A ,Simulated Phishing Exercise is essentially a test where realistic (but safe) Phishing emails are sent to your staff members to see if they can spot warning signs and red flags and consequently follow the correct procedures to deal with the Phishing email.

In 2023, the Cyber Security Breaches Survey found that 83% of businesses suffered phishing attacks. This shows that all businesses, from sole traders to large corporations, must test and train their staff against the dangers of Phishing attacks.

How often do you need a Simulated Phishing Exercise?

The frequency of Simulated Phishing Exercises is a fine line, conduct them too often, and they begin to lose their effectiveness, but leaving too much time between campaigns can lead to an employee’s awareness declining.

This is why the North West Cyber Resilience Centre recommends conducting a Simulated Phishing Exercise once per quarter (Once every three months). This is because our research shows this time period allows businesses to implement the necessary procedures/policies and retrain any key employees.

What is the process of a Simulated Phishing Exercise?

The North West Cyber Resilience Centre staff will conduct an initial scoping call to determine how many staff are to be included in the campaign, what style of email template(s) are required for the Phishing emails, and dates/times the campaign should run from/to.

The first Simulated Phishing Exercise is a baseline assessment when paired with our ,Security Awareness Training program. It can be compared to future campaigns to determine the effectiveness and review improvements in staff cyber awareness.

The aim is that your staff will be able to spot common warning signs and indicators (including but not limited to those below) and report the email in line with businesses processes/policies:

• Unusual “From” email address
• A “Reply-To” email address that is different from the “From” email address
• A sense of urgency in the tone of the email body
• An unusual email topic, such as confirming bank details or installing a software/application that is not used by the business
• An unusual email that asks the recipient to enter/confirm Personally Identifiable Information (PII)

How long does a Simulated Phishing Exercise take?

After setup is completed, the campaign will run for 1-2 weeks; this is usually done within a time frame that mimics that of an attacker to make the scenario as realistic as possible.

Once concluded, our team will produce a comprehensive report detailing all of the actions taken by your staff and explaining the risks associated with these actions. This will also be backed up with graphs and key statistics.

Will a Simulated Phishing Exercise affect our normal business operations?

No, our Simulated Phishing Campaigns are designed to run alongside normal business operations with minimal impact. Any email templates we use will not be malicious, and our team will keep you updated with the times/dates the campaign is running so you’re always aware of what is happening.

Raise your staff's awareness of phishing emails and guard your business against the growing trend of social-engineering threats with a ,Simulated Phishing Exercise today.