INFO: MGB Phishing Training Program Overview

Phishing emails are one of the biggest security threats to Mass General Brigham. To help protect our organization, Information Security regularly sends simulated phishing emails to all workforce members. These practice emails teach you how to spot and report messages that could be harmful.

 

How the phishing simulations work

The simulations are based on real phishing attacks that target organizations like ours. They are also personalized for your role, so the messages feel realistic. Just like real phishing attempts, these emails are sent at random times, so you never know when one might appear. This helps you stay alert and build the habit of checking every email carefully.

 

If you ever get an email that seems suspicious — whether you think it’s a test or not — click the Report Phishing button in Outlook to alert the Information Security team. By reporting suspicious emails, you help keep our organization safe.

 

What happens if I fall for (click on) a simulated phishing email?

If you click a link or submit login credentials in the simulated phishing email, you will immediately be directed to an MGB-branded pop-up training page that explains:

  • How the simulated attack targeted your role
  • Suspicious elements in the email or “red flags”
  • Practical advice on how to avoid phishing attempts in the future (e.g., look out for offers that are too good to be true, verify sender domains, hover over links to check destinations, when in doubt report it, etc.).

At the bottom of the training page is a short multiple-choice quiz with four questions related to the simulation training material. You must correctly answer all questions in order to click the Acknowledge Training button and complete the training exercise. You have unlimited retry attempts to select the four correct answers. Below is a sample completed quiz and acknowledgement confirmation.

 

What happens if I don’t complete the training?

If you do not complete the training, you will get reminder emails from the sender AI Phishing Coach <@email>. You must correctly answer the quiz questions and click “Acknowledge Training” in the pop-up window to be marked complete (see below).

 

What happens if I report a simulated phishing email with the Report Phishing button?

When you report a simulated phishing email using the Report Phishing button in Outlook, you will receive a kudos email from the sender AI Phishing Coach <@email> acknowledging and thanking you for your report. Your interactions with phishing simulations are tracked automatically by the system for training purposes. For more information on the Report Phishing button, see KB0040754.

 

Who can I contact for more information?

For questions on the MGB phishing training program, contact your site’s Information Security Officer or @email.

 

Go to KB0040756 in the IS Service Desk