Why phishing simulations?

In their latest reports on the threat situation in cyberspace, the German Federal Criminal Police Office (BKA) and Germany's digital association Bitkom both report that cyberattacks, and successful phishing attacks in particular, have increased dramatically over the last few years. According to Avanan's Global Phish Report 2019, a quarter of all phishing mails got past Microsoft's advanced filters and reached the users' inboxes. Technical filters alone are no longer sufficient to reliably protect against cyber threats. Attackers work hard to evade such filter solutions, for example by changing the attack vectors they use. Many attacks deliberately target users and rely on psychological tricks to manipulate their victims through social engineering.

Spam filters are not enough to protect against phishing

Organizations are particularly at risk because criminals hope to get their hands on large amounts of money. Phishing attacks become more frequent especially in times of crisis, when employees feel insecure and organizations are already weakened. During the corona crisis, for example, new phishing tactics in which cyber criminals exploited this insecurity kept appearing. That is one of the reasons why you should act as early as possible and include the human factor in your IT security strategy, for example by improving your employees' cyber security awareness. Compliance frameworks such as ISO 27001 or the GDPR demand continuous training of employees in IT security; in the case of ISO 27001 this even extends to a form of simulated social engineering attack.

From mere phishing tests to awareness building: tips for sustainable phishing simulations

Phishing simulations are reliable tools for increasing employees' cyber security awareness in a modern way. When a simulation is approached correctly and systematically, click and interaction rates with phishing mails can be reduced sustainably, which in turn can protect your company from serious (financial) damage.

Phishing simulations train awareness

There are some steps you need to take for your simulation to have the desired effect. What is particularly important: do not design the simulation as a mere phishing test that checks employees' knowledge and denounces wrong behavior. Instead, plan and communicate the simulation as a learning tool and awareness measure from the very beginning. The following methods have been tried and tested:

1. Technical preparation

Before you start your phishing simulation, you should carefully prepare all technical aspects. You should add the simulation's sender to the whitelist of your spam and mail filters and adjust the corresponding settings; only then will the simulated phishing mails actually reach the participants' inboxes. It often makes sense to consult your mail provider to clarify the technical details.

2. Early announcement

Have you ever received a simulated phishing mail out of the blue and fallen for it? This can be frustrating and demotivating for participants. That is why you should announce the phishing simulation to all employees in advance, so that the measure does not take them by surprise.

3. Anonymity

In the past, phishing simulations were often used as testing tools to identify which employees were not aware of security risks in the first place. In some cases, employees were even dismissed. A phishing simulation should, however, not test knowledge but build awareness. Carry out the phishing simulation anonymously, so that participants do not feel monitored or have to fear personal consequences.

4. Individualization

In real-world attacks too, thoroughly personalized phishing mails (so-called spear phishing mails) that contain personal data of the victims are becoming increasingly frequent. That is why in your phishing simulation components such as the sender address, the design or even the content should be adjusted to your organization as well. This sensitizes participants to such attacks in a realistic way.

5. Providing educational content

Phishing simulations should primarily be a learning tool. Therefore, you should not send out isolated phishing mails but make sure that they are accompanied by explanatory content. Only then will participants who have clicked on a simulated phishing mail know what to look out for in the future.

6. Establishing a reporting chain

Who do I contact if I suspect a phishing attack? Every participant should be able to respond to this question at any time. Make sure that all participants know the relevant procedures before the simulation starts so they can react fast if necessary.

7. Continuity and randomization

Phishing mails should be sent regularly and in randomized order so that you are able to measure your simulation's success. This way, participants are continuously sensitized to IT security risks and the learning effect persists in the long term.

8. Feedback to the recipients

Give regular feedback to the participants and answer any questions that arise. This not only emphasizes the simulation's focus on learning but also gives employees the chance to share personal experiences, which additionally encourages and motivates them.
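Tips 3 and 7 above (anonymity, randomization and measurable success) can be illustrated with a small script. This is an added example and not SoSafe's or any platform's code; the event records, the department grouping and the `MIN_GROUP` suppression threshold are constructed assumptions.

```python
import random
from collections import defaultdict

# Constructed sample events (not real simulation data): wave, participant,
# department, action. Each participant gets a "sent" event per wave, plus
# "clicked" and/or "reported" depending on how they reacted.
EVENTS = [
    ("wave-1", "u01", "finance", "sent"), ("wave-1", "u01", "finance", "clicked"),
    ("wave-1", "u02", "finance", "sent"), ("wave-1", "u02", "finance", "reported"),
    ("wave-1", "u03", "hr", "sent"), ("wave-1", "u03", "hr", "clicked"),
    ("wave-1", "u04", "hr", "sent"),
    ("wave-2", "u01", "finance", "sent"), ("wave-2", "u01", "finance", "reported"),
    ("wave-2", "u02", "finance", "sent"), ("wave-2", "u02", "finance", "reported"),
    ("wave-2", "u03", "hr", "sent"), ("wave-2", "u03", "hr", "reported"),
    ("wave-2", "u04", "hr", "sent"), ("wave-2", "u04", "hr", "clicked"),
]

MIN_GROUP = 3  # hypothetical threshold: smaller groups are suppressed entirely


def wave_metrics(events, group_by=None, min_group=MIN_GROUP):
    """Click and report rates per wave (or per wave and department).

    Only counts for groups of at least `min_group` recipients are returned,
    so no single participant can be singled out from the report.
    """
    by_action = {"sent": defaultdict(set), "clicked": defaultdict(set),
                 "reported": defaultdict(set)}
    for wave, user, dept, action in events:
        key = (wave, dept) if group_by == "department" else (wave,)
        by_action[action][key].add(user)
    result = {}
    for key, users in by_action["sent"].items():
        if len(users) < min_group:
            continue  # too small to report without identifying individuals
        result[key] = {
            "recipients": len(users),
            "click_rate": round(len(by_action["clicked"][key]) / len(users), 2),
            "report_rate": round(len(by_action["reported"][key]) / len(users), 2),
        }
    return result


def randomized_schedule(participants, waves, seed):
    """Shuffle the send order independently for each wave, so participants
    cannot predict when they are next in line (the randomization in tip 7)."""
    rng = random.Random(seed)
    return {wave: rng.sample(list(participants), len(participants)) for wave in waves}
```

With the sample data, the per-wave report shows the click rate falling from 0.5 to 0.25 and the report rate rising from 0.25 to 0.75, while the per-department breakdown is suppressed completely because every department has fewer than three recipients.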

Build awareness with a learner-centered phishing simulation

In addition to information campaigns on cyber security and employee training in the form of digital and interactive learning platforms, phishing simulations are particularly suited to building awareness in organizations. Employees are sensitized to cyber risks by being directly confronted with them. You can find detailed information on the best practices mentioned here in our white paper "Best Practices Phishing Simulations", which deals with planning and implementing successful phishing simulations and employee training. In addition to current studies and statistics, it also includes SoSafe's experience with phishing simulations in various organizations and industries.

About SoSafe

SoSafe's awareness platform continuously sensitizes and trains employees in handling IT security and data protection. Phishing simulations and interactive e-learning modules teach employees in an effective and sustainable way what to pay particular attention to, for example when using e-mails, passwords or personal data. The company receives anonymous but differentiated reporting and can thus make awareness building measurable, in full compliance with the GDPR.