What is a phishing simulation?


A phishing simulation, also known as a phishing test, is a program in which an organization sends deceptive emails that resemble malicious ones to its own staff to gauge their response to phishing and similar email attacks. The purpose of a phishing simulation is to train employees to identify and report social-engineering threats like phishing, malware, ransomware, and spyware. Phishing simulations are often launched as part of a wider human risk management approach and are administered periodically using different techniques and messaging.

Phishing simulations are recommended by various official agencies, which often provide guidelines for designing such policies. They allow the direct measurement of staff compliance and, when run regularly, can measure progress in user behavior. Phishing simulation training is one of the cyber security measures being used to help stop attempted phishing incidents. By integrating the latest phishing threats into security awareness training programs, organizations ensure that employees always have the most up-to-date information at their disposal.

Phishing simulations are important because they teach employees how to detect and avoid phishing attacks in a safe environment. They help protect organizations from phishing attacks that could lead to costly data breaches or ransomware attacks. During a simulated phishing attack, employees receive an email that closely mimics what they might see in a real phishing attack, but any mistakes or inaction will be inconsequential to the organization. The organization exposes employees to fake phishing emails and sees how they react.
