awareness training programs including phishing simulation as part of the AT (Awareness and Training) domain. Defense industrial base contractors without documented, active phishing simulation programs face CMMC certification barriers.

Most cyber insurance applications now specifically ask whether the organization runs regular phishing simulations. Organizations that cannot demonstrate an active simulation program face higher premiums, reduced coverage limits, or policy exclusions. Following a phishing-enabled breach, insurers who discover the organization had no simulation program in place may dispute coverage on the basis that reasonable preventative measures were not taken.

Threat Intelligence-Driven Simulation Campaigns

Every Sentinel phishing simulation campaign is informed by current threat intelligence specific to the client's industry and geography — not recycled generic templates. When a new phishing campaign is targeting healthcare organizations, financial institutions, or defense contractors, Sentinel simulation campaigns reflect those exact techniques, ensuring employees are trained on the attacks they are actually facing rather than last year's threat landscape.

Role-Based Targeting and Segmentation

Sentinel designs simulation campaigns and training content that matches the specific threat scenarios each employee role faces — executive whaling scenarios for leadership, BEC simulations for finance teams, credential harvesting simulations for IT administrators, and resume-embedded malware scenarios for HR. Every department receives a program calibrated to their actual risk profile, not a one-size-fits-all curriculum.

Immediate Teachable Moment & Adaptive Training

Employees who click in simulation receive immediate in-context training that explains the specific red flags they missed. Sentinel tracks individual employee performance across campaigns and automatically escalates training intensity for repeat clickers — delivering targeted content, one-on-one coaching recommendations, or enhanced technical controls for the highest-risk individuals.

Executive & Board Reporting

Sentinel delivers quarterly executive reports translating simulation and training data into business risk language: click rate trends, department-level risk profiles, improvement trajectory, benchmark comparisons against industry peers, and regulatory compliance status for HIPAA, PCI-DSS, SOC 2, and CMMC training requirements. Security awareness program outcomes are presented as risk reduction metrics, not IT activity reports.

Integration with MDR and Incident Response

Sentinel's phishing simulation program integrates directly with ArgusSense MDR monitoring — employee phishing reports feed real-time threat intelligence into the SOC, enabling analysts to identify when a real phishing campaign is targeting the organization before technical controls have flagged it. Security awareness and managed detection become complementary layers of the same defense, not separate programs that operate in isolation.

What is a good phishing simulation click rate?

Baseline click rates for untrained organizations typically run 25–40% on moderate-difficulty phishing templates. After 12 months of regular simulation and training, effective programs reduce click rates to 5–10% at equivalent difficulty levels. Below 5% on moderate-difficulty templates indicates a high-performing security awareness program. However, click rate alone is not sufficient — track it alongside report rate (target 25%+) and repeat clicker rate to get a complete picture of human risk posture.

How often should we run phishing simulations?

Monthly or quarterly campaigns produce the best behavioral outcomes. Annual simulations allow click rates to revert to near-baseline within 4–6 months as behavior conditioning decays without reinforcement. Monthly campaigns maintain conditioning but can cause employee resentment if not managed carefully. Quarterly campaigns with monthly brief security communications represent the optimal balance for most organizations. Programs for high-risk roles (finance, executives, IT) should run more frequently than for general employees.

Should we tell employees in advance that we are running phishing simulations?

Generally, announcing that a phishing simulation program exists (without announcing specific campaign timing) is best practice. Employees should know phishing simulations occur as part of the security awareness program — this transparency builds trust and reduces the sense of being "tricked." However, announcing specific campaign dates or templates defeats the measurement purpose of simulation. The goal is to test realistic recognition behavior, not to create an exam where employees know when to be extra vigilant.

What should happen when an employee clicks a phishing simulation?

The employee should be immediately redirected to a brief (2–3 minute) teachable moment explaining what red flags they missed and what to do next time. This in-the-moment intervention has significantly higher behavior change impact than scheduled training weeks later. The click should be logged for tracking purposes. The employee should not be publicly shamed, disciplined, or notified in a way that creates anxiety — the goal is learning and improvement, not punishment. Repeated clicks by the same individual should trigger escalated training intervention.

Does phishing simulation protect against AI-generated phishing?

Phishing simulation programs must evolve to include AI-generated attack scenarios to remain relevant. Modern simulation platforms and providers now offer AI-personalized phishing templates that mirror what attackers generate with LLMs — hyper-personalized emails referencing real employee LinkedIn profiles, recent company announcements, and industry events. Training should specifically address that AI-generated phishing has eliminated spelling errors and awkward phrasing as reliable detection cues, and that suspicion should now be based on sender verification, link inspection, and request context — not writing quality.

How does security awareness training support cyber insurance requirements?

Cyber insurance applications now specifically ask whether the organization runs regular phishing simulations, the frequency, and the click rate outcomes. Documented, active phishing simulation programs are a direct underwriting factor that reduces premiums and improves coverage terms. Following a phishing-enabled breach, insurers who discover the organization lacked an active simulation program may dispute coverage on grounds that reasonable preventative measures were not in place. Simulation program documentation — campaign schedules, click rate trends, training completion records — should be maintained as insurance compliance evidence.