NHS simulated phishing tool user journey

Phishing is one of the most common tactics employed by hackers. It requires little effort and generally preys on the less cyber-aware. It's also the most common way for organisations to suffer a cyber attack.

This is the process you should expect to follow when requesting a simulated phishing campaign.

Stage / Activity

Request

Request form submitted to register your interest. This is sent to our service desk: [email protected].

Contact

A ticket is logged and your campaign manager contacts you to schedule the date of your simulation.

Email templates

Your campaign manager will provide you with the templates available to choose from. Your organisation chooses an available email template per campaign (these are updated every 3 months). The email can be sent to a maximum of 30,000 users in your organisation.

Campaign set-up

Your campaign manager walks you through all the aspects of your campaign. The campaign will run for a minimum of 2 weeks.

Before we can launch a phishing email, we require the relevant resource in your organisation to ensure that the relevant domains are added where appropriate.

The documents are as follows:

We have moved to a new product, and at the moment, it does not support staggered releases. This means that the submission form no longer includes the option to schedule phishing email deliveries at intervals.

Our teams are actively working together with the provider to bring this feature back as we know how valuable it is for our operations. In the meantime, please be aware that all phishing emails will be sent out simultaneously.

Exercise

When the email lands in the recipient's inbox, we will be able to record whether they open the email, click the link, submit credentials (no data captured), delete the email, or report it as phishing.

Training

As part of the service, users who click a phishing link and enter their credentials are automatically assigned training. Although this training can be removed on request, it is generally recommended.

All users who enter credentials are directed to a landing page containing a link to the NHS England phishing email training video, regardless of whether the training assignment has been disabled.

Users receive a notification confirming their training assignment, with reminder emails sent weekly until completion. Compromised users are required to watch the phishing email training video and complete a separate online training module. Completion of this module is recorded and included in your final campaign report.

Training is normally required to be completed within 7 days. This deadline can be extended to 15 or 30 days on request.

Positive reinforcement messages can also be sent to users who report the phishing email. These are typically issued after the campaign has concluded.

Examples of the end user notifications:

Report

At the end of the 2 weeks, we will compile a final report to send you, which will include data on how recipients interacted with the email and the training for the campaign. The report will be final and no amendments can be made once it has been produced.

Communicate

We will also provide a link to our training video, so this can be shared amongst all staff when or if you choose to publish your results.

Compare

We recommend running another simulation soon after to measure effectiveness.

Last edited: 9 April 2026 3:38 pm