CSA Releases Playbooks for the Conduct of Simulated Phishing Exercises to Encourage Organisations to Improve their Cyber Defences

Published on 22 Jan 2024

      The Cyber Security Agency of Singapore (CSA), in collaboration with Google and Microsoft, has released playbooks for the conduct of simulated phishing exercises within organisations. This is in support of Exercise SG Ready to commemorate 40 years of Total Defence (TD40)1 which is held from 15 February to 29 February 2024.  

2     As Singapore digitalises, the risks posed by cyber threats will continue to grow. In particular, phishing attacks where employees are tricked into revealing sensitive information can result in a loss of data or money or cause disruption to the operations of organisations. The need for cybersecurity has become more important than ever. 

3     The playbooks were developed to support and guide organisations’ conduct of the simulated phishing exercises using Google Workspace email management services and Microsoft 365 Defender within the office-controlled environment. The playbooks include step-by-step instructions that are specific to the type of office environment that the organisation is using. Through the email management systems, organisations have the options to customise the test phishing email by choosing social engineering techniques such as credential harvest, malware attachment, link in attachment, and payloads such as password reset or attractive sale offers. 

4     Simulated phishing exercises are a well-established cybersecurity best practice and are widely considered to be effective as a type of experiential learning. The objectives of a simulated phishing exercise2 are as follows:

  1.  At the individual-level: test and improve the cybersecurity awareness and readiness of employees through realistic training scenarios and equip them with the skills to spot phishing threats.
  2. At the organisation-level: identify potential gaps in their processes, enable targeted employee training and foster a sense of heightened cybersecurity awareness among employees with the aim to strengthen overall cybersecurity posture.

5     Organisations will be able to analyse the results collected during the simulated phishing exercise, which include metrics such as the click rates, conversion rates and reporting rates. By tracking employee responses to simulated phishing emails, companies can identify weak links in their security posture, pinpoint vulnerable employees, and take targeted measures for improvement.

6     As part of TD40, 21 organisations from participating public and private sectors will be referencing the playbooks to run simulated phishing exercises within their organisations’ networks to test the cybersecurity awareness and readiness of their employees.

7     Given the high damage potential that successful phishing attacks may cause, it is important for organisations and individuals to remain vigilant against phishing attacks.  Cybersecurity is a collective responsibility and a way of putting Digital Defence into action is to adopt good cyber hygiene practices.

1 2024 is the 40th year of Total Defence (TD40)
2 Simulated phishing exercises should be conducted in a controlled manner, should not cause distress to participants, and should avoid contravening any laws or giving rise to any causes of legal action.

- END -

About the Cyber Security Agency of Singapore

Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our Nation Security, power a Digital Economy and protect our Digital Way of Life. It maintains an oversight of national cybersecurity functions and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cybersecurity awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes. CSA is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information. For more news and information, please visit www.csa.gov.sg.


Download the Playbook for the Conduct of Phishing Simulation Exercises:



Report a Cybersecurity Incident

SingCERT encourages the reporting of cybersecurity incidents as it enables us to better understand the scope and nature of cyber incidents in Singapore. This will enable us to issue alerts or advisories on relevant threats, and assist a broader range of individuals and organisations.
Report Incident