Phishing is a cybercrime in which a target or targets are contacted under false pretenses, usually by email, where the sender poses as a person or to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.  Alternatively, the email itself might need no additional action from the user, as there are some exploits that require nothing more than the user opening the email.  

After that, the goal is usually to gain more information, or gain elevated user privileges, or a combination of both.  This makes phishing an important first step for a would-be cybercriminal, as it opens the door to more nefarious activity.

Simulated Phishing is a discovery exercise that is executed with the involvement and knowledge of a few key people within an organization.

We approach it the same way that a cybercriminal would do, complete with bespoke addresses, email content and even full websites for added legitimacy.  The difference between us and a would-be cybercriminal is that the end goal of conducting such a discovery exercise is added security for the organization, and there are often actionable takeaways even if no data ends up being compromised.  Sometimes, just even being aware of email read patterns is enough to tell a phishing attacker who to target with a 2nd round of phishing emails.