Tags: Phishing, Social Engineering, Security Awareness

Inside a Phishing Simulation: Lessons from the Mastercard Job Sim

Feb 15, 2025 · 7 min read

What is a Phishing Simulation?

Phishing simulations are controlled exercises in which the security team sends realistic but harmless phishing emails to employees to measure their awareness and identify training gaps. They are one of the most effective tools in a security awareness program because they measure real behaviour rather than self-reported knowledge.

The Mastercard Job Simulation

As part of the Mastercard Cybersecurity Job Simulation on Forage, I was tasked with:

  1. Designing a phishing email that would realistically target employees
  2. Analyzing the results of the simulation campaign
  3. Identifying which departments were most susceptible
  4. Recommending training based on the findings

Designing the Phishing Email

A convincing phishing email needs to:

  • Create urgency — "Your account will be suspended in 24 hours"
  • Appear legitimate — matching branding, sender addresses, and formatting
  • Include a clear call-to-action — a link to a fake login page
  • Exploit trust — impersonating IT, HR, or management

Analyzing Results

After the simulation, the key metrics to analyze are:

Metric                 What It Tells You
Open rate              How many employees opened the email
Click rate             How many clicked the malicious link
Credential submission  How many entered their credentials
Report rate            How many reported the suspicious email
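Once the simulation platform exports a per-recipient outcome, the four metrics above can be computed per department to answer the "which departments were most susceptible" question. This is an added example, not code from the original post or from the Forage simulation; the record layout and the sample outcomes are constructed, and the consistency check assumes the usual open → click → submit funnel.

```python
from collections import defaultdict

# Fields of each record after the department name, in order.
FIELDS = ("opened", "clicked", "submitted", "reported")

# Constructed sample outcomes (one tuple per employee); not data from the Forage
# simulation. Layout: (department, opened, clicked, submitted, reported)
SAMPLE_RESULTS = [
    ("Finance", True, True, True, False),
    ("Finance", True, True, False, False),
    ("Finance", True, False, False, True),
    ("Finance", False, False, False, False),
    ("Engineering", True, False, False, True),
    ("Engineering", True, False, False, True),
    ("Engineering", True, True, False, False),
    ("Engineering", False, False, False, False),
    ("HR", True, True, True, False),
    ("HR", True, True, True, False),
    ("HR", True, True, False, True),
    ("HR", True, False, False, False),
]

def inconsistent_records(results):
    """Records whose funnel stages contradict each other (a submission without
    a click, or a click without an open); usually a logging fault in the
    simulation platform, and worth excluding before trusting the rates."""
    return [r for r in results
            if (r[3] and not r[2]) or (r[2] and not r[1])]

def campaign_metrics(results):
    """Per-department open, click, credential-submission and report rates."""
    counts = defaultdict(lambda: {"total": 0, **{f: 0 for f in FIELDS}})
    for dept, *flags in results:
        counts[dept]["total"] += 1
        for name, hit in zip(FIELDS, flags):
            counts[dept][name] += int(hit)
    return {dept: {f"{name}_rate": c[name] / c["total"] for name in FIELDS}
            for dept, c in counts.items()}

def most_susceptible(metrics):
    """Departments ranked by credential-submission rate, then click rate."""
    return sorted(metrics, reverse=True,
                  key=lambda d: (metrics[d]["submitted_rate"], metrics[d]["clicked_rate"]))

if __name__ == "__main__":
    metrics = campaign_metrics(SAMPLE_RESULTS)
    for dept in most_susceptible(metrics):
        print(dept, metrics[dept])
```

Ranking on credential submission before click rate matters because a department that clicks but stops at the login page has already absorbed part of the training; the submitters are where the next round should focus.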

Key Takeaways

  • Technical controls alone are not enough — human awareness is critical
  • Regular, targeted training significantly reduces click rates over time
  • The most effective phishing emails exploit current events and emotions

Thierry Nimubona

Aspiring Cybersecurity Expert