A receptionist at a private hospital in Lagos receives an email that appears to be from the hospital's EMR vendor. It says there's been a security update and asks her to log in to verify her account. The branding is perfect. The sender address looks right. She clicks.
Fortunately, this isn't a real attack. It's a simulated phishing test: a controlled exercise designed to find out how staff respond to realistic phishing emails before a real attacker does. Her click doesn't install malware or steal credentials. Instead, it redirects her to a short training page that explains exactly what she missed and how to spot the red flags next time.
Phishing remains the number one way attackers breach organisations. Over one million phishing attacks were recorded globally in the first quarter of 2025 alone, and phishing-related breaches now cost an average of $4.88 million each. In healthcare, the stakes are even higher: locked patient records can delay treatment, disrupt surgeries, and put lives at risk.
Yet many hospitals still treat phishing awareness as a once-a-year PowerPoint presentation. That approach no longer works. AI-generated phishing emails now arrive with perfect grammar, convincing branding, and personalised details. The only reliable defence is to test your people regularly, under realistic conditions, and give them the feedback they need to improve.
What Is a Simulated Phishing Test?
A simulated phishing test is a controlled exercise in which an organisation sends realistic but harmless phishing emails to its own staff. The emails mimic the tactics real attackers use: fake invoices, password reset requests, delivery notifications, messages from trusted brands. Instead of stealing data, they track behaviour: who opened the email, who clicked, who entered credentials on a fake page, and crucially, who reported it.
A thorough programme goes beyond email to include spear phishing (targeted emails personalised to specific roles), vishing (voice calls, increasingly powered by AI cloning), smishing (SMS and WhatsApp), and even QR code attacks placed physically within the hospital. The goal is never to punish or embarrass anyone. It's to identify where your human vulnerabilities are and address them through education, not blame.
Why Your Hospital Needs Simulated Phishing Tests
Research shows that one in three untrained employees will click a phishing link. In a hospital with 300 staff, that's roughly 100 people who would hand over credentials or click a malicious link if targeted today. Here's what a structured simulation programme changes:
- It dramatically reduces risk. Organisations with ongoing programmes see click rates drop from 33% to as low as 1.5% over 12 months – a measurable reduction in your attack surface.
- It builds a reporting culture. Effective programmes can raise reporting rates from 13% to over 60%, meaning suspicious emails are flagged and neutralised before they cause harm.
- It delivers financial returns and supports compliance. Security awareness training delivers between $3 and $7 for every $1 invested. It also provides documented evidence for frameworks such as Nigeria's Data Protection Act (NDPA), ISO 27001, and NIST.
Running It Right
An effective programme is a structured, ongoing cycle: define objectives, craft role-relevant scenarios, distribute during normal hours, track results, and deliver immediate feedback to anyone who clicks. The feedback – not the test itself – is where the learning happens. Segment results by department to identify high-risk groups, and report findings to leadership with clear, actionable recommendations.
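The "track results, segment by department, feed back to those who clicked" step above is where most of the useful data lives, so here is an added example of that analysis in Python. It is not code from the article or from any simulation platform: the event names (`sent`, `opened`, `clicked`, `submitted`, `reported`), the tuple layout, the department names and the staff identifiers are all constructed for this illustration, and the 33% click threshold is simply the untrained baseline the article quotes. Given an event log from one campaign, it computes per-department click, credential-submission and report rates, flags departments at or above the baseline, lists who should receive the immediate training page, and lists who reported the lure without clicking so they can be recognised.

```python
from collections import defaultdict

# Event types assumed for this example (a hypothetical schema, not a real
# platform's export format). One recipient can produce several events.
EVENT_TYPES = ("sent", "opened", "clicked", "submitted", "reported")

# Constructed sample event log for one monthly campaign; all names fictional.
SAMPLE_EVENTS = [
    ("a.okafor", "Reception", "sent"), ("a.okafor", "Reception", "opened"),
    ("a.okafor", "Reception", "clicked"), ("a.okafor", "Reception", "clicked"),  # duplicate click
    ("a.okafor", "Reception", "submitted"),
    ("b.adeyemi", "Reception", "sent"), ("b.adeyemi", "Reception", "opened"),
    ("b.adeyemi", "Reception", "clicked"), ("b.adeyemi", "Reception", "reported"),  # clicked, then reported
    ("c.bello", "Reception", "sent"), ("c.bello", "Reception", "opened"), ("c.bello", "Reception", "reported"),
    ("d.eze", "Reception", "sent"),
    ("e.musa", "Pharmacy", "sent"), ("e.musa", "Pharmacy", "opened"), ("e.musa", "Pharmacy", "reported"),
    ("f.nwosu", "Pharmacy", "sent"), ("f.nwosu", "Pharmacy", "reported"),
    ("g.ibrahim", "Pharmacy", "sent"), ("g.ibrahim", "Pharmacy", "opened"),
    ("h.ojo", "Pharmacy", "sent"),
    ("i.lawal", "Pharmacy", "sent"), ("i.lawal", "Pharmacy", "opened"), ("i.lawal", "Pharmacy", "clicked"),
    ("j.umar", "Admin", "sent"), ("j.umar", "Admin", "opened"),
    ("j.umar", "Admin", "clicked"), ("j.umar", "Admin", "submitted"),
    ("k.obi", "Admin", "sent"), ("k.obi", "Admin", "opened"), ("k.obi", "Admin", "clicked"),
    ("z.guest", "Admin", "reported"),  # report from someone who was never sent the lure: ignored
]


def outcomes_by_user(events):
    """Collapse the raw event stream into one set of outcomes per recipient.

    A set makes duplicates (two clicks on the same link) count once and makes
    the result independent of the order events arrived in.
    """
    per_user = {}
    for user, dept, event in events:
        if event not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {event!r}")
        per_user.setdefault((user, dept), set()).add(event)
    # Only people the lure was actually sent to belong in the denominator.
    return {key: evs for key, evs in per_user.items() if "sent" in evs}


def summarise_by_department(events):
    """Per-department counts and rates for clicks, credential submissions and reports."""
    dept = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for (_user, d), evs in outcomes_by_user(events).items():
        dept[d]["sent"] += 1
        for outcome in ("clicked", "submitted", "reported"):
            if outcome in evs:
                dept[d][outcome] += 1
    for counts in dept.values():
        n = counts["sent"]
        counts["click_rate"] = counts["clicked"] / n
        counts["submit_rate"] = counts["submitted"] / n
        counts["report_rate"] = counts["reported"] / n
    return dict(dept)


def high_risk_departments(summary, click_threshold=0.33):
    """Departments whose click rate is at or above the threshold, worst first.

    The default is the untrained one-in-three baseline quoted in the article.
    """
    flagged = [(d, s["click_rate"]) for d, s in summary.items()
               if s["click_rate"] >= click_threshold]
    return [d for d, _ in sorted(flagged, key=lambda x: (-x[1], x[0]))]


def feedback_queue(events):
    """Recipients who clicked or submitted credentials: each gets the immediate,
    non-punitive training page. Sorted so reports are stable run to run."""
    return sorted(user for (user, _d), evs in outcomes_by_user(events).items()
                  if evs & {"clicked", "submitted"})


def reporters_to_recognise(events):
    """Recipients who reported the lure without clicking it: candidates for the
    positive reinforcement the article recommends."""
    return sorted(user for (user, _d), evs in outcomes_by_user(events).items()
                  if "reported" in evs and "clicked" not in evs)


if __name__ == "__main__":
    summary = summarise_by_department(SAMPLE_EVENTS)
    for d, s in sorted(summary.items()):
        print(f"{d:10s} sent={s['sent']:2d} click={s['click_rate']:.0%} "
              f"submit={s['submit_rate']:.0%} report={s['report_rate']:.0%}")
    print("high-risk departments:", high_risk_departments(summary))
    print("feedback queue:", feedback_queue(SAMPLE_EVENTS))
    print("reporters to recognise:", reporters_to_recognise(SAMPLE_EVENTS))
```

Two design choices matter for the culture the article describes: a recipient who clicked and then reported still counts as a click (the click is the risk signal) but is not shamed, and reporting is tracked as its own positive metric rather than only as the absence of a click. Feeding `feedback_queue` into the training workflow and `reporters_to_recognise` into a recognition step is the "segment and feed back" loop in code.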
A few principles separate programmes that work from those that don't:
- Run it monthly, not annually. Attackers don't take eleven months off, and neither should your training.
- Include everyone – especially leadership. Executives are among the most targeted individuals (a tactic known as "whaling"), yet are often excluded from simulations.
- Never shame or punish. People who fear punishment hide their mistakes instead of flagging real threats. Frame every touchpoint as a learning exercise, not a test to fail.
- Update your content. If your training still tells staff to "look for spelling mistakes," it's obsolete. Focus on deeper red flags: unexpected urgency, unusual sender addresses, requests for credentials.
- Reward reporting. Recognise staff who correctly identify and flag simulations. Positive reinforcement builds the culture you actually want.
Take the First Step
Simulated phishing tests are most effective as part of a broader security awareness strategy. Simulation results should feed directly into your training programme, and the data should integrate with your incident response process so your security team can spot patterns in real time.
Your staff are your first line of defence. Test them. Train them. Trust them.