ForgeAwareness

Phishing Simulation Message Pack

31 ready-to-customize phishing templates across 3 difficulty tiers, plus a 5-minute debrief, manager coaching script, and 10 educational landing pages.



A complete, ready-to-deploy toolkit for running safe, ethical phishing simulations.


What's Inside

| Section | Contents |
| --- | --- |
| Templates | 40+ realistic phishing email templates across 3 difficulty tiers (Easy, Medium, Hard) |
| Landing Pages | 10 educational landing pages that teach immediately after a click — no credential harvesting |
| Microlearning | 5-minute debrief module (markdown + HTML) on recognizing phishing red flags |
| Manager Script | Conversation guide for supporting repeat clickers with coaching, not punishment |

Bundle Overview

Templates (/templates)

Easy (15 templates) — Obvious red flags, good for baseline training

  • Generic greetings, poor formatting, suspicious sender addresses
  • High click-through expectations, teaches fundamentals

Medium (15 templates) — Realistic scenarios with subtle red flags

  • Professional formatting, legitimate business context
  • Target departments (finance, HR, IT)
  • Click-through: 15–30%

Hard (10 templates) — Expert-crafted, very realistic attacks

  • Spoofed internal domain variations, plausible urgency
  • Executive impersonation, sophisticated social engineering
  • Click-through: 5–15%

Landing Pages (/landing-pages)

When a user clicks a phishing email, they land on a safe educational page:

  1. Friendly Coaching — Generic "you clicked, here's what to learn" (all scenarios)
  2. Red Flags Breakdown — Specific red flags from this email
  3. Password Safety — For password-reset phishing
  4. MFA Education — For MFA/2FA phishing
  5. Invoice Scam Guide — For vendor phishing
  6. HR Lure Awareness — For HR/benefits phishing
  7. Reporting Reminder — Encourage phishing reports
  8. Package Delivery — For package/shipping phishing
  9. AI Tool Security — For AI platform phishing
  10. Social Engineering — For advanced manipulation tactics

Each page includes:

  • Recognition message (supportive, no shame)
  • Red flags explained
  • 3 key takeaways
  • Report button / contact info
  • Links to deeper resources

Debrief Module (/debrief)

A short, engaging microlearning module:

  • Debrief.md — Markdown source
  • Debrief.html — Standalone HTML (playable in browser)

Topics:

  • Why phishing still works
  • The psychology of urgency and trust
  • How to spot red flags (email, sender, links)
  • When and how to report
  • Building lasting awareness habits

Runtime: ~5 minutes

Repeat Clicker Manager Script (/repeat-clicker-manager-script.md)

A conversation guide for managers supporting employees who click multiple times:

  • Opening (non-punitive, supportive tone)
  • Diagnostic questions (is it distraction? knowledge gap? something else?)
  • Three support paths (additional training, 1-on-1 coaching, resources)
  • Closing (reinforce learning, offer ongoing support)

Licensing & Customization

Single-organization license — Unlimited campaigns within one company.

Editable placeholders throughout:

  • {{company}} — Your organization name (default: "your company")
  • {{team}} — Your security team name (default: "your security team")
  • {{reportingEmail}} — Where to report phishing (default: "your security team")

Replace these at deployment and the entire bundle personalizes.

No credential harvesting — All landing pages are educational only. No forms capture passwords or sensitive data.

Approved use only — This toolkit is for authorized, internal security awareness training. Requires Legal, HR, and Compliance sign-off before deployment.
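
A pre-deployment check for the two claims above (placeholders are filled everywhere, and landing pages collect no input), written as an added example; it is not code shipped with the pack. The sample pages, the values, the {{helpdesk}} token and the rule that no form, input, textarea or select element belongs on a landing page are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

TOKEN_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")
INPUT_TAGS = {"form", "input", "textarea", "select"}  # assumed policy: none allowed

def render(text, values, html_page=False):
    """Fill {{token}} placeholders; return (rendered_text, sorted unresolved names)."""
    unresolved = set()
    def fill(match):
        name = match.group(1)
        if name not in values:
            unresolved.add(name)
            return match.group(0)  # leave it visible so the audit reports it
        # Escape values going into HTML so a name like "A & B" cannot break markup.
        return html.escape(values[name]) if html_page else values[name]
    return TOKEN_RE.sub(fill, text), sorted(unresolved)

class InputElementFinder(HTMLParser):
    """Record every element able to collect user input, with its line number."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        if tag in INPUT_TAGS:
            self.found.append((tag, self.getpos()[0]))

def audit_landing_page(page, values):
    """Render one landing page and report leftover tokens and input elements."""
    rendered, unresolved = render(page, values, html_page=True)
    finder = InputElementFinder()
    finder.feed(rendered)
    finder.close()
    return {"rendered": rendered, "unresolved": unresolved,
            "input_elements": finder.found,
            "ok": not unresolved and not finder.found}

# Constructed sample data (not taken from the pack).
VALUES = {"company": "Example & Co", "team": "Security Awareness",
          "reportingEmail": "phish-report@example.test"}
CLEAN_PAGE = """<html><body>
<h1>This was a simulation from {{team}} at {{company}}</h1>
<p>Report to <a href="mailto:{{reportingEmail}}">{{reportingEmail}}</a>.</p>
</body></html>"""
BAD_PAGE = """<html><body>
<p>Contact {{helpdesk}} for help.</p>
<form action="/submit">
<input type="password" name="pw">
</form></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("bad", BAD_PAGE)):
        r = audit_landing_page(page, VALUES)
        print(name, r["ok"], r["unresolved"], r["input_elements"])
```

Run it over every file in /landing-pages after customization and block the campaign if any page reports ok as False.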


Quickstart for Buyers

  1. Review the templates in /templates/ — read a few from each tier.
  2. Choose your tier focus — start with Easy if new to simulations, Medium if experienced, Hard for mature programs.
  3. Customize placeholders — replace {{company}}, {{team}}, {{reportingEmail}} with your values.
  4. Review with Legal/HR/Compliance — ensure simulations align with your employee relations and privacy policies.
  5. Pick landing pages — map each template to a corresponding landing page (guidance in each template file).
  6. Use the manager script — brief managers before launch; coach repeat clickers after.
  7. Deploy the debrief module — as post-click education or standalone training.

File Structure

phishing-simulation-message-pack/
├── README.md (this file)
├── templates/
│   ├── easy/
│   │   ├── 01-password-expiration.md
│   │   ├── 02-generic-package-delivery.md
│   │   └── ... (13 more)
│   ├── medium/
│   │   ├── 01-suspicious-login-alert.md
│   │   ├── 02-invoice-correction.md
│   │   └── ... (13 more)
│   └── hard/
│       ├── 01-executive-password-request.md
│       ├── 02-sophisticated-document-share.md
│       └── ... (8 more)
├── landing-pages/
│   ├── 01-friendly-coaching.html
│   ├── 02-red-flags-breakdown.html
│   └── ... (8 more)
├── debrief/
│   ├── debrief.md
│   └── debrief.html
└── repeat-clicker-manager-script.md

Red Flags & Templates

Each template includes:

  • Sender Name & Email — What appears in the inbox
  • Subject Line — Email subject
  • Body — Full email text (with {{tokens}} for customization)
  • Red Flags Tested — What red flags should employees spot?
  • Difficulty Tier — Easy / Medium / Hard
  • Recommended Landing Page — Which page to show after a click
  • Customization Notes — How to adapt for your organization

Implementation Notes

No real malware, exploits, or credential capture — all templates use safe placeholders and landing pages are educational only.

Generic scenarios only — no impersonation of specific real companies (we use "Acme Corp," "Generic Bank," etc.). Templates are realistic but don't target specific vendors you use.

Approval required — Before running any campaign, get written sign-off from:

  • Legal (liability, terms)
  • HR (employee relations)
  • Compliance (regulatory alignment)
  • Privacy/DPO (data handling)
  • {{team}} lead (campaign design)

Post-campaign support — After employees click, immediately provide:

  1. Landing page education (automatic redirect)
  2. Manager briefing (use the manager script)
  3. Optional deeper training (use the debrief module)
  4. Repeat clicker coaching (see manager script)

Disclaimer

This toolkit is for authorized, internal security awareness training only. Your organization must:

  • Obtain written approval from Legal, HR, Compliance, and Privacy before deployment
  • Notify employees that simulations are coming (optional but recommended)
  • Provide immediate support/education after clicks (landing pages + follow-up)
  • Support repeat clickers with coaching, not punishment
  • Comply with all local privacy and employment laws
  • Document all approvals and campaign results

By using this toolkit, your organization assumes all liability for:

  • Employee relations impact
  • Legal/regulatory compliance
  • Data privacy and protection
  • Business decisions based on campaign results

Support

For questions about:

  • Template adaptation — see customization notes in each template file
  • Landing page personalization — see HTML comments in each page file
  • Manager conversations — see the repeat-clicker-manager-script.md
  • Deployment strategy — consult with your {{team}} and Legal

Version: 1.0 | Customizable | Approved Use Only

Ready to build awareness? Start by picking 3–5 templates from /templates/easy/, customize them, and run your first campaign. 🎯