I'm looking for some real-world insights into phishing simulation tools as we review our security measures to improve phishing awareness. Everyone's situation is unique, so I'm curious about what tools you've found effective (or not) based on your environments and user base. Have any of these tools led to meaningful changes in user behavior over time, or did they just create frustrations? Also, how important are features like automation, reporting, and integrations with platforms like Microsoft 365 or Google Workspace in your experience? I'd love to hear what you all think before we make any commitments to a tool.
5 Answers
A lot of tools work for the first few months, but interest often declines afterward. HoxHunt was effective for us mainly because they rotate scenarios regularly to keep things fresh; this way, users remain engaged and the training doesn’t stagnate. Engagement levels in click-and-report trends remained high much longer than with other tools.
From my experience, the effectiveness of the phishing simulation tool largely depends on its approach to changing behavior. We used to run aggressive attempts, but it only made users resentful and less compliant. After switching to tools like HoxHunt, which focuses on realistic scenarios and positive reinforcement, we saw much better engagement and reporting from users. It's a gradual process to shift habits, but a supportive environment yields better results in the long run.
We've been using KnowBe4 for a while, and it has made a real difference in behavior. I created an Outlook rule to filter their test emails, so I can easily flag them and help our IT team spot phishing attempts. While it can annoy users initially, it does improve caution over time. However, I also keep hearing good things about CheckPoint SAT for its integrated quizzes and training videos. Has anyone else had experience with that?
I’ve used CheckPoint, and overall it’s pretty user-friendly. The quizzes and simulations are well-received by employees, and they seem to enjoy the training.
I think the best results come from integrating simulation with robust security policies. Just counting on users to spot phishing after watching a couple of videos is a losing strategy. Ensure that when users do click on something, you aren’t making it easy for attackers. Implementing conditional access and risk-based authentication is crucial.
If you're using Microsoft 365, definitely check out the Defender attack simulation tool. It's improved a lot with the E5/P2 licensing. There's no need to rush into purchasing new software if you've already got something that works well!
Exactly! That was pretty much what I was going to recommend. Stick with what's already available, especially with the recent advancements.
+1! I've had good experiences with Defender.
Absolutely! Positive reinforcement makes all the difference. We switched our approach too; instead of punishing failed tests, we now show users what to look for after a simulation, which seems to work a lot better.