Cybersecurity Awareness Month: 3 Simulations that Reveal the Human Weaknesses in Your Security Posture
October is Cybersecurity Awareness Month, which highlights the importance of the human factor in security. Simulated attacks such as phishing emails, AI voice scams and insider-threat drills identify risky employee behaviour. These tests help organizations evaluate the effectiveness of security training, demonstrate the importance of following procedures, and make employees part of the security solution. Signs of success include proactive reporting, policy compliance, healthy skepticism and a collaborative culture. 2025-10-06 19:32:00 Author: www.guidepointsecurity.com

October is Cybersecurity Awareness Month (CAM). GuidePoint Security is proud to join the national effort, championed by the US National Cybersecurity Alliance (NCA) in collaboration with the Cybersecurity & Infrastructure Security Agency (CISA), to amplify essential cybersecurity practices under the 2025 themes: Stay Safe Online and Building a Cyber Strong America.

In this part of our CAM series, we’re looking at how the decisions of an individual worker can make or break an organization’s security posture. Malicious actors target the people at the keyboards for one reason: it works. Even highly trained employees still click links, believe text messages, and fall for deepfakes, opening the doors for attackers.

The human factor is a significant corporate risk, despite improvements in awareness training. 

Threat and Attack Simulation (TAS) exercises serve as a critical evaluation step that helps organizations identify patterns of risky employee behavior. When you involve your workforce in tabletop exercises and security testing, you: 

  • Determine the effectiveness of your security training 
  • Demonstrate the critical importance of following procedures and adhering to policies
  • Show your employees how they can become part of the security solution

Here are three practical exercises your security team can run to reveal the human weaknesses in your security posture.

Phishing & Spear‑phishing Simulations

A phishing attack is one of the most common attack vectors that leads to a breach. Simulated phishing emails and texts put your employees’ awareness to the test.

To run this exercise, you can either stand up an internal red team, or consult with a trusted vendor. Employees who handle sensitive information, like HR staff, executives, or legal teams, make good test subjects for this simulation. However, every employee is at risk, so broader tests are a good idea, too. Make your phishing messages believable. Add fake invoices, calendar invites, and urgent requests. You’ll also want to include links to phishing forms or attachments that mimic what an attacker might use. Note: do not save or store credentials on your test forms, and make sure that all data transmissions are encrypted!

As the test unfolds, track how employees respond in an anonymous way. Record how many opened the emails, clicked links, or downloaded attachments. Count how many users entered information on your simulated form. Record phishing reporting statistics, including how many reports your IT team received and the mean time between message receipt and reporting. Measuring these metrics pinpoints where awareness is strong or weak while also giving your team a safe environment to learn how to respond to phishing attempts before a real attack happens.
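The metrics described above can be computed from the simulation platform's event log without ever naming who fell for the lure. The following is an added example (not GuidePoint's tooling); it assumes a constructed log of pseudonymous recipient ids and event timestamps, and returns only campaign-level counts, rates and the mean delivery-to-report time.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log from a simulated campaign (not real data). Each row is
# (pseudonymous recipient id, event, ISO timestamp). The ids are opaque tokens
# issued by the platform, so the resulting report never identifies a person.
EVENTS = [
    ("r01", "delivered", "2025-10-06T09:00:00"), ("r01", "opened", "2025-10-06T09:04:00"),
    ("r01", "clicked", "2025-10-06T09:05:00"),   ("r01", "submitted", "2025-10-06T09:06:00"),
    ("r02", "delivered", "2025-10-06T09:00:00"), ("r02", "opened", "2025-10-06T09:10:00"),
    ("r02", "reported", "2025-10-06T09:12:00"),
    ("r03", "delivered", "2025-10-06T09:00:00"), ("r03", "opened", "2025-10-06T09:30:00"),
    ("r03", "clicked", "2025-10-06T09:31:00"),   ("r03", "reported", "2025-10-06T09:40:00"),
    ("r04", "delivered", "2025-10-06T09:00:00"),
]

FUNNEL = ("delivered", "opened", "clicked", "submitted", "reported")

def campaign_metrics(events):
    """Aggregate per-recipient events into campaign-level counts and rates.

    The per-recipient table is local to this function and the returned dict
    contains no ids: the report is counts only, which keeps results anonymous.
    """
    per_recipient = defaultdict(dict)
    for rid, event, ts in events:
        when = datetime.fromisoformat(ts)
        # keep the earliest occurrence of each event type per recipient
        per_recipient[rid][event] = min(per_recipient[rid].get(event, when), when)

    counts = {e: sum(1 for r in per_recipient.values() if e in r) for e in FUNNEL}
    delivered = counts["delivered"] or 1
    rates = {f"{e}_rate": round(counts[e] / delivered, 3) for e in FUNNEL[1:]}

    # mean minutes from delivery to report, over recipients who reported
    lags = [(r["reported"] - r["delivered"]).total_seconds() / 60
            for r in per_recipient.values() if "reported" in r and "delivered" in r]
    # recipients who clicked and then reported anyway: a sign training is working
    clicked_then_reported = sum(1 for r in per_recipient.values()
                                if "clicked" in r and "reported" in r)
    return {**counts, **rates,
            "mean_minutes_to_report": round(mean(lags), 1) if lags else None,
            "clicked_then_reported": clicked_then_reported}

if __name__ == "__main__":
    for key, value in campaign_metrics(EVENTS).items():
        print(f"{key:>24}: {value}")
```

Running it on the constructed log gives a 50% click rate, a 25% submission rate, a 50% report rate and a mean time-to-report of 26 minutes; repeat the computation per campaign to see which scenarios and user groups improve over time.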

After running each phishing test, share your insights with your organization. Highlight both your wins and your losses, and discuss the potential impact of falling for similar real-world attacks. Then, use the findings to refine your phishing training. Over time, repeat the tests with different scenarios and user groups to keep employees sharp and your training relevant.

Deepfake Voice (AI Vishing) Simulation

They say imitation is the sincerest form of flattery. It’s also a perfect way for attackers to toy with your people. Deepfake voice attacks, also known as AI vishing, use machine-learning-generated or modified voices to impersonate trusted people during phone calls. The attacks combine synthetic speech, pretexting (urgent or alarming scenarios), and automated call workflows to trick targets into revealing sensitive information or taking harmful actions. By simulating this type of attack, you put your workers’ vigilance to the test.

To implement a deepfake simulation, work with authorized testers or a vetted vendor and run social engineering exercises only in pre-approved, bounded scopes. Use synthetic audio that mimics the cadence or tone of an internal leader or trusted vendor, but only with explicit consent from those individuals and leadership. This test is run by either cold-calling target staff or running the audio in a classroom format. Once engaged with your target, keep the ask low-risk and observable. For example, ask that the employee confirm a non-sensitive detail that would typically require a call-back procedure or other policy check before divulging. Never ask for secrets or passwords, and do not ask your employees to perform real transactions during these simulations.

When placing each call, ensure all audio files and calls are logged for analysis. However, you’ll want to take care not to place employees in a situation that could cause operational harm or panic. Rely on scripted prompts and safe, staged scenarios so you can observe behavior without escalating real-world risk. Include a clear escalation path for any employee who becomes distressed and an opt-out mechanism for sensitive targets.

Remember: these scenarios are not about getting your people in trouble. It’s about teaching them that anyone can be fooled by a savvy attacker, and that their best bet is to understand and follow procedures at all times.

When measuring the results, look at the percentage of staff who complied with the voice request without following policy and procedures. Additional valuable metrics include the reporting rate to security, time-to-escalate to a manager, and the number of actions taken that could have been harmful had the attack been real (e.g., willingness to approve a vendor change, send money, or provide information). These measurements reveal weaknesses in voice-based authentication and help you tune policies, introduce mandatory callback procedures, and design training that emphasizes “verify before you act.” 

Business-logic & Insider Threat Scenarios

Malicious insiders and attackers who have gained a foothold in your network can work within your processes to attempt theft. Business-logic and insider threat exercises put your organization’s processes and controls to the test by simulating complex, multi-step attacks that mix social engineering with technical tricks. Think of scenarios like fake supplier invoices combined with an attempt to manipulate approvals or hack payment processing.

These exercises involve a red team with tightly defined rules of engagement. The red team’s goal is to achieve a specific objective, such as convincing a user to authorize the fake invoice described above.

Reminder: you don’t want to cause any real damage or theft during a cybersecurity simulation or pentest. That’s why you’ll want to operate with a clearly defined scope, full signoff by all stakeholders, and a carefully controlled environment.

As the exercise unfolds, track how quickly the attempt is detected, which process gaps were exploited, and where points of failure exist in approval workflows. Look for common weaknesses like single-person approvals, over-reliance on email and other low-security checks, or confusing policies that lead to circumvention.

After the test, review the findings with your teams and take action. Enforce dual approvals for high-risk transactions, strengthen verification of change requests, and run tabletop exercises on fraud scenarios. Repeating these exercises over time helps teams recognize risky patterns, reinforces secure processes, and builds resilience against sophisticated insider or business-logic attacks.

Signs of Success

The best indication that your security awareness program is working is when your employees consistently act as the first line of defense. The fewer human errors your organization makes, the harder it is for threat actors to exploit them. When secure behaviors become routine, it’s clear that your workforce has internalized the principles of security awareness, and people are no longer the weakest link.

Signs that your security awareness program investments are paying off include:

  • Proactive reporting: Employees quickly flag suspicious emails, links, or requests to IT or security teams.
  • Adherence to policy: Staff follow procedures for verifying approvals, handling sensitive data, adhering to callback policies, and validating changes through multi-channel authorization processes.
  • Healthy skepticism: Employees across all parts of the organization (not just cybersecurity) pause before clicking links, opening attachments, or responding to urgent requests, especially when something feels “off.”
  • Collaborative culture: Teams openly discuss potential security concerns, share lessons learned from simulations, and participate actively in tabletop exercises.
  • Continuous improvement: Mistakes made during simulations lead to targeted training rather than blame, reinforcing the idea that security is everyone’s responsibility.

Weaknesses to Watch For

Recognizing weaknesses is the critical first step for security improvement. Since so much of cybersecurity relies on what people do, the goal of simulations is to shine a light on risky human behavior in a controlled environment. Once you identify those risks, you can reinforce training, tweak processes and policies, and foster a culture where vigilance and verification become second nature.

Some common weaknesses to watch for include:

  • Clicking before thinking: Employees open emails, attachments, or links without verifying legitimacy.
  • Shortcutting approved processes: Single-person approvals, emailed confirmations, or bypassing verification steps create exploitable gaps.
  • Low reporting rates: Staff fail to report suspicious activity or devices, leaving potential threats unaddressed.
  • Curiosity over caution: Employees follow unclear instructions or respond to unexpected requests without checking first.
  • Inconsistent follow-through: Policies are known but not consistently applied across teams or locations, creating uneven defenses.

Critical Considerations Before You Start

Simulated attacks should never be conducted without the full knowledge and consent of your stakeholders. Before you run any simulations, make sure you have clear, documented approval from leadership, legal, HR, and IT. You will also need a narrowly scoped Rules of Engagement that spells out allowed targets, time windows, escalation and kill-switch procedures. Simulated security tests also need to account for privacy and data-handling rules that anonymize results and limit retention. Your legal or HR teams may identify and request opt-outs for sensitive staff. And you’ll need to coordinate with your incident response and security operations center (SOC) teams so real incidents aren’t accidentally triggered.

Also, remember that the purpose isn’t to call out your employees, but to create remediation plans to coach, support, and educate. To that end, your metric gathering process should anonymize results. It’s not important to know who fell for the attacks – just how many did. By running tests in this manner, you maintain trust with your employees, and you open the lines of communication to discuss test results. This way, you help your workforce understand the crucial role they play in cybersecurity without calling them out, causing distress, or fostering distrust.

Ready to Put Your People to the Test?

Don’t wait for attackers to be the ones who test your workers’ security know-how. The GuidePoint Security TAS team can help you run simulations that identify risky employee behaviors. From phishing scenarios to social engineering setups to pinpointed red team exercises, we’ll help you find the weaknesses in your workforce so you can build a culture of cybersecurity awareness.


This October, take a moment to reflect: Are you and your employees practicing the Core 4 every day? Small steps, done consistently, can stop big threats. Cybersecurity is everyone’s job, and together, we can all do our part to stay safe online.

Article source: https://www.guidepointsecurity.com/blog/cam-3-simulations-that-reveal-human-weakness/