
Phishing Simulation Programs: Tools, Benchmarks, and Remediation

Phishing simulation programs systematically test employee susceptibility to phishing attacks by sending controlled, fake phishing emails to the organization's own employees. Results measure the baseline vulnerability of the workforce to email-based social engineering, identify individuals who need additional training, track improvement over time, and satisfy security policy and compliance requirements. For Ukraine's public sector, which faces sustained, sophisticated phishing campaigns from Russian cyber operators, simulation programs provide both measurement and training value that directly supports national cyber resilience.

GoPhish and Open-Source Simulation Tools

GoPhish is a free, open-source phishing simulation framework that can be self-hosted on any server. It provides a web interface for creating phishing email campaigns, landing pages that capture user interaction data, and reporting dashboards. GoPhish is widely used by small-to-medium organizations, penetration testers, and government entities globally. Its appeal lies in the zero licensing cost—particularly relevant for budget-constrained Ukrainian municipal and regional government entities—and the ability to customize campaigns without sharing data with third-party vendors.

GoPhish limitations include the operational overhead of self-hosting and maintaining the infrastructure, lack of built-in training content (organizations must link to separate training platforms), and community-only support. Additionally, GoPhish's signature is well-known and may be detected and filtered by some email security systems, requiring configuration to prevent campaign emails from being blocked before reaching targets (which would skew simulation results).

Commercial Simulation Platforms

Commercial phishing simulation platforms offer significantly more features than GoPhish, at a per-user licensing cost. Leading platforms include KnowBe4 (largest market share), Proofpoint Security Awareness Training, Cofense PhishMe, Mimecast Awareness Training, and Microsoft Attack Simulator (included with Microsoft 365 Defender licenses). Commercial platforms offer extensive template libraries of realistic phishing scenarios, integrated training content that automatically assigns remedial training to users who fail simulations, risk scoring at individual employee level, and integration with SIEM and HR systems.

Ukrainian government entities with Microsoft 365 Enterprise licensing (provided through Microsoft's "Tech for Ukraine" program, under which Microsoft supplies enterprise licenses to the Ukrainian government at no charge) have access to Microsoft Attack Simulator, built into their Microsoft 365 Defender subscription, which gives them commercial-grade simulation capabilities without additional licensing cost. USAID and EU technical assistance programs have funded KnowBe4 licenses for specific ministries and critical infrastructure operators as part of security capacity-building.

Phishing Simulation Platform Comparison

| Platform | Cost Model | Template Library | Training Integration | Best For |
|---|---|---|---|---|
| GoPhish | Free (self-hosted) | Basic / manual | Manual linking only | Resource-constrained, technical teams |
| KnowBe4 | Per-user annual license | 13,000+ templates | Native, auto-assign | Enterprises, compliance-focused |
| Microsoft Attack Simulator | M365 Defender included | Moderate library | M365 training modules | Microsoft-centric environments |
| Proofpoint SAT | Per-user annual license | 2,000+ templates | Native comprehensive | Enterprises with Proofpoint email |
| Cofense PhishMe | Per-user annual license | 1,000+ templates | Native, scenario-based | Incident reporting emphasis |

Click-Rate Benchmarks and Interpretation

Verizon's Data Breach Investigations Report and KnowBe4's Phishing By Industry benchmarks provide industry-wide click-rate data. Global average click rates on phishing simulations across industries hover around 17-25% for organizations at program inception. After 90 days of regular training and simulation, the rate typically drops to 5-8%. After 12 months of sustained programs, organizations achieving best-practice outcomes maintain rates below 5%. Organizations with mandated ongoing training maintain rates around 2-4%.

Ukraine-specific considerations affect benchmark interpretation. Simulations using war-relevant lures (military status notifications, government benefit alerts, MilTech procurement) achieve click rates 20-40% higher than generic lures—reflecting context relevance exploited by Russian operators. Ukrainian organizations should calibrate internal benchmarks against war-context scenarios rather than global generic averages when assessing operational risk.

Remedial Training Triggers and Curriculum

Best practice for phishing simulation programs specifies clear triggers for remedial action: any employee who clicks a simulated phishing link or submits credentials receives immediate just-in-time training (a 5-10 minute module explaining the indicators they missed); employees who fail three or more simulations in a 12-month period are enrolled in an extended awareness curriculum; and employees in high-risk roles (executive assistants, finance, IT administrators) who fail simulations receive role-specific supplementary training addressing attacks relevant to their access levels.

Ukraine's SSSCIP-coordinated phishing simulation program specifies mandatory same-day remedial training assignment for simulation failures, with ministry-level reporting of aggregate click rates to SSSCIP on a quarterly basis. Ministries with click rates persistently above 15% receive direct SSSCIP engagement to improve their awareness programs—creating accountability for security awareness outcomes at the organizational level.
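
The remedial triggers and the 15% aggregate threshold described above, applied to one campaign's results. This is an added example, not code from the original page or from any simulation platform; the record layout, outcome names, role labels and sample rows are assumptions constructed for illustration, and the last function checks a single quarter rather than persistence across quarters.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: (employee, unit, role, campaign date, outcome).
# Field layout and outcome names are assumptions, not any platform's export format.
RESULTS = [
    ("a.koval", "finance", "finance", date(2025, 1, 14), "clicked"),
    ("a.koval", "finance", "finance", date(2025, 5, 13), "submitted"),
    ("a.koval", "finance", "finance", date(2025, 9, 16), "clicked"),
    ("b.melnyk", "registry", "clerk", date(2024, 8, 1), "clicked"),
    ("b.melnyk", "registry", "clerk", date(2025, 5, 13), "reported"),
    ("b.melnyk", "registry", "clerk", date(2025, 9, 16), "clicked"),
    ("c.shevchuk", "it", "it_admin", date(2025, 9, 16), "submitted"),
    ("d.bondar", "registry", "clerk", date(2025, 9, 16), "reported"),
]
FAILED = {"clicked", "submitted"}
HIGH_RISK_ROLES = {"executive_assistant", "finance", "it_admin"}

def remedial_actions(results, campaign_day):
    """Training to assign to each employee who failed the campaign run on campaign_day."""
    window_start = campaign_day - timedelta(days=365)  # 12-month window, taken as 365 days
    recent_failures = defaultdict(int)
    for user, _unit, _role, day, outcome in results:
        if outcome in FAILED and window_start < day <= campaign_day:
            recent_failures[user] += 1
    actions = {}
    for user, _unit, role, day, outcome in results:
        if day != campaign_day or outcome not in FAILED:
            continue
        assigned = {"just_in_time"}       # every click or credential submission
        if recent_failures[user] >= 3:    # three or more failures in 12 months
            assigned.add("extended_curriculum")
        if role in HIGH_RISK_ROLES:       # role-specific supplementary training
            assigned.add("role_specific")
        actions[user] = assigned
    return actions

def quarterly_click_rates(results):
    """Aggregate failure rate per (unit, year, quarter), the figure reported upward."""
    sent, failed = defaultdict(int), defaultdict(int)
    for _user, unit, _role, day, outcome in results:
        key = (unit, day.year, (day.month - 1) // 3 + 1)
        sent[key] += 1
        failed[key] += outcome in FAILED
    return {key: failed[key] / sent[key] for key in sent}

def units_over(rates, year, quarter, threshold=0.15):
    """Units whose aggregate rate for one quarter exceeds the threshold."""
    return sorted(unit for (unit, y, q), rate in rates.items()
                  if (y, q) == (year, quarter) and rate > threshold)
```

Only aggregate rates leave `quarterly_click_rates`; the per-employee output of `remedial_actions` is the part that should stay within training-assignment channels.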

FAQ

Do phishing simulations damage employee trust if perceived as "traps"?

Industry research shows that employee trust effects from phishing simulations depend heavily on how programs are communicated and implemented. When organizations clearly communicate that phishing simulation is a learning tool rather than a disciplinary mechanism, and when the response to simulation failure is supportive training rather than punitive consequences, employee trust is maintained and security culture improves. Punitive approaches—publicly naming employees who fail, using simulation results for performance reviews—damage trust and reduce reporting of genuine phishing, which is counter-productive. UK NCSC guidance explicitly recommends against punitive simulation approaches.

How often should phishing simulations be run?

Security awareness researchers recommend monthly or bi-monthly simulations for organizations with known high risk (government, financial sector, healthcare). Annual simulations are insufficient to maintain behavioral vigilance—the training effect decays within weeks without reinforcement. Organizations with resource constraints should target at minimum quarterly simulations with immediate just-in-time training for failures. High-risk roles (executives, IT administrators, finance staff) should receive more frequent targeted simulations than general employees.

Can phishing simulations cause real security incidents?

Poorly designed phishing simulations have caused real security incidents through several mechanisms: employees who receive a realistic-looking simulation email and report it as genuine phishing create incident response work for SOC teams; simulations sent from third-party domains can be mistakenly blocked by email security systems, disrupting legitimate communication workflows; and poorly configured simulation infrastructure whose domain or IP registers as spam can affect email deliverability temporarily. Coordination between simulation programs and SOC/email security teams prevents these issues.

What Ukrainian-specific phishing templates have been most effective in simulations?

Based on reported simulation results, the most effective templates in Ukrainian government contexts have included: Diia service notifications requesting re-verification, government pay/benefit announcements (particularly relevant for public sector workers), MDT policy update notifications requiring employee action, military status/exemption notifications, and news article links about recent major events formatted to appear from legitimate news outlets. These leverage Ukrainian-specific context that employees are conditioned to respond to, making them more challenging than generic simulation templates.

Should simulation click rates be disclosed to all employees?

Aggregate department or organizational-level click rates can be productively shared with employees to create accountability, competitive motivation to improve, and transparency about organizational security posture. Individual click rates should not be disclosed beyond manager and HR channels due to privacy considerations. Publishing organizational aggregate click-rate progress (e.g., "our organization improved from 18% to 11% this year") creates positive reinforcement for collective improvement without stigmatizing individuals who struggled.

Sources

  1. KnowBe4 — "Phishing by Industry Benchmarking Report," knowbe4.com 2024
  2. Verizon — "Data Breach Investigations Report: Social Engineering Patterns," verizon.com 2024
  3. UK NCSC — "Phishing Simulations Guidance," ncsc.gov.uk 2023
  4. SANS Institute — "The Security Awareness Report: Human Risk Management," sans.org 2023
  5. Proofpoint — "State of the Phish Annual Report," proofpoint.com 2024

Cyber Operations Analysis: Phishing Simulation Programs: Tools, Benchmarks, and Remediation

The Russia-Ukraine conflict has generated the most comprehensively documented state-sponsored cyber operations in history, with Phishing Simulation Programs: Tools, Benchmarks, and Remediation representing a significant dimension of this digital warfare environment. Cyber attacks have targeted Ukrainian government systems, critical infrastructure, financial institutions, and military communications since well before the physical invasion began in February 2022. Understanding the technical characteristics, attributable actors, and strategic effects of cyber operations related to Phishing Simulation Programs: Tools, Benchmarks, and Remediation provides essential context for assessing both immediate operational impacts and broader implications for cyber conflict doctrine.

Russian state-sponsored threat actors including Sandworm (GRU Unit 74455), APT28/Fancy Bear (GRU Unit 26165), Cozy Bear/APT29 (SVR), and Turla (FSB) have conducted sustained campaigns against Ukrainian and allied targets with objectives spanning espionage, sabotage, and influence operations. Phishing Simulation Programs: Tools, Benchmarks, and Remediation intersects with this threat actor ecosystem in specific ways, whether through the deployment of particular malware families, targeting of specific sectors, or employment of novel techniques that reveal evolving adversary capabilities and intentions.

Ukraine's cyber defense architecture, significantly strengthened with Western assistance through programs including the EU's Cyber Resilience for Ukraine project and bilateral cooperation with US Cyber Command, has demonstrated growing resilience against Russian operations. The Ukrainian Computer Emergency Response Team (CERT-UA) has published hundreds of threat intelligence advisories, contributing to global understanding of Russian cyber tactics, techniques, and procedures (TTPs). Phishing Simulation Programs: Tools, Benchmarks, and Remediation informs this evolving defensive picture, highlighting areas where Ukrainian defenses have proven effective and where vulnerabilities remain.

The strategic calculation surrounding cyber operations related to Phishing Simulation Programs: Tools, Benchmarks, and Remediation involves complex trade-offs between operational effect, attribution risk, and escalation management. Russia's decision to employ destructive wiper malware, distributed denial-of-service attacks, and infrastructure-targeting operations reflects a calibrated use of cyber as a coercive instrument alongside physical military operations. The international response—including intelligence sharing, cyber defense assistance, and potential offensive cyber operations by allied nations—shapes the cost-benefit calculations of Russian cyber strategists.

Lessons for Global Cybersecurity Policy

The cyber dimensions of the Russia-Ukraine conflict represented by Phishing Simulation Programs: Tools, Benchmarks, and Remediation have generated critical lessons for national cybersecurity strategies worldwide. The importance of pre-positioning defensive measures before conflict onset, the value of international cyber defense cooperation frameworks, the role of private sector cybersecurity companies in supporting national defense, and the limitations of cyber operations as a strategic coercive tool have all been illuminated by Ukrainian experience. These lessons are reshaping cybersecurity investment priorities, information sharing architectures, and incident response frameworks across NATO and partner nations.

Frequently Asked Questions

What are the main Russian cyber attacks on Ukraine?

Russia has conducted sustained cyber operations against Ukraine since at least 2014, with a major escalation in February 2022. Key campaigns include the NotPetya attack (2017), attacks on energy infrastructure, the Viasat hack at war's start, and continuous operations against government, military, and civilian targets throughout the full-scale invasion.

How has Ukraine defended against Russian cyber attacks?

Ukraine's cyber defense has benefited from pre-invasion preparation, Microsoft and Western tech company assistance, CERT-UA operations, and the support of allied intelligence services. Ukraine developed significant cyber resilience by distributing government data to cloud infrastructure before the invasion.

What is the role of cyber warfare in the Ukraine conflict?

Cyber warfare in the Ukraine conflict operates alongside conventional military operations. Russia uses cyber attacks to disrupt infrastructure, spread disinformation, and support physical strikes, while Ukraine has developed offensive cyber capabilities to target Russian systems, including oil and gas infrastructure and military networks.

Who are the main cyber actors targeting Ukraine?

Russian state-affiliated cyber groups targeting Ukraine include Sandworm (GRU), APT28 (GRU), APT29 (SVR), Turla (FSB), and various GRU units. Ukrainian cyber forces, international volunteer hacker groups (IT Army of Ukraine), and allied intelligence cyber units operate on the Ukrainian side.

What can other countries learn from Ukraine's cyber defense?

Ukraine's cyber defense offers critical lessons: distributed cloud infrastructure reduces vulnerability to physical and cyber attacks, international information sharing accelerates threat response, pre-conflict preparation matters enormously, and the integration of civilian tech expertise with military cyber operations creates strategic advantages.