Reinforce training with continous mock phishing tests

Hackers are bypassing traditional perimeter security and going after the weak link - your users. They need to be trained and then tested to reinforce what they have learnt and to keep them on their toes, keeping security top of mind.

Bait and Phish offers administrators an easy to use, intuitive portal to create campaigns to test your users with real life phishing emails.

Campaigns can be set to target all of your users or a sub-group, for instance your Accounting department. They can be a one time campaign or continous, which we recommend to reinforce consistent behaviour. You can also select an individual template, group of templates or a random template for each user..

If your users click on one of these mock phishing emails they will be sent to a landing page which will provide them with a quick training message and will track and record who clicked the message so you can follow up with more training if necessary.

Our phishing reports will tell you who is clicking on emails, what they have clicked on and on ongoing campaigns you will see the number of people clicking going down over time.

Why use our simulated phishing tool?

UNLIMITED USE

Changing behviour requires frequent testing. Schedule and ongoing campaign to test your users with real life mock phishing emails. We recommend you set this for every two weeks.

RANDOM FUNCTIONALITY

Your phishing campaigns can use multiple templates with a random one going to each user. They can also be scheduled to deliver the emails over a number of days. This largely prevents people discussing the email and warning their colleagues to watch out for it, as well as minimizing the load on your email servers and the amount of calls to your helpdesk.

REAL WORLD PHISHING TEMPLATES

We have hundreds of ready-to-use real life phishing templates to use. These are added to on a regular basis to keep up with current events and trends. You can also easily create your own using our intuitive WYSIWYG.

IN-THE-MOMENT LEARNING

What happens when a user clicks on a link? You can assign them a variety of landing pages which have a brief teaching message. Users presented with immediate feedback on point of failure are much more willing to take notice which further reinforces future behaviour.

Modern attack pattern coverage

Templates are refreshed against current threats. Our library covers the post-2022 attack landscape that traditional phishing tools still miss.

Microsoft 365 attack patterns

Cloned login.microsoftonline.com sign-in pages, OAuth consent abuse, AiTM proxy lures, Teams external-chat attacks and SharePoint document-share lures. Three difficulty tiers.

Google Workspace patterns

Cloned accounts.google.com, OAuth consent abuse on Drive and Gmail scopes, fake share notifications and Google Voice vishing.

MFA-bypass and AiTM

Adversary-in-the-Middle reverse-proxy templates that simulate session-cookie-capture attacks. Trains URL-bar inspection over page-content recognition.

Callback phishing (TOAD)

Telephone-oriented attack delivery. Zero-link emails with phone-number lures (fake invoice, subscription renewal, refund offer). Bypasses URL-scanning gateways.

PhaaS-grade lures

Templates that mirror what current PhaaS platforms (Tycoon, EvilProxy, Greatness) generate. Updated as the threat landscape shifts.

AI-generated lures

Grammatically perfect, brand-accurate templates that retire the "check for typos" heuristic. Behavior-based recognition required.

Multi-channel coverage beyond email

Most platforms test email only. We test all three modern channels - QR-code phishing (quishing), deepfake vishing, Slack and Teams collaboration-tool lures - because attackers do.

More Features Of Our Phishing Service

Custom Campaigns

Create phishing campaigns or tests that target one or more individuals, groups you define (eg your HR department) or your entire user base. You have the option using a single template, group of templates or a random template choice.

Custom Phishing Templates

Apart from the hundreds of easy-to-use existing templates, you can customize scenarios based on personal information, creating targeted spear-phishing campaigns, which replace fields with personalized data.

Direct to Training

If users click on the simulated phishing email they can be redirected to a choice of landing pages with an education message and/or you can assign them an instant remedial training module.

Instant Notifications

Anytime a employee clicks a phishing link you can be notifited immediatly by email to begin coaching.

Reporting

View detailed records and charts of all activities including progress of users, campaigns and all click events. Track paired click rate AND report rate trends over rolling 12 months - the metric pair cyber-insurance underwriters and SOC 2 auditors now ask about. You will also know whether employees fell for an attack through a mobile phone, a tablet or a computer; the browsers they were using; and their locations when they fell for the attack.

Schedule Campaigns

Administrators can schedule your phishing tests for one-time, weekly, bi-weekly or monthly attacks. Our recommendation is to schedule regular (every 2 weeks) tests to your entire user base to keep them on their toes and to re-inforce best practices when dealing with phishing attacks.

REQUEST A FREE PHISHING CAMPAIGN

Featured Reading

The pillar guides that pair with simulated phishing program design and operation.

Phishing Trends 2026 - the seven attack patterns shaping 2026 simulation-program design.
2026 Phishing Simulation Industry Report - click-rate benchmarks, attack-vector trends and compliance adoption synthesis.
Phishing Simulation Maturity Model - 5-tier framework for program-design decisions.
90-Day Phishing Program Rollout Plan - day-by-day operational sequence from zero to evidence-bearing program.
Phishing Simulation Whitelisting Guide - exact Microsoft 365 Defender, Google Workspace, Mimecast and Proofpoint allow-list values.
What Cyber Insurers Ask About Phishing Training - the 9-question 2026 renewal application reference.
View all pillar guides & the full blog index ->