An example process of simulating phishing messages and responding to suspicious messages, as described above, are illustrated in FIG. 18 and FIG. 19. Turning first to FIG. 18, an example flow 600 for sending a simulated message is illustrated. In stage 602 (step S0), a phishing simulation module generates a message for a simulation/scenario. The message may be generated from a template, as well as contain an identifying characteristic, such as in a header. For example, the identifying characteristic may be X-PhishMessageTracking: header. The header may also be encrypted and/or encoded and may contain a tracking URL linking the message and the user to whom the message was sent to for a scenario. The message is then sent to a user. In stage 604 (step S1), the recipient of the message (e.g., the user) clicks on a reporter button. In stage 606 (step S2), code executing at the client device parses the message for the X-PhishMessageTracking header. In stage 608, if the header is found, the system ingests the encoded string associated with the header (step S3) and the string is decoded (step S4). In stage 610 (step S5), the system then attempts to decrypt the decoded string from stage 608. The header can be encrypted and/or decrypted using symmetric or asymmetric cryptographic techniques. If the header is encrypted using asymmetric cryptographic techniques, such as but not limited to Public Key Infrastructure (PKI), the header may be encrypted at the network server device using a public key and then decrypted at the client device using the corresponding private key. The system can be configured to generate multiple headers for multiple messages using the same public/private key pair or generate a unique public/private key pair corresponding to each message generated. In some cases, a single phishing campaign may be configured to use a single public/private key pair. The private keys may be distributed to the client devices either directly from the network server device or through an intermediary to which multiple client devices are communicating. Finally, in stage 612 (step S6), a user reputation score is updated using the tracking URL extracted from the simulated phishing attack message. For exemplary purposes, if the user correctly identifies the message as an attack message, the user's reputation score may be increased.
