Phishing Security Test

Find out what percentage of your employees are Phish-prone with your free phishing simulator test.

Did you know that 91% of successful data breaches started with a spear phishing attack?

Find out what percentage of your employees are Phish-prone™ with your free phishing security test. Plus, see how you stack up against your peers with the new phishing Industry Benchmarks!

IT pros have realized that simulated phishing tests are urgently needed as an additional security layer. Today, phishing your own users is just as important as having antivirus and a firewall. It is a fun and effective cybersecurity best practice to patch your last line of defense: your users.

Why? If you don't do it yourself, the bad actors will.

Here's how it works:
  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or serve them a plain 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Start phishing your users now. Fill out the form, and get started immediately!


Phishing Defined

Phishing is the attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity, typically using bulk email crafted to evade spam filters.

Emails claiming to be from popular social websites, banks, auction sites, or IT administrators are commonly used to lure the unsuspecting public. It’s a form of criminally fraudulent social engineering.

Phishing FAQs

What can be done to prevent phishing attacks?
This is not an exhaustive list by any means, and there is no 'silver bullet' that will stop phishing. However, here is a brief list of what we have found to be best practices:
  1. Understand the risks you face
  2. Develop adequate policies
  3. Keep systems up-to-date
  4. Ensure you have good and recent backups
  5. Deploy anti-phishing solutions
  6. Implement best practices for user behavior
  7. Use robust threat intelligence

Additionally, here are our top 10 prevention tips to share with your users to help keep them safe from anywhere:

  1. Keep informed about phishing techniques
  2. Think before you click!
  3. Install an anti-phishing toolbar
  4. Verify a site’s identity before entering credentials: check that the address bar shows the domain you expect and a valid HTTPS certificate
  5. Check your online accounts regularly
  6. Keep your browser up to date
  7. Use firewalls
  8. Be wary of pop-ups
  9. Never give out personal information if you're unsure
  10. Use antivirus software 

Your last line of defense against phishing attacks is your users. That's why the most important step you can take towards prevention is a new-school security awareness training program combined with regular simulated phishing tests.

How do I phish my users?

Phishing and training your users as your last line of defense is one of the best ways to protect yourself from attacks. Here are the 4 basic steps to follow: 

  1. Baseline Testing to assess the Phish-prone percentage of your users before training them. You want to know the level of attack they will and won't fall for as well as have data to measure future success.
  2. Train Your Users with on-demand, interactive, and engaging training so they really get the message.
  3. Phish Your Users at least once a month to reinforce the training and continue the learning process.
  4. See The Results for both training and phishing, getting as close to 0% Phish-prone as you possibly can.

An additional 5 points to consider:

  1. Awareness in and of itself is only one piece of defense-in-depth, but crucial
  2. You can't and shouldn't do this alone
  3. You can't and shouldn't train on everything
  4. People only care about things that they feel are relevant to them
  5. The ongoing process is to help employees make smarter security decisions

...and what we've found to be the 5 best practices to embrace:

  1. Have explicit goals before starting
  2. Get the executive team involved
  3. Decide what behaviors you want to shape - choose 2 or 3 and work on those for 12-18 months
  4. Treat your program like a marketing effort
  5. Phish frequently, once a month minimum

Phishing your users is actually FUN! You can accomplish all of the above with our security awareness training program. If you need help getting started, whether you're a customer or not, you can build your own customized Automated Security Awareness Program (ASAP) by answering 15-25 questions about your organization.

What are some common phishing email types?

Cybercriminals are constantly updating their phishing techniques. While the content of phishing emails has come a long way and continues to evolve, here are a few basic variations that are most common:

  1. Classic Phishing Email: Over the past few years, online service providers have gone the route of messaging customers when they detect unusual or worrisome activity on their users' accounts. Not surprisingly, the bad guys are using this to their advantage. Many are designed poorly, with bad grammar and the like, but others look legitimate enough for someone to click if they weren't paying close attention.

  2. Social Media Exploits: Many users have publicly available information on platforms like Facebook, LinkedIn, and Twitter. The bad guys scrape this information to craft targeted spear phishing emails against your users and your organization. These emails are part of campaigns designed to hijack accounts, damage your organization's reputation, or gain access to your network.

  3. Infected Attachments: Malicious .HTML attachments aren't seen as often as .JS or .DOC file attachments, but they are attractive to attackers for a couple of reasons. First, there is a low chance of antivirus detection, since .HTML files are not commonly associated with email-borne attacks. Second, .HTML attachments are commonly used by banks and other financial institutions, so people are used to seeing them in their inboxes.

    Malicious macros in phishing emails have also become an increasingly common way of delivering ransomware. These documents too often get past antivirus programs with no problem. The phishing email creates a sense of urgency so that the recipient enables macros without thinking; if users do not enable the macros, the attack is unsuccessful.

  4. CEO Fraud Scams: CEO fraud is a type of scam in which cybercriminals spoof company email accounts and impersonate executives to fool an employee in accounting or HR into executing unauthorized wire transfers or sending out confidential tax information. Typically, cybercriminals have gathered enough data to know exactly whom they want to target.
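
The attachment and CEO-fraud patterns described above can be checked mechanically before a message reaches a user. The script below is an added example, not KnowBe4 code or any vendor's detection logic: it parses one RFC 5322 message with Python's standard email library and flags (a) a known executive's display name on an address other than their genuine one, (b) a Reply-To that points outside the From domain, (c) lure vocabulary such as "wire transfer", and (d) risky attachment types, including Office Open XML files that actually contain a VBA project (vbaProject.bin inside the zip). The company domain, executive list, keyword list and both sample messages are constructed for the example.

```python
from __future__ import annotations

import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed organization data for the example (not from the page).
COMPANY_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> genuine address

# Attachment types the text calls out: HTML, script, and macro-enabled Office files.
RISKY_EXTENSIONS = {".html", ".htm", ".js", ".docm", ".xlsm", ".pptm"}
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
# Lure vocabulary typical of CEO-fraud mail (assumed wordlist, not a vendor signature).
BEC_KEYWORDS = ("wire transfer", "urgent", "confidential", "w-2")


def has_vba_macro(payload: bytes) -> bool:
    """Office Open XML files are zip archives; VBA code ships as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> list[str]:
    """Return human-readable findings for one message; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: list[str] = []

    # 1. Executive impersonation: a known exec's display name on a foreign address.
    display, addr = parseaddr(str(msg.get("From", "")))
    genuine = EXECUTIVES.get(display.strip().lower())
    if genuine and addr.lower() != genuine:
        findings.append(f"display name '{display}' matches an executive but sender is {addr}")

    # 2. Reply-To outside the From domain routes the victim's answer to the attacker.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != _domain(addr):
        findings.append(f"Reply-To domain {_domain(reply)} differs from From domain {_domain(addr)}")

    # 3. Lure wording in subject and body text.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [k for k in BEC_KEYWORDS if k in text]
    if hits:
        findings.append("lure keywords: " + ", ".join(hits))

    # 4. Attachments: risky types by name, plus OOXML files that really carry a VBA project.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {name}")
        if ext in OOXML_EXTENSIONS and has_vba_macro(part.get_payload(decode=True) or b""):
            findings.append(f"attachment carries a VBA macro: {name}")
    return findings


def build_bec_sample() -> str:
    """Constructed message combining the CEO-fraud and infected-attachment patterns; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "Jane Doe <jane.doe@examp1e.com>"       # lookalike domain, real exec's name
    msg["Reply-To"] = "jane.doe@reply.invalid"
    msg["To"] = "accounts.payable@example.com"
    msg["Subject"] = "Urgent: wire transfer today"
    msg.set_content("Please process the attached wire transfer before noon. Keep this confidential.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:                  # minimal OOXML shell with a VBA project
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment("<script>location='http://phish.invalid/'</script>",
                       subtype="html", filename="statement.html")
    return msg.as_string()


def build_clean_sample() -> str:
    """Constructed benign message from the executive's genuine address."""
    msg = EmailMessage()
    msg["From"] = "Jane Doe <jane.doe@example.com>"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Lunch on Friday"
    msg.set_content("Team lunch at noon on Friday, hope you can make it.")
    return msg.as_string()


if __name__ == "__main__":
    for finding in triage(build_bec_sample()):
        print("FLAG:", finding)
    print("clean message findings:", triage(build_clean_sample()))
```

The extension check alone would miss a macro hidden in a file renamed to .docx, which is why the zip is opened and inspected; conversely a legacy binary .doc is not a zip, so a production filter would need an OLE parser for that format. Keyword hits are a weak signal on their own and are best used to raise priority, not to block.
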
How does the Phishing Security Test work?

KnowBe4's free Phishing Security Test can determine the vulnerability level of your organization by giving you an indication of how many of your people may be susceptible to an email-borne social engineering attack.

It can also be used to supplement and reinforce training received in the KnowBe4 training modules by giving your users real world “practice” in recognizing social engineering attacks and responding to them appropriately.

It works like this: the Phishing Security Test (PST) sends one email to each user in your organization. In our initial, free phishing security test, the email sent is a link test: it contains text meant to lure the user into clicking an embedded link. Once the link is clicked, the user is directed to a Landing Page. Our Basic Landing Page tells the user they have been part of a simulated phishing test and gives them some rules to apply when inspecting emails in their inbox.

The result of the test is the number of users who failed the test divided by the number of users to whom the test was delivered. This gives you a Phish-Prone Percentage: the percentage of your users who “failed” the PST by clicking the link.
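
The mechanics just described (one unique link per recipient, a landing page that records the click, and failed divided by delivered) are small enough to show end to end. The class below is an added illustration written for this page, not KnowBe4's implementation: each recipient gets a link carrying an opaque random token, the landing page handler looks the token up and records the click, and the Phish-prone percentage counts each user at most once and excludes bounced recipients from the denominator. The landing URL and the five recipients are made up for the example.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class LinkTestCampaign:
    """One simulated link-test campaign: a unique tracked link per recipient, click bookkeeping,
    and the Phish-prone percentage computed as unique clickers / delivered recipients."""
    landing_url: str
    tokens: dict[str, str] = field(default_factory=dict)   # opaque token -> user
    delivered: set[str] = field(default_factory=set)
    bounced: set[str] = field(default_factory=set)
    clicked: set[str] = field(default_factory=set)

    def tracked_link(self, user: str) -> str:
        """Issue a link whose token is random, so one user's link cannot be derived from another's."""
        token = secrets.token_urlsafe(16)
        self.tokens[token] = user
        self.delivered.add(user)
        return f"{self.landing_url}?{urlencode({'t': token})}"

    def record_bounce(self, user: str) -> None:
        """A bounced message never reached the user, so they leave the denominator."""
        self.delivered.discard(user)
        self.bounced.add(user)

    def record_click(self, url: str) -> bool:
        """Called by the landing page. Returns False for unknown or forged tokens and bounced users."""
        token = parse_qs(urlparse(url).query).get("t", [""])[0]
        user = self.tokens.get(token)
        if user is None or user not in self.delivered:
            return False
        self.clicked.add(user)          # a set, so repeat clicks count once
        return True

    def phish_prone_percentage(self) -> float:
        if not self.delivered:
            return 0.0
        return round(100.0 * len(self.clicked) / len(self.delivered), 1)

    def report(self) -> dict[str, object]:
        return {
            "delivered": len(self.delivered),
            "bounced": len(self.bounced),
            "failed": len(self.clicked),
            "phish_prone_pct": self.phish_prone_percentage(),
        }


def run_demo() -> dict[str, object]:
    """Constructed walkthrough with five made-up recipients (example data, not real results)."""
    campaign = LinkTestCampaign("https://awareness.example.com/landing")   # assumed URL
    users = [f"{n}@example.com" for n in ("alice", "bob", "carol", "dave", "erin")]
    links = {u: campaign.tracked_link(u) for u in users}

    campaign.record_bounce("erin@example.com")            # mailbox did not exist
    campaign.record_click(links["alice@example.com"])     # alice fails the test
    campaign.record_click(links["alice@example.com"])     # second click, still one failure
    campaign.record_click(links["bob@example.com"])       # bob fails the test
    campaign.record_click(links["erin@example.com"])      # ignored: never delivered
    campaign.record_click(campaign.landing_url + "?t=guessed-token")   # ignored: never issued
    return campaign.report()                              # 2 of 4 delivered -> 50.0


if __name__ == "__main__":
    print(run_demo())
```

One caveat a real campaign has to handle that this toy does not: mail security gateways and link-scanners often fetch every URL in a message before the user sees it, which would register as a click and inflate the percentage. Production tools discount those fetches (for example by known scanner source ranges or by requiring a browser-side action on the landing page) before counting a failure.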

I just sent a Phishing Security Test, now what?

After you run the test, you can return to your account at any time to view the results on the Dashboard page. You will be able to see your Phish-Prone Percentage, showing your vulnerability if a similar phishing attack were to occur within your organization. You will also see how your Phish-Prone Percentage compares with others in your industry, after one year of combined computer-based security awareness training and simulated phishing.

A PDF report will also be emailed to you automatically after 24 hours. If you would like to know who clicked, your rep or reseller can get you that information!

Armed with this knowledge, you can help protect your organization by teaching your users about the dangers of these types of attacks. Enrolling in KnowBe4's new school security awareness training can help you achieve this goal. Through KnowBe4, you can train your users to spot the warning signs and keep their skills sharp by sending fake phishing attacks much like the ones in this free tool.

Is mobile phishing getting worse?

Mobile phishing attacks in the first quarter of 2020 have increased by 475% from the same period in 2019, according to a recent report by Lookout. Attacks on mobile devices are nothing new, however they are gaining momentum as a corporate attack vector.

Attackers now take advantage of SMS, as well as some of today’s most popular and highly used social media apps and messaging platforms, such as WhatsApp, Facebook Messenger, and Instagram, as a means of phishing. Security professionals who overlook these new routes of attack put their organizations at risk.

Here are just a few phishing related risks posed by mobile device use:

  • Apps - often lack built-in security controls. Free apps in particular usually ask for far more access than they need.
  • WiFi - your device typically picks up the strongest signal, which may be a rogue WiFi that seems legitimate but is actually an attacker just waiting to monitor, intercept or even alter communications from your device.
  • Bluetooth - can be used to spread malware, and attackers can use it to break into phones and access your organization’s data.
  • Human error - thieves sell lost and stolen devices to buyers who are more interested in the data than the device itself.
  • Smishing - aka phishing conducted via SMS. Like phishing emails, a smishing text tries to entice the victim into revealing personal information by asking the recipient to take action on any number of seemingly mundane pretexts, e.g., the user’s bank claiming it has detected unusual activity or a congratulatory notice saying the person has won a prize from their favorite store.

Learn about more phishing examples, mobile phishing, and how to prevent attacks on our Ultimate Resource to Phishing.