Why Generic Phishing Simulations Don’t Prepare You for AI Attacks
Template-based phishing simulations test whether employees click links. They do not test whether your organisation can withstand a targeted attack from a real threat actor. The difference between a generic ‘buy gift cards’ email and a coordinated attack replicating Scattered Spider’s help desk exploitation techniques is the difference between a fire drill and an actual fire.
According to the Verizon 2024 Data Breach Investigations Report, the human element is involved in over 60% of all breaches. Yet most organisations test this critical attack surface with the same recycled templates their employees have seen dozens of times.
The Template Problem
Most security awareness platforms maintain libraries of pre-built phishing scenarios: fake package deliveries, password reset requests, and invoice attachments. These templates serve a purpose. They establish baseline click rates and satisfy compliance requirements that often mandate monthly simulations.
But attackers do not use templates. They research their targets. They study organisational structures. They identify high-value individuals and craft attacks specifically designed to exploit trust relationships within your organisation.
The Proofpoint 2024 State of the Phish report found that 68% of workers admitted to knowingly breaking security policies, despite receiving regular training. This suggests that click-rate metrics from template simulations may not reflect actual organisational resilience.
How Real Threat Actors Operate
Consider Scattered Spider (also known as UNC3944 or 0ktapus), a threat group that has successfully compromised major organisations through sophisticated social engineering. Their methodology includes:
- Targeting help desk staff with convincing impersonation calls
- Using stolen identity information to pass verification checks
- Exploiting multi-factor authentication through SIM swapping and MFA fatigue attacks
- Leveraging internal knowledge to appear legitimate
A generic phishing template does not replicate any of these techniques. An organisation that passes every simulated phishing test may still be vulnerable to the actual tactics these groups deploy.
What Threat Actor Replication Means in Practice
Threat actor replication means studying the specific techniques, tactics, and procedures (TTPs) of known adversaries and incorporating them into red team engagements. This includes:
- Attack chain design: Building multi-stage scenarios that mirror how real attackers progress through an organisation
- Target selection: Focusing on the same roles attackers target, including finance teams, executive assistants, and IT help desks
- Pretext development: Creating believable scenarios based on your organisation’s actual structure and communication patterns
- Timing and context: Launching attacks during periods when targets are likely to be distracted or under pressure
The Gap Between Compliance and Readiness
Insurance companies and regulators often require monthly or quarterly phishing simulations. Meeting this requirement is straightforward: run a template campaign, report the metrics, check the box.
But compliance does not equal readiness. The question security leaders should ask is not ‘Are we running simulations?’ but ‘Are our simulations testing our actual exposure to the threats we face?’
When Arup, the engineering consultancy, lost $25 million to a deepfake video call attack in 2024, it was not because they lacked awareness training. It was because the attack used techniques that standard simulations do not cover. The attack was reported by the Financial Times and demonstrated how sophisticated social engineering can bypass conventional defences.
Making Simulations Count
If your organisation is required to run monthly simulations, those simulations should test something meaningful. Consider:
- Varying attack vectors: Move beyond email to include voice calls, messaging platforms, and video conferencing, which are the channels attackers actually use
- Testing verification workflows: See whether employees follow callback procedures when receiving unusual requests
- Targeting high-risk roles: Focus simulation intensity on roles that handle financial transactions or have elevated access
- Measuring response, not just clicks: Track whether employees report suspicious activity, not just whether they avoid clicking
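One way to turn the last two points into numbers, as an added example that is not part of the original article: score a simulation campaign by reporting behaviour (report rate, reported-before-click share, time to report) broken down by role or by channel, so high-risk roles and non-email channels can be compared rather than hidden in an overall click rate. The event records and field names below are constructed sample data, not any platform's export format.

```python
# Added example: scoring a simulation on response, not just clicks.
# Records and field names are constructed assumptions for illustration.
from collections import defaultdict
from statistics import median

# Constructed sample events: one record per recipient per campaign touch.
# Times are seconds after the lure was delivered; None means it never happened.
EVENTS = [
    {"user": "a1", "role": "finance",   "channel": "email", "clicked_at": 120,  "reported_at": None},
    {"user": "a2", "role": "finance",   "channel": "voice", "clicked_at": None, "reported_at": 300},
    {"user": "a3", "role": "helpdesk",  "channel": "voice", "clicked_at": 60,   "reported_at": 900},
    {"user": "a4", "role": "helpdesk",  "channel": "email", "clicked_at": None, "reported_at": None},
    {"user": "a5", "role": "exec_asst", "channel": "chat",  "clicked_at": None, "reported_at": 45},
    {"user": "a6", "role": "exec_asst", "channel": "email", "clicked_at": 30,   "reported_at": None},
]

def score(events, group_by="role"):
    """Per-group metrics: click rate, report rate, share of recipients who
    reported before (or instead of) clicking, and median seconds to report."""
    groups = defaultdict(list)
    for e in events:
        groups[e[group_by]].append(e)
    out = {}
    for key, evs in groups.items():
        n = len(evs)
        clicked = sum(1 for e in evs if e["clicked_at"] is not None)
        reported = [e for e in evs if e["reported_at"] is not None]
        # The outcome that matters: a report that arrived before any click,
        # or with no click at all. A report after clicking still counts as
        # a report, but not as a prevented compromise.
        good = sum(1 for e in reported
                   if e["clicked_at"] is None or e["reported_at"] < e["clicked_at"])
        out[key] = {
            "n": n,
            "click_rate": round(clicked / n, 2),
            "report_rate": round(len(reported) / n, 2),
            "reported_before_click": round(good / n, 2),
            "median_secs_to_report": median(e["reported_at"] for e in reported) if reported else None,
        }
    return out

def below_floor(metrics, floor=0.5):
    """Groups whose reported-before-click share is under the floor, worst first,
    i.e. where the next engagement's intensity should be concentrated."""
    weak = [(k, m["reported_before_click"]) for k, m in metrics.items()
            if m["reported_before_click"] < floor]
    return sorted(weak, key=lambda kv: kv[1])

if __name__ == "__main__":
    for group_by in ("role", "channel"):
        print(group_by, score(EVENTS, group_by), below_floor(score(EVENTS, group_by)))
```

Grouping by channel on the same events shows why email-only metrics mislead: in this sample the email touches were never reported at all, while the voice touches were reported every time.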
Frequently Asked Questions
Does this mean template-based training has no value?
Template-based training serves a purpose. It establishes awareness of common attack patterns and provides baseline metrics. But it should be supplemented with testing that reflects actual threat actor behaviour, particularly for organisations facing sophisticated adversaries.
How do we know which threat actors to replicate?
Start with threat intelligence relevant to your industry and geography. Financial services organisations face different threat actors than healthcare or technology companies. Your security team or external advisors can help identify relevant adversary profiles.
Is threat actor replication only relevant for large enterprises?
No. Attackers target organisations of all sizes, often because smaller organisations may have weaker defences. Voice cloning technology that enables impersonation attacks is now freely available, lowering the barrier for attacks against any organisation. The ENISA Threat Landscape 2024 notes that over 80% of phishing emails now use AI assistance.
How often should we run threat actor simulations versus standard phishing tests?
This depends on your risk profile and resources. A reasonable approach is to run standard awareness campaigns monthly for baseline coverage, supplemented by quarterly or semi-annual red team engagements that replicate specific threat actor techniques.
Breacher.ai specialises in AI social engineering red teaming, including threat actor replication for help desk exploitation, voice cloning attacks, and deepfake video call simulations.