Wizer Free Security Awareness Blog

5 Phishing Simulation Email Templates To Refresh Your Security Awareness Training - April

Written by James Linton, Guest Writer | Apr 28, 2025 7:25:02 AM

The pace of change at work has never been faster. New tools, smarter features, endless AI updates — it’s a full-time job just trying to keep up. And as our digital habits shift, so do the tactics used by cybercriminals. The inbox remains their favorite playground, blending helpful-looking nudges with hidden tricks that are harder than ever to spot. This month’s phishing simulations reflect how subtle, familiar, and almost boring a phish can be — until it isn’t.

Download these phishing templates for your in-person security awareness training materials!

Guess the Glitch

Browser extensions are like digital sidekicks — helpful, silent, and easy to forget about. But behind their convenience is a hidden risk. This simulation taps into that often-overlooked layer of our digital workspace, where danger doesn’t look like a warning — it looks like a helpful update.

The Hook:
This phish plays on confusion. A notification from the “Chrome Web Store” says one of your extensions has been disabled due to suspicious activity. The vague threat, paired with a direct call to “Re-enable Extension,” creates a soft urgency. It doesn’t shout — it whispers.

Real-World Risk:
Clicking the link takes users to a fake Chrome extension page that appears legit, prompting them to reinstall the extension, which is malware in disguise. Because it mimics a normal maintenance process, it flies under the radar.

Learning Moment:
It’s a reminder that browser extensions operate with high levels of access, sometimes even reading what you type. Encourage your team to only install from trusted sources, avoid “too helpful” add-ons, and always access browser settings directly instead of through email prompts.

Violation Vibes


This one uses just enough mystery to spark concern — and just enough branding to seem credible. It doesn’t say “you’re in trouble.” It simply says, “You might be.”

The Hook:
The email looks like it’s from Google. It says unusual account activity has been flagged and asks the recipient to view more information before restrictions are applied. There’s no mention of law enforcement or legal terms — just a quiet note that something may be off and needs a response.

Real-World Risk:
The link leads to a phishing page hosted on a real Google Sites URL — a tactic attackers are currently using to bypass filters. It asks users to log in to verify activity, capturing credentials in the process.

Learning Moment:
This is a great example of “legitimacy laundering” — where real branding and vague urgency are enough to lower defenses. Teach users to navigate to official sites manually and never trust alerts that ask for immediate action via email.
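
An added example, not part of the original article or Wizer's materials: a Python sketch of why the Google Sites tactic described above gets past a filter that trusts a link by its parent domain, and how an exact-host check flags it. The host lists and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: parent domains a coarse reputation filter treats as trusted.
TRUSTED_PARENTS = {"google.com"}
# Hosts where anyone can publish a page under a trusted parent domain.
# sites.google.com is the one named in the article; the set is an assumption.
USER_CONTENT_HOSTS = {"sites.google.com"}
# Assumption: the only hosts where each brand legitimately asks for a password.
BRAND_LOGIN_HOSTS = {"google": {"accounts.google.com"}}


def link_host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def coarse_filter_allows(url):
    """Model of a filter that only looks at the last two labels of the host."""
    parent = ".".join(link_host(url).split(".")[-2:])
    return parent in TRUSTED_PARENTS


def assess_link(url, claimed_brand):
    """Exact-host check for a link in an email that claims to be from a brand."""
    host = link_host(url)
    findings = []
    if host in USER_CONTENT_HOSTS:
        findings.append("user-content-host")
    if host not in BRAND_LOGIN_HOSTS.get(claimed_brand, set()):
        findings.append("not-brand-login-host")
    return findings


# Constructed sample links, as they might appear in a "Google" account alert.
SAMPLES = [
    "https://sites.google.com/view/example-account-review",
    "https://accounts.google.com/signin",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, coarse_filter_allows(url), assess_link(url, "google"))
```

Both sample links pass the parent-domain filter; only the exact-host check separates the user-published page from the real sign-in host.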

Click To Keep


AI tools are becoming everyday companions at work: helping with writing, summarizing, and brainstorming. But with great power comes great policy paperwork. Or in this case… a simulated phishing email.

The Hook:
The email appears to come from HR or IT. It informs users that a new AI usage policy must be acknowledged in order to keep access to tools like ChatGPT, Gemini, or Copilot. There’s no scare tactic — just a subtle nudge that this is standard admin. One click and you’re compliant.

Real-World Risk:
The link leads to a page impersonating an internal HR platform like Workday or BambooHR. Users are asked to sign in to “confirm” their acknowledgment, unknowingly handing over their credentials.

Learning Moment:
Not all phishing pretexts are dramatic. Some lean on routine and formality — mimicking real admin processes your org might already use. Train users to double-check URLs and avoid clicking email-based policy prompts.

Auto-Analysis


Summaries are everywhere now — auto-generated meeting notes, productivity dashboards, AI-fed timelines. So when one lands in your inbox, it barely raises an eyebrow. That’s what makes this simulation so sneaky.

The Hook:
The email mimics a Google Workspace notification, offering a personalized recap of the user’s Docs, Meet, Gmail, and Drive activity. The tone is light, data-driven, and helpful. The button? “View My Summary.”

Real-World Risk:
It leads to a fake Google login screen that captures credentials, wrapped in the aesthetic of productivity tracking and AI insight. Just enough of a novelty to feel new but plausible.

Learning Moment:
This highlights how phishing can evolve alongside workplace trends. As summaries become more common, employees need to develop a healthy skepticism about auto-generated anything, especially if it asks them to sign in first.

Syncing Feeling


Syncing is one of those background tasks we don’t think much about, until something goes wrong. That’s exactly what this phish wants you to believe just happened.

The Hook:
The email claims that some files haven’t synced correctly via OneDrive or Dropbox and may be lost unless action is taken. The CTA reads “Resync Now,” and the tone is gentle, but the implication is serious: you could lose work.

Real-World Risk:
The link mimics a cloud storage login screen, prompting users to reauthenticate. From there, attackers can harvest login credentials or push malware disguised as a sync utility.

Learning Moment:
This one shows how mundane infrastructure, like file syncing, can be weaponized. Help your team understand that sync failures, while annoying, should always be checked via the actual desktop app or official site.

Phishing attacks aren’t going anywhere, but the way they look, feel, and work is always evolving. These simulations help your team build the kind of reflexes that work whether the scam is flashy or quietly clever. Want more templates to run, or ready to roll out your own awareness boost? Check out our full phishing simulation library and give your team the tools to spot what doesn’t belong in their inbox.