  • Steven Duckett

Simulated Phishing Exercise - What is it and Who needs it?

A Simulated Phishing Exercise is essentially a test where realistic (but safe) Phishing emails are sent to your staff members to see if they can spot warning signs and red flags and consequently follow the correct procedures to deal with the Phishing email.

In 2023, the Cyber Security Breaches Survey found that 89% of businesses suffered phishing attacks. This shows that all businesses, from sole traders to large corporations, must test and train their staff against the dangers of Phishing attacks.

How often do you need a Simulated Phishing Exercise?

Choosing the frequency of Simulated Phishing Exercises is a balancing act: conduct them too often and they begin to lose their effectiveness, but leave too much time between campaigns and employees' awareness can decline.

This is why the North West Cyber Resilience Centre recommends conducting a Simulated Phishing Exercise once per quarter (once every three months). Our research shows that this period allows businesses to implement the necessary procedures/policies and retrain key employees.

What is the process of a Simulated Phishing Exercise?

The North West Cyber Resilience Centre staff will conduct an initial scoping call to determine how many staff are to be included in the campaign, what style of email template(s) are required for the Phishing emails, and dates/times the campaign should run from/to.

The first Simulated Phishing Exercise is a baseline assessment paired with our Security Awareness Training program. It can be compared to future campaigns to determine the effectiveness and review improvements in staff cyber awareness.

The aim is that your staff will be able to spot common warning signs and indicators (including but not limited to those below) and report the email in line with your business's processes/policies:

  • Unusual “From” email address

  • A “Reply-To” email address that is different from the “From” email address

  • A sense of urgency in the tone of the email body

  • An unusual email topic, such as confirming bank details or installing software or an application that is not used by the business

  • An unusual email that asks the recipient to enter/confirm Personally Identifiable Information (PII)
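
A minimal check for several of the warning signs listed above, added here as an illustration and not part of the original article or the Centre's tooling. The expected-domain list, the phrase lists and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this business normally receives internal mail from.
EXPECTED_DOMAINS = {"example.co.uk"}
# Assumption: illustrative phrase lists, not an exhaustive rule set.
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|account will be (suspended|closed))\b", re.I)
SENSITIVE = re.compile(r"\b(bank details|password|date of birth|national insurance number)\b", re.I)

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def warning_signs(raw_message):
    """Return the warning signs from the list above that this message shows."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])  # header is optional
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg['Subject'] or ''}\n{body}"
    signs = []
    if from_dom not in EXPECTED_DOMAINS:
        signs.append("unusual From address")
    if reply_dom and reply_dom != from_dom:
        signs.append("Reply-To differs from From")
    if URGENCY.search(text):
        signs.append("sense of urgency")
    if SENSITIVE.search(text):
        signs.append("asks for bank details or PII")
    return signs

# Constructed sample messages (not real mail).
SUSPICIOUS = """From: IT Support <it-support@examp1e-helpdesk.test>
Reply-To: helpdesk@mail-collector.test
Subject: Urgent: confirm your password

Your account will be suspended within 24 hours unless you confirm your password.
"""
ROUTINE = """From: Facilities <facilities@example.co.uk>
Subject: Car park resurfacing next month

The east car park will be closed on the first weekend of next month.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        print(name, warning_signs(raw))
```

Header and keyword checks like these catch only the obvious cases, which is why staff reporting remains part of the process.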


How long does a Simulated Phishing Exercise take?

After setup is completed, the campaign will run for 1-2 weeks; this is usually done within a time frame that mimics that of an attacker to make the scenario as realistic as possible.

Once concluded, our team will produce a comprehensive report detailing all of the actions taken by your staff and explaining the risks associated with these actions. This will also be backed up with graphs and key statistics.

Will a Simulated Phishing Exercise affect our normal business operations?

No, our Simulated Phishing Campaigns are designed to run alongside normal business operations with minimal impact. Any email templates we use will not be malicious, and our team will keep you updated with the times/dates the campaign is running so you’re always aware of what is happening.

Raise your staff's awareness of phishing emails and guard your business against the growing trend of social-engineering threats with a Simulated Phishing Exercise today.


How can we support your business?


Raise your staff's awareness of phishing emails and guard your business against the growing trend of social-engineering threats.


Training your employees on what a phishing attack looks like makes them more likely to identify and report scams.


Our training package is designed and delivered by cyber experts giving you access to the most up-to-date information in an ever-changing cyber landscape.

You can purchase single-place training spots or a cyber security workshop.

Community Members

Our premium membership package is aimed at medium-sized businesses and includes bespoke security awareness training sessions.


This allows your business to train several cyber security champions and provides an assessment of your cyber risk.
