The Ultimate Guide to Phishing Simulation

Published by Right-Hand Cybersecurity on September 7, 2020

According to a report from Deloitte

Close to 91% of all cyber attacks start off with a phishing email.


Gone are the days when a phishing email was only a dodgy email from scammers claiming to be a Nigerian Prince offering you mountains of cash. The cyber threat landscape has evolved, and today’s cybercriminals are smart enough to make their phishing attacks look sophisticated and harder to flag as a potential attack.

In this article, you will learn the basics of what phishing is, and everything you need to know about running phishing simulations to condition people to be less vulnerable to real attacks. After reading this, we’re confident that you will be ready to plan and execute an important piece of your cybersecurity awareness program. The ultimate goal of this content is to help monitor, measure and mitigate human error risks.


What is Phishing?

A phishing email is a delivery mechanism cybercriminals use to trick you into performing an action to their advantage. Such actions can range from clicking on a link to filling in a form with your username and password. In most scenarios, cybercriminals prey on people’s anxieties and insecurities to make them willingly hand over their data. For example, some phishing emails will try to put you in a state of panic by posing as your superior or a loved one.

Phishing emails typically include a URL link or an attachment. Once you click on it, your browser is either redirected to an unsafe website that steals sensitive information, or your device is infected with malware. The latter is also known as a drive-by download. Cybercriminals will then use your stolen data to commit identity fraud, sell it to other hackers, or threaten you with it by asking for a ransom.

Cybercriminals are constantly plotting new ways to make you give them what they want. Social engineering is the art of manipulating people into giving up information or performing certain actions. Cybercriminals use social engineering tactics in phishing attacks because it’s simply easier to exploit human insecurity to access valuable information than to do all that ‘super coder hacking’ we see in movies.

Here are the top 3 types of phishing attacks:

  • Business Email Compromise (BEC): BEC phishing attacks are when cybercriminals pose as someone of authority within the company and use this fake persona to phish lower-level employees. Cybercriminals typically attempt to impersonate an organization’s CEO or any executive authorized to make wire transfers. In addition, cybercriminals do their homework by closely monitoring their potential victims and their organization’s internal structure.

  • Spear Phishing: Spear phishing attacks are similar to BEC phishing attacks, in that they’re targeted at a specific audience. Unlike generic phishing emails that go out to thousands of people in wide-scale email phishing campaigns, spear phishing attacks hone in on key individuals within an organization. Cybercriminals use social engineering tactics to personalize the phishing emails, so as to catch their victims off-guard with instructions to reveal information or perform certain actions.

  • Whaling: Instead of targeting employees at the lower end of the organisational chain, whaling is when cybercriminals target C-level executives. This type of phishing attack is often premeditated, and cybercriminals dedicate a lot of time and planning to whaling attacks. The aim is to trick C-suite executives into revealing sensitive corporate data, which the attackers then threaten to release if a ransom is not paid.


Main Targets of Phishing Attacks

Previous attacks show that anyone can fall for phishing. Between 2013 and 2015, Facebook and Google collectively lost over $100 million as a result of a phishing email posing as an invoice, as reported by CNBC in 2019. What could have been a routinely flagged phishing attack slipped through their defences when a Lithuanian cybercriminal sent them several fraudulent invoices while posing as a credible third-party vendor.

In another real-life crisis, reported by Reuters, the Austrian aerospace firm FACC incurred $61 million in losses due to Business Email Compromise. By impersonating their CEO, a cybercriminal was able to send fake invoices to the company’s accounting team who then transferred funds to his account.

So, does company size matter for phishing attacks?

Although enterprises are an important target for cybercriminals, these companies are often in a better position to prevent attacks than small and medium-sized enterprises (SMEs). SMEs don’t always have a Chief Information Security Officer (CISO) or personnel responsible for cyber awareness programs, and are therefore less prepared and seen by cybercriminals as an easier target.

As reported by InfoSecurity Magazine, research from Gallagher estimated that

Nearly 60,000 small and medium enterprises could be at risk of collapse in 2019 if hit by a cyber attack.


This article from IT World Canada points out that Canada’s massive SME and start-up markets might explain the significant increase in fraud and phishing attacks directed at the country.

The belief that only enterprises and large corporations are targets for phishing attacks couldn’t be more inaccurate. 

It’s also impossible to single out one most-targeted industry. Successful phishing attacks happen in healthcare, manufacturing, technology, education and the public sector.

Why do Phishing Attacks Work?

You can find step-by-step descriptions of ‘How Phishing Attacks Work’ everywhere on the internet, but we want to provoke you by asking ‘Why does it Work?’ instead.

Sophisticated technologies have emerged in the last few years to fight breaches and attacks: cloud security, container security, identity management and others, to mention only a few.

But despite these very targeted defense methods, why is Phishing still the most common and successful type of attack?

Easy answer: because it works. And the more you prepare your employees to identify and prevent fraud, the more established the cybersecurity culture will be within your company. A paper from Carbonite points out:

Phishing scams are on the rise, and individuals who are familiar with trends, who are consistently trained via simulations, and supported in their pursuit of a better work-life balance will be the best defense against advancing and highly personalized phishing scams.


Who Is Responsible For Avoiding Phishing Attacks?

Repeat with us: if everyone in my company is a target, everyone should be prepared! At this point, you might have noticed that we insist on the idea that creating a people-centric cybersecurity culture is the best approach for companies in any industry.

The best phishing prevention practices relate to employee awareness and training programs for a reason, and they are directly connected to phishing simulation activities. If, for example, you run a specific phishing simulation email campaign for your marketing team using a template that is credible and related to the tools they use, you will have the opportunity to perform a more focused analysis of their behaviour. Keep in mind that everyone in your organization who holds confidential information is a target of cyber attacks.

What Kind of Damage can a Phishing Attack Cause?

Think of reputational damage as a starting point. 22% of organisations compromised by phishing attacks lost customers in the immediate aftermath, according to research by Cisco in 2018. Businesses are especially prone to the negative publicity of successful phishing attacks because it sends the message that potential clients should not trust them with valuable information.

Cybercriminals responsible for phishing attacks may not always try to lure you into giving up your company’s financial details. What they find more valuable than money is data, and once they get their hands on yours, the repercussions may send your company’s reputation, and eventually your stock price, into a nosedive. Even the process of recruiting new team members can be affected by reputational damage caused by a cyber attack.

Another major cost is regulatory fines. The data protection regulations that emerged after GDPR set a high price on data breach incidents. Failure to comply with regulations such as HIPAA, PDPA and CCPA can cost organizations up to millions of dollars.

This list from CSO Online reports the biggest data breach fines and penalties applied to companies, such as Equifax’s agreement to pay $575 million as a consequence of a breach incident in 2017.

The impact of a phishing attack can accumulate into enormous losses, and appearing in the news as the most recently attacked company is the biggest nightmare for any business in our digital reality.

Why Perimeter Defense Cybersecurity Is Not Enough By Itself

As reported by Insurance Business Magazine, a recent study by Akamai says:

Roughly 1 in 5 phishing attacks go undetected despite blacklists.


If a phishing attack is able to bypass a perimeter defense solution or blacklist, then your employee population becomes your complementary line of defense. Having a conditioned workforce that can identify and report phishing attacks goes a long way towards creating a complementary layer of security to protect critical company assets and information.

How Do Phishing Simulations Help? 

Phishing simulations are a key element of cybersecurity awareness training. By learning to recognise and respond to simulated phishing attacks, employees build confidence in their ability to maintain vigilance against real cyber threats. In addition to the training, employees also get to experience the different scenarios of a phishing attack without actually jeopardising millions of dollars in real-world losses. By removing the stigma associated with committing cybersecurity mistakes, employees can progressively become the company’s strongest asset against cybercriminals. 

Phishing simulations should be your first step when running cybersecurity awareness programs, and their results will help you drive the exact training your employees need, as well as educating them on how to recognize and avoid potential threats.

The crucial benefit of a phishing simulation campaign is to drive long-lasting employee behaviour improvements and establish your employees as a key element in your company’s cyber defense strategy.

How Phishing Simulations Work

The ideal phishing simulation will resemble a real-world cyber attack. The email template and landing page should be realistic and credible, and can draw on an endless set of common corporate email themes such as password resets, HR communications, bank details and others, always enticing employees to open email attachments, click on links or enter credentials.

The frequency of phishing simulation emails is up to you, but we recommend you do it frequently enough to make sure your employees are being educated on a regular basis. 

When choosing the right tool to help you run phishing simulations, consider the importance of having templates that match every department of your company; the more customizable the templates are, the better. Attackers do their best to personalize the emails they send to an organization, so you should think the same way to better protect your workforce.

Also, you might prioritize a product that automates your work and makes integration with other cybersecurity awareness initiatives easier. You might have come across predictions of a shortage of cyber talent in the next few years as cybercrime continues to grow, and this is one more reason why automating phishing simulation campaigns should be your priority. Automation will help increase your team’s efficiency while eliminating time-consuming tasks.

Benefits of Phishing Simulations

Thanks to employee behavioural data, phishing simulations allow companies to identify vulnerable employees who need more phishing-related training. This information can then be used to create your company’s risk score and to plan how to further develop your employees’ strengths and mitigate their isolated weaknesses. In summary, the results you get from a phishing simulation campaign guide you to address your teams’ needs in terms of cybersecurity awareness training.
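As an added illustration (not code from Right-Hand's product or this article), here is how the results of one simulated campaign can be turned into the per-department view and the list of employees who need follow-up training described above. The outcome names, the risk weights and the sample results are constructed assumptions, not data from the page.

```python
from collections import defaultdict

# Constructed sample results from one simulated campaign: one record per employee.
# "outcome" is the furthest step the employee took with the simulated email.
CAMPAIGN_RESULTS = [
    {"user": "alice", "dept": "marketing", "outcome": "reported"},
    {"user": "bob", "dept": "marketing", "outcome": "clicked"},
    {"user": "carol", "dept": "marketing", "outcome": "submitted"},
    {"user": "dave", "dept": "finance", "outcome": "ignored"},
    {"user": "erin", "dept": "finance", "outcome": "reported"},
    {"user": "frank", "dept": "finance", "outcome": "clicked"},
]

# Assumed risk weight per outcome on a 0-1 scale: reporting the email is the
# desired behaviour, entering credentials on the landing page is the worst case.
OUTCOME_RISK = {"reported": 0.0, "ignored": 0.2, "opened": 0.4,
                "clicked": 0.7, "submitted": 1.0}


def department_metrics(results):
    """Per-department click rate, report rate and mean risk score."""
    buckets = defaultdict(list)
    for r in results:
        buckets[r["dept"]].append(r["outcome"])
    metrics = {}
    for dept, outcomes in buckets.items():
        n = len(outcomes)
        metrics[dept] = {
            "employees": n,
            "click_rate": sum(o in ("clicked", "submitted") for o in outcomes) / n,
            "report_rate": outcomes.count("reported") / n,
            "risk_score": round(sum(OUTCOME_RISK[o] for o in outcomes) / n, 3),
        }
    return metrics


def needs_training(results, threshold=0.7):
    """Employees whose outcome risk meets the threshold: candidates for follow-up training."""
    return sorted(r["user"] for r in results
                  if OUTCOME_RISK[r["outcome"]] >= threshold)


if __name__ == "__main__":
    for dept, m in department_metrics(CAMPAIGN_RESULTS).items():
        print(dept, m)
    print("follow-up training:", needs_training(CAMPAIGN_RESULTS))
```

Tracking these figures campaign over campaign shows whether the department-specific templates the article recommends are actually shifting behaviour.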

Phishing Simulations and cybersecurity training are complementary strategies that should always walk together to keep your workforce aware and protected against cyberthreats.

Fight Off Phishing With the Right Help

Right-Hand’s Phishing Readiness product can help you condition employees to become less susceptible to malicious phishing emails, by creating and launching custom phishing simulations. Schedule a personalized demo and see our product in action:
