Phishing Simulation

If a business is breached, there is a strong likelihood that the breach started with a phishing attack. Phishing scams are fraudulent attempts to acquire sensitive information such as credit card details, usernames and passwords. Pretending to be a trusted source through digital communications, typically email, scammers will convince people into submitting information, downloading malware and more usually with the aim of monetary gain.

Get Instant Online Quote
Phishing Simulation Reporting Software

The basics

What is a Phishing Simulation Service?

At OnSecurity, we provide a phishing simulation service which is a phishing test that is designed to improve awareness of phishing scams across your organisation.

With a phishing test, simulated phishing emails are sent to staff across your organisation. The emails act like real phishing emails to get your employees to click links, enter passwords and other actions often requested by phishing emails. The purpose of the test is that staff can make mistakes and fall for simulated phishing emails and learn from their mistakes in a safe environment without the drastic consequences of a real phishing scam.

OnSecurity Magnifying Glass
Network Penetration Test Reporting

Testing Benefits

What are the benefits of a Phishing Simulation Service?

Phishing scams can be extremely damaging to individuals and your business so your staff must stay vigilant and aware of the latest phishing scams. Due to this, we can send emails either annually or periodically throughout the year, to maintain constant awareness of the threat of phishing scams.

We also offer 'spear-phishing', which is a phishing attack targeted at high-value targets like C-level execs, or executive PAs and other people high up in within your organisation. These high-value targets need to be particularly wary of scams as they often have access to the most sensitive information which poses to be the biggest risk to your business if it is stolen.

Phishing scams are unique in that the weakest link in your security when it comes to them is not passwords, firewalls or outdated software but the people within your company. A phishing test will;

  • Assist your team in learning to identify, avoid and report phishing emails
  • Increase awareness on phishing emails and scams

Basic Phishing


Basic phishing campaigns will send a specially crafted phishing email to an email or emails of your choice. This specially crafted email will contain a tracker and a link to a blank website. Once emails are issued to the target emails OnSecurity will then log whether the recipients;

  • Open the email.
  • Follow the web link in the email to the blank website.

We will then generate a full report detailing which users opened the email and followed the web link.

Basic Phishing
Phishing Email Envelope

Intermediate Level Phishing


Intermediate phishing campaign will again send a specially crafted phishing email with a tracker and a link to a website. However in this instance the website will be a specially crafted page simulating a legitimate service, such as a user login area or data entry area. Once emails are issued to the target emailsOnSecurity will then log whether the recipients;

  • Open the email
  • Follow the web link in the email
  • Enter any credentials or data in the specially crafted web page

We will then generate a full report detailing which users opened the email, followed the web link andentered any data in the website.

Advanced Phishing

Spear Phishing

Advanced email phishing service will be a more targeted attack against specific individuals/emails. The advanced phishing emails will contain:

  • Malicious payloads or links to OnSecurity websites hosting malicious payloads

The aim of this test is to obtain remote code execution access on the targets and thus indicating full compromise of the victims device.

Once this access is obtained OnSecurity will inform the client and await further guidance on whether they use this access to further target the corporate network.

Spear Phishing Email Envelope
CREST Penetration Testing Logo

CREST Registered - CREST Certified

Are you CREST Certified?

OnSecurity is a CREST (Council of Registered Ethical Security Testers) approved vendor. This means that all our test methodologies, processes, policies and procedures have been externally vetted by CREST to ensure we are operating to the highest standards possible in the pentesting industry.

On top of this the majority of our testers are CREST certified, meaning they have been through a CREST assault course (or CREST-recognised equivalent) to ensure they have the requisite skills needed to find and exploit vulnerabilities in a safe and controlled manner.

This external validation means you can be confident your pentests are being carried out to the highest standard, by vetted and tested consultants, who use a best-in-class manual-first approach to testing.

Getting Started

How do I book a Phishing Test?

To book a phishing test, you simply need to get in touch with our team. You can do this by calling us on +44 (0) 20 3289 6710 or email us on

Get A Quote
Question Speech Bubble


Our Services Area

Web Application Testing

Make sure hackers can’t steal data via your main web app, and protect your app users.

Read More

Mobile Application Testing

Android, iOS and cross platform we test them all.

Read More

Cloud Security Testing

Make sure your deployments are secure - including AWS, Azure and GCP.

Read More

External Infrastructure Testing

Test to see how your external IT perimeter would hold up against intruders.

Read More

Internal Infrastructure Testing

See what hackers can do once they are inside your network.

Read More

Phishing Simulation

32% of breaches involve phishing, test to make sure you’re not next.

Read More

Physical Penetration Testing

Office blocks, factories and power plants - if it has a door we can test it.

Read More

Social Engineering

Grabbing sensitive information over the phone or via email - you’ll be suprised what attackers can get

Read More

Need A Hand?

Get In Touch