# Phishing Simulation Message Pack

**A complete, ready-to-deploy toolkit for running safe, ethical phishing simulations.**

---

## What's Inside

| Section | Contents |
|---------|----------|
| **Templates** | 40+ realistic phishing email templates across 3 difficulty tiers (Easy, Medium, Hard) |
| **Landing Pages** | 10 educational landing pages that teach immediately after a click — no credential harvesting |
| **Microlearning** | 5-minute debrief module (markdown + HTML) on recognizing phishing red flags |
| **Manager Script** | Conversation guide for supporting repeat clickers with coaching, not punishment |

---

## Bundle Overview

### Templates (`/templates`)

**Easy (15 templates)** — Obvious red flags, good for baseline training
- Generic greetings, poor formatting, suspicious sender addresses
- High expected click-through; teaches the fundamentals

**Medium (15 templates)** — Realistic scenarios with subtle red flags
- Professional formatting, legitimate business context
- Target departments (finance, HR, IT)
- Click-through: 15–30%

**Hard (10 templates)** — Expert-crafted, very realistic attacks
- Spoofed internal domain variations, plausible urgency
- Executive impersonation, sophisticated social engineering
- Click-through: 5–15%

### Landing Pages (`/landing-pages`)

When a user clicks a phishing email, they land on a safe educational page:

1. **Friendly Coaching** — Generic "you clicked, here's what to learn" (all scenarios)
2. **Red Flags Breakdown** — Specific red flags from *this* email
3. **Password Safety** — For password-reset phishing
4. **MFA Education** — For MFA/2FA phishing
5. **Invoice Scam Guide** — For vendor phishing
6. **HR Lure Awareness** — For HR/benefits phishing
7. **Reporting Reminder** — Encourage phishing reports
8. **Package Delivery** — For package/shipping phishing
9. **AI Tool Security** — For AI platform phishing
10. **Social Engineering** — For advanced manipulation tactics

Each page includes:
- Recognition message (supportive, no shame)
- Red flags explained
- 3 key takeaways
- Report button / contact info
- Links to deeper resources

### Debrief Module (`/debrief`)

A short, engaging microlearning module:
- **Debrief.md** — Markdown source
- **Debrief.html** — Standalone HTML (playable in browser)

Topics:
- Why phishing still works
- The psychology of urgency and trust
- How to spot red flags (email, sender, links)
- When and how to report
- Building lasting awareness habits

**Runtime:** ~5 minutes

### Repeat Clicker Manager Script (`/repeat-clicker-manager-script.md`)

A conversation guide for managers supporting employees who click multiple times:
- Opening (non-punitive, supportive tone)
- Diagnostic questions (is it distraction? knowledge gap? something else?)
- Three support paths (additional training, 1-on-1 coaching, resources)
- Closing (reinforce learning, offer ongoing support)

---

## Licensing & Customization

**Single-organization license** — Unlimited campaigns within one company.

**Editable placeholders** throughout:
- `{{company}}` — Your organization name (default: "your company")
- `{{team}}` — Your security team name (default: "your security team")
- `{{reportingEmail}}` — Where to report phishing (default: "your security team")

Replace these at deployment and the entire bundle is personalized.
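The placeholder substitution described above, as an added example that is not part of the pack itself: a small Python script that walks the bundle, replaces `{{company}}`, `{{team}}` and `{{reportingEmail}}` (falling back to the defaults listed above), and reports any file that still contains a placeholder so a campaign is never sent with a literal `{{company}}` in it. The sample template text, the `{{vendorName}}` token and the `demo()` directory layout are constructed for illustration; the only assumption about the pack is that templates and landing pages are `.md`/`.html` files under the bundle root and that `README.md` should be left alone.

```python
import re
import tempfile
from pathlib import Path

# Default values for each placeholder, as documented in this README.
DEFAULTS = {
    "company": "your company",
    "team": "your security team",
    "reportingEmail": "your security team",
}

# Matches {{name}} with optional inner whitespace, e.g. {{company}} or {{ team }}.
TOKEN_RE = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def personalize(text, values=None):
    """Replace known placeholders; unknown tokens are left untouched so they show up in the report."""
    merged = {**DEFAULTS, **(values or {})}

    def substitute(match):
        return merged.get(match.group(1), match.group(0))

    return TOKEN_RE.sub(substitute, text)


def find_unreplaced(text):
    """Return the sorted set of placeholder names still present after substitution."""
    return sorted(set(TOKEN_RE.findall(text)))


def personalize_bundle(root, values, suffixes=(".md", ".html"), skip=("README.md",)):
    """Rewrite every template/landing page under root in place.

    Returns {relative_path: [leftover tokens]} for files that still contain
    placeholders after substitution (an empty dict means the bundle is clean).
    """
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes or path.name in skip:
            continue
        updated = personalize(path.read_text(encoding="utf-8"), values)
        path.write_text(updated, encoding="utf-8")
        leftover = find_unreplaced(updated)
        if leftover:
            report[path.relative_to(root).as_posix()] = leftover
    return report


# Constructed sample template (not one of the pack's templates) used by demo().
SAMPLE_TEMPLATE = (
    "Subject: Action required\n\n"
    "Hello,\n\n{{team}} at {{company}} has noticed unusual activity on your account.\n"
    "If you believe this message is suspicious, forward it to {{reportingEmail}}.\n"
    "{{vendorName}} will follow up.\n"  # deliberately unknown token: must be reported, not silently dropped
)


def demo():
    """Build a throwaway bundle, personalize it, and return (report, personalized text, readme text)."""
    values = {"company": "Acme Corp", "reportingEmail": "phish@acme.example"}
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "phishing-simulation-message-pack"
        (bundle / "templates" / "easy").mkdir(parents=True)
        # README.md documents the placeholders and must not be rewritten.
        (bundle / "README.md").write_text("Use {{company}} here.", encoding="utf-8")
        template = bundle / "templates" / "easy" / "01-sample.md"
        template.write_text(SAMPLE_TEMPLATE, encoding="utf-8")
        report = personalize_bundle(bundle, values)
        personalized = template.read_text(encoding="utf-8")
        readme = (bundle / "README.md").read_text(encoding="utf-8")
    return report, personalized, readme


if __name__ == "__main__":
    leftover_report, text, _ = demo()
    print(text)
    print("files with leftover placeholders:", leftover_report)
```

Run it against a copy of the bundle rather than the original so the pristine templates survive for the next campaign; anything listed in the returned report is a token you have not supplied a value for.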

**No credential harvesting** — All landing pages are educational only. No forms capture passwords or sensitive data.

**Approved use only** — This toolkit is for authorized, internal security awareness training. Requires Legal, HR, and Compliance sign-off before deployment.

---

## Quickstart for Buyers

1. **Review the templates** in `/templates/` — read a few from each tier.
2. **Choose your tier focus** — start with Easy if new to simulations, Medium if experienced, Hard for mature programs.
3. **Customize placeholders** — replace `{{company}}`, `{{team}}`, `{{reportingEmail}}` with your values.
4. **Review with Legal/HR/Compliance** — ensure simulations align with your employee relations and privacy policies.
5. **Pick landing pages** — map each template to a corresponding landing page (guidance in each template file).
6. **Use the manager script** — brief managers before launch; coach repeat clickers after.
7. **Deploy the debrief module** — as post-click education or standalone training.

---

## File Structure

```
phishing-simulation-message-pack/
├── README.md (this file)
├── templates/
│   ├── easy/
│   │   ├── 01-password-expiration.md
│   │   ├── 02-generic-package-delivery.md
│   │   └── ... (13 more)
│   ├── medium/
│   │   ├── 01-suspicious-login-alert.md
│   │   ├── 02-invoice-correction.md
│   │   └── ... (13 more)
│   └── hard/
│       ├── 01-executive-password-request.md
│       ├── 02-sophisticated-document-share.md
│       └── ... (8 more)
├── landing-pages/
│   ├── 01-friendly-coaching.html
│   ├── 02-red-flags-breakdown.html
│   └── ... (8 more)
├── debrief/
│   ├── debrief.md
│   └── debrief.html
└── repeat-clicker-manager-script.md
```

---

## Red Flags & Templates

Each template includes:
- **Sender Name & Email** — What appears in the inbox
- **Subject Line** — Email subject
- **Body** — Full email text (with `{{tokens}}` for customization)
- **Red Flags Tested** — What red flags should employees spot?
- **Difficulty Tier** — Easy / Medium / Hard
- **Recommended Landing Page** — Which page to show after a click
- **Customization Notes** — How to adapt for your organization

---

## Implementation Notes

**No real malware, exploits, or credential capture** — all templates use safe placeholders and landing pages are educational only.
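A way to verify the "no credential capture" property before deployment, added here as an example and not part of the pack: a Python audit that parses each landing page with the standard-library `HTMLParser` and flags any `<form>`, any password field, and any text-style input whose name suggests a credential or identity, while also confirming a `mailto:` report link is present. The two sample pages are constructed for illustration (the harvesting one is what a customized page must never look like); the `landing-pages/*.html` layout is taken from the file structure above.

```python
from html.parser import HTMLParser
from pathlib import Path

# Input types that can carry something a user types; submit/button/hidden are not flagged.
SENSITIVE_INPUT_TYPES = {"password", "text", "email", "tel", "number", "search", "url", ""}
SENSITIVE_NAME_HINTS = ("pass", "pwd", "user", "login", "email", "otp", "mfa", "code", "ssn", "card")


class LandingPageAuditor(HTMLParser):
    """Collects anything on an educational landing page that could capture user input."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.has_report_link = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.findings.append(f"<form> posting to {a.get('action') or '(same page)'}")
        elif tag in ("input", "textarea"):
            itype = a.get("type", "").lower() if tag == "input" else "text"
            name = (a.get("name") or a.get("id") or "").lower()
            if itype == "password":
                self.findings.append(f"password field '{name}'")
            elif itype in SENSITIVE_INPUT_TYPES and any(h in name for h in SENSITIVE_NAME_HINTS):
                self.findings.append(f"{itype or 'text'} field '{name}' looks like a credential/identity field")
        elif tag == "a" and a.get("href", "").lower().startswith("mailto:"):
            self.has_report_link = True


def audit_landing_page(html):
    """Return the audit result for one page; ok is True only when nothing could capture input."""
    parser = LandingPageAuditor()
    parser.feed(html)
    parser.close()
    return {"findings": parser.findings, "has_report_link": parser.has_report_link, "ok": not parser.findings}


def audit_directory(root):
    """Audit every landing-pages/*.html under the bundle root; returns {filename: result}."""
    return {
        path.name: audit_landing_page(path.read_text(encoding="utf-8"))
        for path in sorted((Path(root) / "landing-pages").glob("*.html"))
    }


# Constructed sample pages (not from the pack).
CLEAN_PAGE = """<!doctype html><html><body>
<h1>You clicked a simulated phishing link</h1>
<p>No data was collected. Here is what to look for next time.</p>
<a href="mailto:{{reportingEmail}}">Report suspicious email</a>
</body></html>"""

HARVESTING_PAGE = """<html><body>
<form action="https://collector.example/login" method="post">
  <input type="email" name="username">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>
</body></html>"""


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("harvesting", HARVESTING_PAGE)):
        result = audit_landing_page(page)
        print(label, "ok" if result["ok"] else "FAIL", result["findings"], "report link:", result["has_report_link"])
```

Run `audit_directory` over the customized bundle as a gate in whatever script deploys the pages; a non-empty findings list on any page means someone edited an educational page into a capture form and the campaign should not go out.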

**Generic scenarios only** — no impersonation of specific real companies (we use "Acme Corp," "Generic Bank," etc.). Templates are realistic but don't target specific vendors you use.

**Approval required** — Before running any campaign, get written sign-off from:
- Legal (liability, terms)
- HR (employee relations)
- Compliance (regulatory alignment)
- Privacy/DPO (data handling)
- {{team}} lead (campaign design)

**Post-campaign support** — After employees click, immediately provide:
1. Landing page education (automatic redirect)
2. Manager briefing (use the manager script)
3. Optional deeper training (use the debrief module)
4. Repeat clicker coaching (see manager script)

---

## Disclaimer

This toolkit is for **authorized, internal security awareness training only**. Your organization must:

- Obtain written approval from Legal, HR, Compliance, and Privacy before deployment
- Notify employees that simulations are coming (optional but recommended)
- Provide immediate support/education after clicks (landing pages + follow-up)
- Support repeat clickers with coaching, not punishment
- Comply with all local privacy and employment laws
- Document all approvals and campaign results

**By using this toolkit, your organization assumes all liability** for:
- Employee relations impact
- Legal/regulatory compliance
- Data privacy and protection
- Business decisions based on campaign results

---

## Support

For questions about:
- **Template adaptation** — see customization notes in each template file
- **Landing page personalization** — see HTML comments in each page file
- **Manager conversations** — see `repeat-clicker-manager-script.md`
- **Deployment strategy** — consult with your {{team}} and Legal

---

**Version:** 1.0 | **Customizable** | **Approved Use Only**

Ready to build awareness? Start by picking 3–5 templates from `/templates/easy/`, customize them, and run your first campaign. 🎯
