Skip to main content

Simulated phishing training tool

Phishing is one of the most common tactics employed by hackers, requiring little effort and generally preys on the less cyber-aware. It's also the most common way for organisations to suffer a cyber attack.

The simulated phishing training tool has been developed by NHS Digital’s Data Security Centre (DSC) to raise awareness of phishing emails amongst health and care staff. It has been created in response to the National Data Guardian’s review to raise public confidence in the security of their personal information. The simulation is available to organisations across the health and social care sector upon request.

The phishing training tool

The training tool involves a simulated phishing email being sent to targeted staff within your organisation. A link within the email will take them through to a training animation on how to spot the signs of a phishing attack, to increase their understanding of what to look out for in the future.

The phishing simulation will run for two weeks. After the simulation has finished we will provide you with a report to determine what actions your staff took when they received the email. We will also provide a link following the simulation to the training animation which you can share with your staff to improve their confidence in identifying a phishing email.

The service is only available to NHSmail organisations at the moment. We're piloting an additional service for non-NHSmail health and social care organisations - if you're interested in being part of this pilot, please contact for more information.

By choosing to use the simulated phishing training tool you will be agreeing that the DSC, Department of Health and Social Care (DHSC), Care Quality Commission (CQC), NHS Improvements and NHS England are updated on the statistics to gain an overall view of awareness across the health and social care sector. Personal email addresses will never be revealed.

Best practice recommends that organisations perform phishing simulations every six months. Your first phishing simulation will provide you with a baseline for how successful the simulation was, future simulations will allow you to identify how well your staff have performed against the initial baseline. To run an additional simulation please complete the request template

How to register your organisation to take part

If you feel that your organisation will benefit from a simulated phishing email, then fill in the request form template

Before you start

Before completing the request form you will need to provide some key information. Please have it ready before proceeding.

We will need you to:

  • upload a .csv file containing - as a minimum - the first name; last name and email addresses of those you want the simulated phishing campaign to be sent to.  You can supply a maximum of 5,000 names
  • A preferred start date for your campaign
  • contact details of two people with whom we will liaise to deliver the campaign
  • authorisation - the name, title and contact details of an authorising person who has approved delivery of the campaign within your organisation.

GDPR compliance

NHS Digital’s Data Security Centre acts as a data processor. We have direction (s.254 of Health & Social Care Act 2012) to process this information under the Health and Social Care Act 2012.  You can email us for further information. 

Last edited: 18 May 2020 1:29 pm