Simulated phishing training tool
Phishing is one of the most common tactics employed by hackers. It requires little effort and generally preys on the less cyber-aware. It's also the most common way for organisations to suffer a cyber attack.
Our NHS simulated phishing training reduces the risk from phishing emails. It's been created to measure NHS organisations' baseline awareness of phishing attacks and improve users’ learning through the campaign. The training is available to NHS organisations using NHS.net Connect.
How it works
You can submit a request which is picked up by one of our campaign managers. They will support you through the process and set up the phishing campaign.
The topics in the request include:
- the date you wish to start the campaign. Your campaign manager will work with you to finalise the start date. Please allow as much time as possible to ensure we can meet your preferred start date. Campaigns typically run for 2 weeks. A final report is produced for the requestor showing data on how recipients interacted with the phishing email and with the training. No amendments can be made once the final report has been produced
- the number of email addresses in scope. The upper limit is 30,000 although we can set up multiple campaigns to meet greater demand
- the email template you wish to use from our phishing catalogue. These are refreshed on a regular basis using the latest techniques and learning. Your campaign manager will ensure you are choosing from the latest templates
- discussing and running tests to check whether any local mail filtering will block the phishing email from being sent. This may need support from your local mail admin resource. We have some helpful documents to get you started
- ensuring the right level of authorisation has been obtained. This will be captured on the form that is submitted
NHS England is the service provider for the NHS Simulated Phishing Service. Local communication of the phishing campaign should be managed by the NHS organisation taking part.
How to register
Complete this form to request a simulated phishing campaign. Once submitted, a member of our team will be in touch to discuss your requirements.
If you have any questions before submitting a request, contact [email protected]
Requests for the NHS Simulated Phishing Service are moving to the ServiceNow portal from Monday 18 May 2026.
Organisations are encouraged to submit new simulated phishing campaign requests via ServiceNow. This will improve request tracking and support a more streamlined service.
During the transition period the existing webform will remain available. However, this will be phased out, and ServiceNow will become the primary way to log requests.
Further updates will be published on this page as the transition progresses.
GDPR compliance
NHS England's Data Security Centre acts as a data processor. We have direction (s.254 of the Health and Social Care Act 2012) to process this information under the Health and Social Care Act 2012. You can email us at [email protected] for further information.
How this service aligns with the Cyber Assessment Framework
This service aligns to the following principles and outcomes of the Cyber Assessment Framework (CAF).
Objective A: Managing security risk
A1.a You have effective organisational security management led at board level and articulated clearly in corresponding policies
Objective D: Minimising the impact of cyber security incidents
D1.c Your organisation carries out exercises to test response plans, using past incidents that affected your (and other) organisation, and scenarios that draw on threat intelligence and your risk assessment.
Last edited: 11 May 2026 3:43 pm