The Phishing Kill Chain – Simulation Delivery


Part 4 in a series on being “Left of Breach” in the Phishing Kill Chain.

In part 3 we looked at Simulation Design, where we discussed using analysis of simulation results and active threat intelligence in anti-phishing programs. We will now take a closer look at simulation delivery practices.

Once again, we want to model the real world as much as possible in our approach to simulations. Generally, malicious actors and advanced persistent threats use two approaches in their phishing campaigns.

  1. Traditional Phishing – utilizing mass emailing for both reconnaissance and exploitation
  2. Spear Phishing – targeted emails based on reconnaissance that exploit known or presumed weaknesses

Because of this, it’s important that we plan delivery of simulations in an analogous manner. Anti-phishing programs should include delivery of simulations to the general population and targeted spear phishing simulations based on the self-enumeration and analysis of previous simulation results.

A typical first-year simulation delivery plan might look like the following:

| Timeline | Simulation | Audience | Purpose |
|---|---|---|---|
| Month 1 | Program Announcement with Simulation Sample | All | Announce program and provide initial recognition / reporting guidance and practice for the entire user base. |
| Month 2 | eCard Click Only Simulation | All | Provide a straightforward example of risk that many overlook. Remember, simplicity of an email’s construction may not relate to difficulty in recognition. |
| Month 3 | Package Delivery Click Only Simulation | All | Identify the company’s potential exposure to an often-used delivery format. Stress technical identifiers and reporting in education. |
| Month 4 | Targeted Invoice Attachment | Finance | Begin to address known attack styles and develop increased resilience in those users likely to be phished in this manner. |
| Month 5 | Repeat lowest resiliency simulation from month 2 or 3 | All | Reinforce the initial lesson and measure for retention and increases in reporting. |
| Month 6 | Join Co-Workers on Social Media Data Entry | All | Expose users to the dangers of providing private / confidential information via social media platforms. Measure against initial data entry simulation results. |
| Month 7 | Targeted Security Report Simulation | IT | Ensure known phishing attacks that target IT and Security organizations gain wider recognition and stress reporting even in the event of susceptibility. |
| Month 8 | Unauthorized Access Data Entry Simulation | All | Re-emphasize the dangers of credential phishing and points of recognition across the user base. Highlight the dangers of credential re-use across accounts. |
| Month 9 | Repeat lowest resiliency simulation from month 2, 3, or 6 | All | Reinforce the initial lesson and measure for retention and increases in reporting. |
| Month 10 | Avoid Charges Attachment | All | Introduce the dangers of enabling macros in attachments sent via email. Measure for resiliency and current exposure. |
| Month 11 | BEC – Wire Fraud | Finance / Executives | Introduce executive compromise attacks to those most likely to receive them. Measure resilience of the organization’s financial processes and procedures. |
| Month 12 | Scanned File (Benchmark) | All | Measure performance against a common style of attack, compare to your industry peers and develop a resiliency trend across the first year of the program. |


As we can see in the simulation delivery plan above, we covered multiple types of phish (click only, data entry, and attachment across multiple themes) and incorporated both mass emails and spear phishing based on active threats. By doing so, we accomplished multiple goals:

  1. Increased the resiliency of our entire user base
    1. Resiliency is equal to total number reported / total number susceptible
  2. Reinforced and hardened high value targets against known attacks
    1. Note the spear-phishing against Finance, IT, and Executives
  3. Identified and mitigated specific exposures associated with phishing
    1. Note the importance of reducing risk through repetition of low resiliency simulations
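
The resiliency ratio and the "repeat the lowest resiliency simulation" steps from the plan can be computed directly from campaign counts. The following is an added example, not code from the original article; the `SimResult` type, the function names and all counts are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class SimResult:
    month: int
    name: str
    audience: str
    reported: int      # recipients who reported the simulated phish
    susceptible: int   # recipients who clicked, entered data or opened the attachment


def resiliency(r: SimResult) -> Optional[float]:
    """Resiliency as defined in the article: reported / susceptible.
    Returns None when nobody was susceptible, since the ratio is undefined."""
    if r.susceptible == 0:
        return None
    return r.reported / r.susceptible


def pick_repeat(results: Iterable[SimResult], candidate_months: set) -> Optional[SimResult]:
    """Pick the simulation to repeat: lowest resiliency among the candidate months."""
    scored = [(resiliency(r), r) for r in results if r.month in candidate_months]
    scored = [(s, r) for s, r in scored if s is not None]
    return min(scored, key=lambda pair: pair[0])[1] if scored else None


def retention_delta(original: SimResult, repeat: SimResult) -> Optional[float]:
    """Change in resiliency between a simulation and its repeat (positive = improved)."""
    before, after = resiliency(original), resiliency(repeat)
    return None if before is None or after is None else after - before


# Constructed sample counts, not real campaign data.
RESULTS = [
    SimResult(2, "eCard Click Only", "All", reported=120, susceptible=300),
    SimResult(3, "Package Delivery Click Only", "All", reported=90, susceptible=360),
    SimResult(4, "Targeted Invoice Attachment", "Finance", reported=30, susceptible=20),
    SimResult(6, "Social Media Data Entry", "All", reported=150, susceptible=250),
]
MONTH_5_REPEAT = SimResult(5, "Package Delivery Click Only (repeat)", "All", 180, 240)

if __name__ == "__main__":
    chosen = pick_repeat(RESULTS, {2, 3})            # month 5 decision in the plan
    print("Repeat in month 5:", chosen.name, resiliency(chosen))
    print("Retention delta:", retention_delta(chosen, MONTH_5_REPEAT))
```

A ratio above 1 means more users reported the simulation than fell for it, which is the trend the repeat simulations in months 5 and 9 are meant to show.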

Remember – The importance of providing simulations to your entire user base cannot be overstated. With ever-changing attack profiles, shifts in job responsibilities and broad access to data, everyone in an organization needs to be prepared to recognize and report suspicious activity.

In the next part of this series, we will take a closer look at stressing the importance of reporting.
