Simulated phishing training tool
Phishing is one of the most common tactics employed by hackers: it requires little effort and generally preys on the less cyber-aware. It's also the most common way for organisations to suffer a cyber attack.
Important announcement
We are moving to a new phishing simulation product designed to enhance the quality and efficiency of the service we provide. This includes:
- future capability to expand campaigns to cover teams phishing and malware links
- improved templates tailored to the NHS, and other relevant templates
- better reporting capabilities
- increased training capabilities
- alignment to the NHS.net Connect strategy and the benefits this will bring. For more information see NHS.net Connect.
As part of this, it is necessary for us to pause, as we have had a significant increase in demand for this service. New requests will be placed on hold while we reduce the backlog prior to transition.
What you need to do
NHS.net users
Continue to log your request in the usual way by creating a ticket.
NHS.uk users
The scope of the service will change to target NHS.net Connect users only. Please note, to use this service and take advantage of a centrally provided service, you will need to transition to NHS.net Connect. For more information, see NHS.net Connect.
If you do not transition to NHS.net Connect, you will need to source and fund your own phishing service.
We appreciate your patience and understanding as we work to implement these improvements.
About the phishing training
Our simulated phishing training has been developed to raise awareness of phishing emails amongst NHS staff. It's been created in response to the National Data Guardian’s review to raise public confidence in the security of their personal information.
The training is available upon request to NHS organisations using NHSmail and NHS.uk domains.
How it works
The training consists of a simulated phishing email, which is sent to up to 15,000 staff within your organisation. A link within the email will take them through to an animation on how to spot the signs of a phishing attack, to increase their understanding of what to look out for in the future.
We offer a range of 10 email templates for you to choose from per campaign – these are refreshed every 3 months.
We can stagger the release of the phishing email across the 2-week campaign, to minimise impact on your service desk and avoid suspicion amongst your workforce.
After the simulation has finished, we will provide you with a report on the actions your staff took. We will also provide a link to the animation, which you can share with your staff.
Best practice recommends that organisations perform phishing simulations regularly. Your first phishing simulation will provide you with a baseline for how successful the simulation was. Future simulations will allow you to identify how well your staff have performed against the initial baseline.
NHS England is the service provider for the NHS Simulated Phishing Service. Responsibility for local communication of the phishing campaign should be managed by the organisation.
How to register
Complete this form to request a simulated phishing campaign. Once submitted, a member of our team will be in touch to discuss your requirements.
If you have any questions, or would like to reach out to the team before submitting a request, please contact [email protected]
GDPR compliance
NHS England's Data Security Centre acts as a data processor. We have direction (s.254 of Health and Social Care Act 2012) to process this information under the Health and Social Care Act 2012. You can email us at [email protected] for further information.
How this service aligns with the Cyber Assessment Framework
This service aligns to the following principles and outcomes of the Cyber Assessment Framework (CAF).
Objective A: Managing security risk
A1.a You have effective organisational security management led at board level and articulated clearly in corresponding policies
Objective D: Minimising the impact of cyber security incidents
D1.c Your organisation carries out exercises to test response plans, using past incidents that affected your (and other) organisation, and scenarios that draw on threat intelligence and your risk assessment.
Last edited: 8 September 2025 11:37 am