Recent Posts

Recent Blog Posts

The PhishLabs Blog

What Makes a Good Simulated Phish?

Posted by Stephanie Fauvelle on Mar 31, '16


If your security awareness training provider offers personal banking phishing templates, then it’s a good idea to re-think your provider. Why? Because phishers aren’t sending fraudulent banking alerts to corporate accounts. Besides, who links their bank account to their work email anyway? Phishers continue to up their game, moving away from sloppy phishing emails ripe with spelling mistakes and other recognizable signs to sending craftier, what we’ll call, “lite” spear phish.

Although true spear phishing is still a momentous concern, phishers also send malicious emails fashioned for a particular industry as opposed to the more commonly thought of alternative known as the ‘spray and pray’ method. These lite spear phish are usually corporate-themed and tailored to the industry they’re targeting. What do we mean by corporate-themed? Think of all of the B2B products that your employees interact with on a daily basis – file sharing tools, expense tracking and project management software, email clients, CRMs—and you’ve got yourself a corporate-themed phish.

Why is this important?

Because the phishing simulations you send your employees should reflect the actual phish being sent to other companies in your same line of business. Your security awareness training vendor should not offer a one-size fits all library of templates, but instead provide you with a high-quality selection of templates tailored to your industry.

It’s one thing for your employees to recognize a ‘VERIFY BANK ACOUNT OR IT WIL BE LOCKED’ phishing simulation but for your employees to be truly inoculated against real potential phishing attacks, you need to use more realistic templates.

Below is a phishing simulation based off of Dropbox – a popular file-sharing service. There are no spelling mistakes except for the bottom left-hand corner and one small punctuation error (can you spot it?). The email also addresses the employee by their first name and most employees use or have at least heard of Dropbox before. ‘Project files’ is also an enticing link to click – but the employee should question who Max is. They should also hover over the link before clicking it – and if they do, they would see that it isn’t the Dropbox domain.


Stop sending your employees phishing simulations that offer a free iPad or all-expense paid vacation – and start sending them phishing simulations based on actual phish seen in the wild targeting your specific line of business. 

At PhishLabs, our research team helps design the phishing templates we send to our clients. We tailor your phishing simulations based on your industry and the current threat landscape.  

Read about what else you should look for when evaluating phishing simulation training solutions.  

Topics: T2, Phishing Simulation, Employee Defense Training, EDT

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all