Proofpoint Phishing Simulations

Spambrella - Proofpoint Phishing Simulation

Proofpoint Phishing Simulations

Every year, threat actors look for new ways to bypass your security defenses. As one would expect, different languages, cultures, and levels of digital maturity mean some places are more vulnerable than others.

Here are a few highlights:

  • Swedish organizations were the most likely to suffer a successful phishing attack, at 94%.
  • The US and Netherlands was the most targeted for cyber attacks by both insiders (86% vs 66% global average) and outsiders (84% vs 68% global).
  • Only 35% of German organizations train their employees on insider threats.

Phishing is a major headache for information security professionals. As attackers move away from infrastructure and focus on people as targets, phishing emails are becoming the leading social engineering channel. And more popular phishing email types like impostor or business email compromise and ransomware are making this problem even more challenging for security teams to manage.

2021 State of the phish

Effective technical email security controls are essential. However, many information security professionals also want to focus on how their people react to what appears to be a malicious message. That’s why phishing simulations have become such popular components of well-rounded security awareness programs.

What are phishing simulations?

Phishing simulations are emails that appear to be malicious but aren’t sent by real attackers and don’t contain malicious content. IT and information security departments typically send these emails to users in their organization as a test to see how they will react.

The software supporting phishing simulations typically measures how many and which users view, click, download, reply, enter credentials or (best-case scenario) report the message with a phishing reporting tool.

phishing simulation

Figure 2: Examples of Proofpoint phishing simulation tool templates

Our phishing simulation tool lets you choose from thousands of templates, including examples of actual attacks using real brands seen by Proofpoint threat intelligence. You can also send simulations to populations like Very Attacked People (VAPs) or users who have engaged with known malicious content.

If users do click, enter information into a fake landing page or download attachments, they can be presented with a landing page, usually providing tips and telling users it’s a simulation.

Be forewarned, though, that users may view this landing page for only a few seconds. The typical user reaction is to close out of these pages as quickly as possible. So, these pages are not ideal as standalone educational components.

Why conduct phishing simulations?

It’s common for people to think that bad things happening in the world can’t happen to them. But the phishing simulations that users fall for can lead to that critical “Aha!” moment when users realize that they can, indeed, be compromised.

As phishing attacks become more targeted and trickier to spot, creating the concept of vulnerability is important to help drive the “why” of your security awareness program. Users understand after falling for one simulated phishing attack that they could be susceptible to a real attack.

How should your organization perform?

The “click rate” or “failure rate,” which is the percentage of users who engage with phishing simulations, is a common way to measure security awareness. And in our ‘Proofpoint Phishing Report 2023, we found the average “failure rate” for our customers’ users is around 10%.

But that’s only one dimension to measure program success.

Proofpoint Phishing Report 2023

In addition to the click rate, measuring the reporting rate, or percentage of users who report a simulated phish, is a great way to:

  • Show users are taking positive actions, not just avoiding negative ones.
  • Report up to key stakeholders and put your program in a more positive light.
  • Demonstrate potential impact when suspicious messages slip through perimeter defenses; by reporting messages, users reduce further exposure to attacks.

When you have users consistently click or fail less than 5% of the time, and report more than 70% of simulated messages, you’re performing exceedingly well compared to most organizations.

What are best practices for phishing simulations?

We have several recommendations, provided below, based on our experiences helping thousands of our customers to run phishing simulations smoothly.

Before you go live:

  • Safelist appropriately and run a test to a handful of staff in your department to make sure the phishing simulations are delivered as intended.
  • If you have a help desk or similar internal service, give them a heads up about the simulated phish before you send it out; do this every time.
  • Consider keeping another designated group of people in the loop about the simulation, such as human resources, high-level management or others, as appropriate.
  • If you’re sending a simulated phish mimicking another internal department, request that department’s permission and get them to approve the final content.
  • For simulations reaching international audiences, consider finding stakeholders in those areas who are familiar with the culture and can review phishing simulation content to ensure it’s relevant.


Figure 4. Sample data showing a VAPs report in the Proofpoint Targeted Attack Protection advanced email security dashboard; this data can guide phishing simulations and education to create a focused program with impact.

Starting your phishing simulation program

When you send your first simulated phish, send users to a 404-error page to get a solid baseline of user vulnerability to start. Then, after you’ve sent this “blind phish”:

  • Send a notification introducing users to the program and goals; see if the message can be sent by your chief information security officer (CISO) or chief information officer (CIO) or another C-level executive.
  • Next, identify your most attacked people or users engaging with real attacks to focus your simulations or provide more targeted risk-reduction efforts to these populations.
  • And finally, work with other departments or colleagues to measure real security impacts from users before and after the program is implemented to demonstrate the return on investment for your efforts — such as computer remediations from malware, successful phishing attacks and credential breaches.

As your program progresses

Ensure you have a good cadence. We recommend at least one phishing simulation every 4-6 weeks, and more if possible. As your program evolves, you’ll want to:

  • Send more targeted phishing attacks — for instance, use specific templates based on real attacks for certain departments and populations like VAPs.
  • Consider auto-enrolling users who fall for simulations in education to build their skills.
  • Implement a phishing reporting tool to make it easy for users to report suspicious messages.

For users who are “repeat clickers,” consider having a one-on-one meeting to understand why they’re engaging with potentially malicious messages and to reiterate the importance of your program. Also, be sure to share stories about or reward users who are reporting simulations or even actual attacks. That can gamify your program and encourage more positive behavior.

Next steps for successful security awareness programs


Figure 5. Sample content from hundreds of computer-based training modules and educational materials available from Spmbrella via Proofpoint.

It’s important to think of phishing simulations as one component of an effective and ongoing security awareness program. Be sure to also provide engaging security awareness content, webinars, in-person sessions and other components to engage users and drive behavior change. (You can take a deeper dive into best practices with our Managed Security Awareness and Threat Simulation program mSAT.)

If you’re looking for a Proofpoint Essentials Security Awareness partner to drive positive behavior change, Spambrella can help you gauge the strength of your program and the risk of your people with our free People Risk Assessment.

Or, if you have limited resources to run a program, consider the Managed Security Awareness Programs from Spambrella. Our programs are led by experts who have worked on hundreds of programs with organizations of all sizes.

Additional reading:

Managed Security Awareness Training

Proofpoint Essentials Distribution

Ethical Phishing: Testing Your Employees


Related Case Studies

I found spambrella to be easy to set up and has dramatically reduced the number of spam emails hitting our inboxes. It was easy to 'train' the software to release any genuine emails that were caught or add any spam that was not picked up.

Within a couple of weeks of use virtually no spam arrived to our mailboxes. Spam and phishing emails are a growing problem for everyone I'm sure. I now get a very low incidence of spam.

David F., Review via Gartner Capterra

Used the software for: 2+ years - 5/5 Overall
With an ever overloaded department, and with cybersecurity skills shortage getting worse securing the I.T infrastructure.

Offloading the task of e-mail filtering to Spambrella has dramatically helped in the department's performance. The only drawback in our case is that the service is hosted outside of our territory and thus out of the legal jurisdiction.

John P., Review via Gartner Capterra

Easy to onboard my customers from another spam filtering system. Very fast and haven't had any downtime in the 9 months since I have moved to Spambrella. When I have had to use support, responses where quick. I had to move all my customers from another filtering system with little notice. After I moved my customers I realised how bad the old solution I used was. Contact with Sales and Support always been professional

Allen B., Review via Gartner Capterra

It doesn't require an arcane knowledge to set the Spam filtering up, the guides are straight to the point and support staff are very helpful. Functionality wise, in short: we do not get spammed. Thanks to Spambrella.

Archiving wise, the new solution is easy to use, searches well and fast and is by far the cheapest we could find at the time. Ten year retention rocks!

Verified Reviewer, Review via Gartner Capterra

Robust, versatile, and reliable...
The reliability of the service and the level of protection that it provides. My spam levels immediately dropped to near zero.

There are almost no false positives. And I'm easily able to customize the level of protection with whitelists, blacklists, and sensitivity settings. I'm also a big fan of the antivirus and URL scanning features.

Verified Reviewer, Review via Gartner Capterra

The service is great at filtering bad email as well as junk email out while allowing clean email though. I have used a few other options over the years and this is the best I have found. Clients sometimes have trouble configuring their settings to how they want it to be. Or tag emails as approved when they shouldn't and need IT interaction to resolve. Maybe just ease of use or having a more clear way for clients to resolve basics on their own.

Brian M., Review via Gartner Capterra

Latest blog posts

  • On June 14, 2024
Microsoft 365 Email Continuity Service – Is it Needed?

An email continuity service, whilst not strictly required for Microsoft 365, can be highly beneficial for ensuring business continuity. When considering MX (Mail Exchange) backup…

Read more
  • On June 13, 2024
HIPAA Email Security: A Guide for Healthcare Organizations

Sharing sensitive patient information via email goes hand in hand with hidden exposure risks that HIPAA regulations aim to ward off. Traditional email security standards…

Read more
  • On June 12, 2024
Business email archiving: Compliance and accessibility

An email network acts as the central nervous system by spreading critical information throughout the organization. If this network is disrupted, you may be unable…

Read more
  • On May 31, 2024
Why Microsoft 365 is Insufficient for Email Security

This article investigates why Microsoft 365 is insufficient for email security in today’s digital landscape. Email security is a critical concern for businesses of all…

Read more