What is a phishing simulation?
A phishing simulation is a controlled, safe test of how employees respond to realistic phishing emails. A simulated phishing email is sent to your staff — if someone clicks the link, they are shown an awareness page instead of being harmed. No credentials are captured. No systems are compromised.
The goal is to measure real-world susceptibility before an attacker does, and to build awareness through the experience of almost falling for a phish.
How ExposureIndex runs it
- A realistic email is crafted — modelled on real phishing techniques and themed to look plausible for your organisation (e.g. an IT helpdesk password reset, a shared document notification, a payment confirmation or a delivery update).
- The email is sent to your employee list — addresses you provide during setup. Delivery is tracked.
- A tracking link is embedded — if a recipient clicks, a unique token records the event. No form is shown; the user is redirected to a brief security awareness page explaining that this was a test.
- Results are compiled — click rate, delivery rate, and individual records (anonymised in the report) are presented in your ExposureIndex report under the Human Factor section.
Interpreting your results
| Click rate | Assessment |
|---|---|
| < 5% | Good — low susceptibility |
| 5–30% | Moderate — awareness training recommended |
| > 30% | Critical — significant risk; prioritise training |
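The mechanics described above (per-recipient tracking tokens, a click handler that records the event and only redirects, and a report that applies the click-rate bands from the table) can be shown in a few dozen lines. The following is an added illustration, not ExposureIndex's own code; the recipient addresses, URLs and keys are constructed for the demo, and the choice to compute click rate as clicks divided by delivered messages is an assumption, since the page does not define the denominator.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample recipient list for the demo (not real addresses).
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
# Constructed key used only to pseudonymise names in the report; keeping it stable
# across campaigns (assumption) lets a re-test be compared without naming anyone.
REPORT_KEY = b"constructed-demo-report-key-do-not-reuse"


@dataclass
class Campaign:
    secret: bytes                                # per-campaign key, never sent to recipients
    awareness_url: str                           # where clickers are redirected
    tokens: dict = field(default_factory=dict)   # token -> recipient
    delivered: set = field(default_factory=set)
    clicked: set = field(default_factory=set)


def new_campaign(awareness_url="https://awareness.example.test/you-clicked"):
    return Campaign(secret=secrets.token_bytes(32), awareness_url=awareness_url)


def issue_token(c, recipient):
    # Random id: not derivable from the address, so tokens cannot be guessed.
    # HMAC tag binds the id to this campaign's key, so altered tokens are rejected.
    rid = secrets.token_hex(16)
    tag = hmac.new(c.secret, rid.encode(), hashlib.sha256).hexdigest()[:16]
    token = f"{rid}.{tag}"
    c.tokens[token] = recipient
    return token


def tracking_link(c, recipient, base="https://track.example.test/t/"):
    return base + issue_token(c, recipient)


def record_delivery(c, recipient):
    c.delivered.add(recipient)


def handle_click(c, token):
    """Simulated tracking endpoint. Returns (status, redirect_url).
    Records the click and nothing else: no form, no credentials."""
    try:
        rid, tag = token.split(".", 1)
    except ValueError:
        return ("invalid", None)
    expected = hmac.new(c.secret, rid.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(tag, expected) or token not in c.tokens:
        return ("invalid", None)
    c.clicked.add(c.tokens[token])        # a set, so repeat clicks count once
    return ("redirect", c.awareness_url)


def assess(click_rate_pct):
    # Bands from the interpretation table: < 5% good, 5-30% moderate, > 30% critical.
    if click_rate_pct < 5:
        return "Good"
    if click_rate_pct <= 30:
        return "Moderate"
    return "Critical"


def anonymise(recipient):
    return hmac.new(REPORT_KEY, recipient.lower().encode(), hashlib.sha256).hexdigest()[:12]


def compile_report(c, recipients):
    sent, delivered, clicked = len(recipients), len(c.delivered), len(c.clicked)
    click_rate = 100.0 * clicked / delivered if delivered else 0.0   # assumption: per delivered
    records = [{"id": anonymise(r), "clicked": r in c.clicked} for r in recipients]
    return {
        "sent": sent, "delivered": delivered, "clicked": clicked,
        "delivery_rate_pct": round(100.0 * delivered / sent, 1) if sent else 0.0,
        "click_rate_pct": round(click_rate, 1),
        "assessment": assess(click_rate),
        "records": sorted(records, key=lambda x: x["id"]),
    }


def run_demo():
    """Constructed scenario: 4 delivered, two people click (one of them twice), one forged token."""
    c = new_campaign()
    links = {r: tracking_link(c, r) for r in RECIPIENTS}
    for r in RECIPIENTS:
        record_delivery(c, r)
    statuses = [handle_click(c, links[r].rsplit("/", 1)[1])
                for r in ("alice@example.com", "bob@example.com", "alice@example.com")]
    forged = handle_click(c, "deadbeef" * 4 + ".0000000000000000")
    return compile_report(c, RECIPIENTS), statuses, forged


if __name__ == "__main__":
    report, statuses, forged = run_demo()
    print(report["click_rate_pct"], report["assessment"], forged)
```

The keyed, random token is the detail worth copying: it makes the link unguessable and unforgeable, so the click data cannot be polluted, and the handler's only side effect is a redirect to the awareness page, which is what keeps the exercise safe.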
A high click rate does not mean your employees are careless. It means they have not yet been trained to recognise the specific techniques attackers use.
Even a single employee clicking a link can put the entire company at risk. Make sure you have other security guardrails in place that prevent ransomware or other malware from being installed and credentials from being stolen.
What to do after a simulation
For all organisations
- Share results with leadership — Frame it as a baseline, not a blame exercise.
- Run security awareness training — Focus on the exact techniques used in the simulation (urgency cues, sender spoofing, credential harvesting).
- Re-test after training — Repeat the simulation 60–90 days after training to measure improvement.
For a critical result (> 30% click rate)
- Prioritise mandatory training for all staff before the next scan cycle.
- Review email filtering settings — consider adding banner warnings for external senders.
- Check whether MFA is enforced on all accounts; a clicked phish is far less dangerous when credentials alone are not enough to log in.
- Consider implementing a security tool that prevents malicious software from being installed by mistake on company computers. Antivirus was the popular choice in the past, but it only scans for known signatures. In today's fast-evolving environment, you need something that looks at the behaviour of a process rather than its signature:
  - Endpoint Detection and Response (EDR) — detects process behaviours that should not exist. Examples: (Friends Of Claudia) (Acronis) (MalwareBytes)
  - Endpoint Privilege Management (EPM) — prevents unauthorised software processes from being installed or started. Examples: (Admin By Request) (ThreatLocker)
For individual clickers
The awareness page shown to clickers is the first moment of learning. Follow up with targeted micro-training modules on phishing recognition if your platform supports it. Avoid punitive measures — they discourage reporting of real incidents.
Last updated: March 28, 2026