NHS simulated phishing service

Phishing is one of the most common tactics employed by hackers. It requires little effort and generally preys on the less cyber-aware. It's also the most common way for organisations to suffer a cyber attack.

About the phishing training

Our simulated phishing training has been developed to raise awareness of phishing emails amongst NHS Staff. It's been created in response to the National Data Guardian’s review to raise public confidence in the security of their personal information.

The training is available upon request to NHS organisations using NHSMail and NHS.uk domains.


How it works

The training consists of a simulated phishing email, which is sent to up to 15,000 staff within your organisation. A link within the email will take them through to an animation on how to spot the signs of a phishing attack, to increase their understanding of what to look out for in the future.

We offer a range of 10 email templates for you to choose from per campaign – these are refreshed every 3 months.

We can stagger the release of the phishing email across the 2-week campaign, to minimise impact on your service desk and avoid suspicion amongst your workforce.

After the simulation has finished, we will provide you with a report on the actions your staff took. We will also provide a link to the animation, which you can share with your staff.

Best practice recommends that organisations perform phishing simulations regularly. Your first phishing simulation will provide you with a baseline for how successful the simulation was. Future simulations will allow you to identify how well your staff have performed against the initial baseline.

NHS Digital is the service provider for the NHS Simulated Phishing Service. Responsibility for local communication of the phishing campaign should be managed by the organisation.

View the full user journey.


How to register

Complete this form to request a simulated phishing campaign. Once submitted, a member of our team will be in touch to discuss your requirements.

If you have any questions, or would like to reach out to the team before submitting a request, please contact [email protected].


GDPR compliance

NHS Digital’s Data Security Centre acts as a data processor. We have direction (s.254 of Health & Social Care Act 2012) to process this information under the Health and Social Care Act 2012. You can email us at [email protected] for further information.


How this service aligns with the Cyber Assessment Framework

This service aligns to the following principles and outcomes of the Cyber Assessment Framework (CAF).

Objective A: Managing security risk

A1.a You have effective organisational security management led at board level and articulated clearly in corresponding policies

Objective D: Minimising the impact of cyber security incidents

D1.c Your organisation carries out exercises to test response plans, using past incidents that affected your (and other) organisation, and scenarios that draw on threat intelligence and your risk assessment.

Last edited: 15 November 2023 2:44 pm