As part of a computer-based security awareness training system, it can be useful to perform simulated phishing attacks on a user or a set of users. A phishing attack involves an attempt to acquire sensitive information such as usernames, passwords, credit card details, etc., often for malicious reasons, possibly by masquerading as a trustworthy entity. For example, an email may be sent to a target, the email having an attachment that performs malicious actions when executed or containing a link to a webpage that either performs malicious actions when accessed or prompts the user to execute a malicious program. Malicious actions may be malicious data collection or actions harmful to the normal functioning of a device on which the email was activated, or any other malicious actions capable of being performed by a program or a set of programs. Using simulated phishing attacks as part of a computer-based security awareness training system allow an organization to determine the level of vulnerability to phishing attacks of a user or set of users. This knowledge can be used by organizations to reduce this level of vulnerability through tools or training.