Built for US businesses

Phishing simulation for US businesses

Email and WhatsApp phishing simulation and security awareness training — with BEC and payroll scenario templates and HIPAA, PCI-DSS and SOC 2-aligned reporting.

No credit card required. Compliance-ready reports included.

$16.6B
reported US cybercrime losses in a single year (FBI IC3)
859K+
cybercrime complaints filed with the FBI in 2024
$2.7B+
lost to business email compromise (BEC) alone
68%
of breaches involve a human element (Verizon DBIR)

Sources: FBI IC3 Internet Crime Report 2024; Verizon Data Breach Investigations Report 2024.

The threat landscape

Why US businesses need phishing simulation

Business Email Compromise is one of the costliest cybercrimes reported to the FBI, and it starts with a single employee acting on a convincing message.

Business Email Compromise (BEC)

Attackers impersonate executives and vendors to push urgent wire transfers and payment-detail changes. PhishSkill simulates these so finance teams meet them in training first.

Payroll & IRS / W-2 phishing

A uniquely US pattern: fake IRS W-2 requests and payroll-redirect emails aimed at HR and finance, peaking each tax season. The library models them directly.

Microsoft 365 & SaaS credential theft

Fake password-expiry and MFA-enrollment prompts for Microsoft 365, ADP and Paylocity are among the most common US credential lures. Training builds the instinct to check the real source before acting.

AI-enhanced CEO fraud

Voice-cloned 'CEO calls' and AI-written emails are escalating against US finance staff. Training reinforces the one habit that defeats them — verifying every urgent request out-of-band.

Anatomy of a BEC attack

The email your finance team needs to recognise

Most wire-fraud emails look ordinary. The tells are small — a look-alike domain, urgency, secrecy, and a payment request that skips your normal process. PhishSkill puts these in front of staff safely, so the first time they see one isn't with real money on the line.

  • Look-alike sender domain (one character off)
  • Manufactured urgency and a request for secrecy
  • An unusual payment or detail-change request
  • Pressure to skip the normal verification step
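
The four tells above can be screened for mechanically before a human ever reads the mail. The block below is an added example written for this page, not PhishSkill code: it checks the sender domain against the organisation's own domains (exact match, edit distance of one, or a confusable-character substitution such as "rn" for "m" or "1" for "l") and scans the subject and body for urgency, secrecy, payment and process-bypass language. ORG_DOMAINS, the keyword lists, the confusable table and both sample messages are assumptions constructed for the example; a real deployment would tune them to the organisation.

```python
"""
Added example (not part of the PhishSkill page): a screener for the four BEC
tells listed above, run over constructed sample messages.
Assumptions: ORG_DOMAINS is the organisation's real sending domains; the
keyword lists and the confusable table are illustrative, not exhaustive.
"""
import re

# Assumption: the domains this organisation legitimately sends from.
ORG_DOMAINS = {"example.com"}

# Character substitutions attackers use to forge look-alike domains.
# Applied to both sides before comparing, so "exarnple" reads as "example".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Illustrative keyword patterns for each tell; matched as whole words, case-insensitive.
TELLS = {
    "urgency": [r"urgent", r"asap", r"immediately", r"today", r"right away",
                r"before (?:noon|close|eod)"],
    "secrecy": [r"confidential", r"keep this between us",
                r"do not (?:discuss|mention|tell)", r"don't tell"],
    "payment": [r"wire", r"wire transfer", r"new (?:bank|account) details",
                r"updated (?:bank|account)", r"invoice", r"gift cards?"],
    "bypass":  [r"don't call", r"do not call", r"in a meeting", r"can't talk",
                r"skip (?:the )?(?:approval|verification|process)",
                r"no need to (?:verify|confirm|check)"],
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a one-character-off domain scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Lower-case, strip a trailing dot, and collapse confusable characters."""
    d = domain.lower().rstrip(".")
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def sender_domain(address: str) -> str:
    """Domain part of either 'Name <user@domain>' or a bare 'user@domain'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address)
    return m.group(1).lower() if m else ""


def is_lookalike(domain: str, org_domains=ORG_DOMAINS) -> bool:
    """True when the domain is not ours but is one edit or one confusable away."""
    d = domain.lower()
    if d in org_domains:
        return False  # the genuine domain is never a look-alike
    nd = normalize_domain(d)
    for org in org_domains:
        if nd == normalize_domain(org) or levenshtein(d, org) <= 1:
            return True
    return False


def find_tells(text: str) -> set:
    """Names of the tells whose keyword patterns appear in the text."""
    found = set()
    for tell, patterns in TELLS.items():
        for p in patterns:
            if re.search(r"\b" + p + r"\b", text, re.IGNORECASE):
                found.add(tell)
                break
    return found


def screen_message(sender: str, subject: str, body: str) -> dict:
    """Return the tells present and whether the message should be held for verification."""
    tells = find_tells(subject + "\n" + body)
    if is_lookalike(sender_domain(sender)):
        tells.add("lookalike_domain")
    # Flag on a forged sender, or on a payment ask backed by any pressure tell.
    pressure = {"urgency", "secrecy", "bypass"}
    flagged = "lookalike_domain" in tells or ("payment" in tells and bool(tells & pressure))
    return {"tells": sorted(tells), "flagged": bool(flagged)}


# Constructed sample messages (assumptions for the example, not real mail).
SUSPECT = dict(
    sender="Pat Smith <pat.smith@examp1e.com>",
    subject="Urgent wire needed today",
    body="Please keep this confidential. Process the wire to the new account details "
         "attached. I'm in a meeting and can't talk, so don't call - just get it done.")
BENIGN = dict(
    sender="pat.smith@example.com",
    subject="Q3 planning deck",
    body="Attached is the draft deck for Thursday. Comments welcome by Friday.")

if __name__ == "__main__":
    for msg in (SUSPECT, BENIGN):
        print(msg["sender"], "->", screen_message(**msg))
```

The screener is deliberately conservative: a payment request on its own is normal business mail and is not flagged, but a payment request combined with urgency, secrecy or an attempt to head off a verification call is. The look-alike check catches both a one-character edit and a confusable substitution that a plain edit distance would score higher than one; neither check replaces the habit the page describes of confirming every payment change out-of-band with the known-good contact.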

One program, every framework

Built for US compliance and US threats

The same simulation and training cycle supports HIPAA, PCI-DSS, SOC 2 and NIST awareness requirements at once.

US-specific templates

BEC, IRS W-2, ADP/Paylocity payroll, Microsoft 365 and DocuSign lures modelled on real US campaigns — not generic global templates.

WhatsApp simulation

Runs authorised phishing simulations on WhatsApp as well as email, as US teams adopt it for internal and client communication.

Compliance-aligned reporting

Per-employee, timestamped records that support HIPAA, PCI-DSS, SOC 2 and NIST SP 800-50 evidence requirements.

Risk scoring

Per-employee and per-department risk scores pinpoint your real exposure, so follow-up training goes where it's needed.

Cyber-insurance evidence

Documented proof of an ongoing simulation and training program — increasingly expected by cyber insurance underwriters.

Custom on request

Need a scenario specific to your sector or stack? Request it and we deliver in days, not quarters.

US-specific simulation templates

CEO / executive wire-transfer BEC
IRS W-2 request impersonation
ADP & Paylocity payroll-redirect fraud
Microsoft 365 password / MFA prompts
DocuSign & Adobe Sign e-signature phishing
IT helpdesk credential-reset spoofing

Compliance context

Frameworks our reports help you evidence

One monthly cycle, multiple audit requirements satisfied at once.

Framework: what it asks for

HIPAA Security Rule: A security awareness and training program for all workforce members (45 CFR 164.308(a)(5)).
PCI-DSS 12.6: A formal security awareness program with at least annual training for all personnel.
SOC 2 (CC1.4): Demonstrated security competence; auditors look for documented awareness training, and phishing simulation records are common supporting evidence.
NIST SP 800-50: An ongoing cybersecurity awareness program, with phishing simulations among the activities it describes.
FTC Safeguards Rule: Employee training within a written information security program for covered financial firms.

PhishSkill supports your compliance evidence with documented testing and training records — it is not a certification or a guarantee of compliance.

Who we serve

Industries we serve in the US

Healthcare & health-tech

Consistently among the most-breached US industries, and one where the HIPAA Security Rule makes a security awareness and training program a direct requirement.

Financial services & fintech

Firms under SOC 2, PCI-DSS and the FTC Safeguards Rule, with training targeting BEC and wire-transfer fraud.

Retail & e-commerce

Any business handling cardholder data is in PCI-DSS scope, where Requirement 12.6 calls for security awareness training.

Legal & professional services

Firms holding sensitive client data and moving funds — prime BEC and impersonation targets.

SaaS & technology

Companies pursuing SOC 2, whose auditors look for documented awareness training, with phishing simulation records as supporting evidence.

Education & nonprofits

Often under-resourced and heavily targeted. The Starter plan gives them enterprise-grade simulation at accessible pricing.

Get started

Live in under 30 minutes

1

Start your free trial

30 days, no credit card, full platform access.

2

Add your employees

Upload via CSV — your first campaign is minutes away.

3

Pick a US template

A CEO wire-transfer BEC, an IRS W-2 request, or a Microsoft 365 prompt.

4

Launch your first simulation

Most teams go live in under 30 minutes.

5

Review results and reports

Per-employee evidence, ready for management, auditors and insurers.

Questions

Frequently asked questions

Yes. The HIPAA Security Rule (45 CFR 164.308(a)(5)) requires a security awareness and training program for all workforce members. PhishSkill's simulations and training modules, with per-employee completion and result records, give you documented evidence to support that requirement. It supports your compliance evidence; it is not a certification.

Yes. The US template library includes Business Email Compromise, IRS W-2 requests, ADP and Paylocity payroll-redirect lures, Microsoft 365 credential prompts, and CEO wire-transfer fraud — the scenarios that actually hit US finance and HR teams.

Yes. PhishSkill produces per-employee, timestamped records of training completion and simulation results that support evidence requirements for SOC 2 (CC1.4), PCI-DSS Requirement 12.6, and NIST SP 800-50 awareness programs.

Many cyber insurance underwriters now expect a documented security awareness and phishing simulation program, and some treat it as a factor in coverage or premiums. PhishSkill's reports give you the evidence to show underwriters a program is in place.

Yes. The Starter plan is priced per user per month with no minimum commitment and no long-term contract, and begins as a 30-day free trial — enterprise-grade simulation without enterprise pricing.

Frameworks like NIST SP 800-50 point to regular, ongoing simulations rather than a single annual exercise. Most teams run a monthly or quarterly cycle, with short follow-up training for anyone who clicks.

Protect your US business

Run your first email and WhatsApp simulation in minutes. No credit card required.