An Empirical Analysis of Phishing Simulation to Mitigate Social Engineering Attacks

Abstract

Phishing remains one of the most prevalent and damaging forms of cyberattacks, exploiting human behavior rather than technical vulnerabilities. Despite technological advancements in email filtering, anomaly detection, and two-factor authentication, phishing continues to succeed by manipulating trust, authority, and urgency cues in unsuspecting users [1,5,14]. This study presents an empirical analysis of a phishing simulation conducted in a university setting to assess user susceptibility and promote security awareness. A simulated phishing email was sent to 35 staff members, with 80% opening the message and 40% clicking the embedded link. Behavioral responses—such as fear of reprimand and avoidance—indicated cultural and psychological barriers to effective awareness [4,9,18]. In addition to field experimentation, a technical comparison of open-source phishing tools—GoPhish, King Phisher, Phishery, and Evilginx2—was conducted to evaluate their practicality, usability, and deployment complexity [7,11,13]. Drawing on recent literature in cybersecurity education and behavioral science, this paper highlights the need for psychologically safe, culturally sensitive, and role-specific training to reduce long-term phishing risk [3,6,8,12,17]. Our findings support the integration of simulated phishing campaigns with structured, non-punitive feedback and adaptive educational interventions to foster more resilient digital behavior.
