FAQ regarding Phishing-Simulation, E-Learning & Co.

You can find the answers to the most common questions from users of our Awareness solution, e.g. regarding e-learning or phishing simulation, here.

SoSafe’s training measures are aimed at all employees in order to train them in the area of IT security. As part of this so-called “awareness building” (i.e. the creation of awareness for IT security), we offer a comprehensive learning environment on behalf of your employer: By means of interactive learning modules, short videos, examples from everyday work and short quiz questions, you will learn the most important rules and hints for the safe use of computers, smartphones and data. Topics such as password use, malware or data misuse are also dealt with. Additionally, we send simulated phishing e-mails to all employees at irregular intervals. The aim of this simulation is for you to learn how phishing mails work and how to recognize them. Your employer does not receive any individual data about the phishing simulation, only a completely anonymous evaluation.

This IT security training is offered to you by your employer and provided by us – SoSafe GmbH from Cologne.

In consultation with your employer and the data protection officer of your company, we will receive a list with the e-mail address data of all employees. This list contains the correct salutation (Mr/Ms), first name and surname, e-mail address, language and an optional assignment to a group (e.g. department or location). This data is required by us in order to carry out the phishing simulation. Your employer receives an aggregated and anonymous evaluation of the handling of the e-mails. This evaluation does not allow any conclusions to be drawn about the behaviour of individual persons. All data is processed by us exclusively within the framework of the existing contractual agreements with your employer (data processing agreement). In the course of this, we take extensive measures to protect all data.

No, the mails are not dangerous; it is only a simulation. At no time are your personal/business data or end devices in danger. If you click on a link contained in one of our phishing emails, you will be taken to a learning page on the internet. There you will find more detailed information about the simulation and, above all, concrete hints on how you could have identified this particular e-mail as a phishing attempt.

Yes, these emails are accepted by our servers. However, they are immediately made completely anonymous so that they cannot be assigned to any person. The only thing evaluated, automatically, is whether a reply was sent and whether it was a technical reply (automatically generated by your mail server), an automatic out-of-office note or an actual reply e-mail. Your employer is notified how many of the phishing e-mails were answered in total. However, your employer does not get any insight into the content of the replies or which user replied to the e-mails.

Some of our phishing emails will take you to a specially prepared website where you will be asked for your Windows password, for example. No matter what you enter into the form fields, these data will not be stored by us. So you have nothing to worry about. Our server only registers that any kind of data has been entered. As part of the evaluation of the phishing simulation, your employer receives information as to how many of these input fields were filled during the simulation. However, it is not possible to trace which employee entered the data. A conclusion on the behaviour of individual persons is technically excluded. However, it is generally recommended that you change your password immediately if you suspect that any input mask has been manipulated.

If your company has guidelines for handling spam and phishing emails, please follow them. Typically, you will contact your IT department, helpdesk, or service representative. From there you will be informed about the further procedure. If your company uses our SoSafe Phishing notification button (button in Microsoft Outlook), all you have to do is click on it in Outlook and the email will be automatically forwarded to the right person/unit, depending on your organization’s settings. You will then also receive an immediate response in Outlook as to whether it was one of our phishing e-mails in the simulation or whether the e-mail first needs to be analysed by your company’s IT experts. Depending on your organization’s settings, the suspicious email will be deleted from your inbox or you can delete it manually. If you need the email again at a later time, you can contact your IT department, who can help you recover the email if necessary.

For example, in Germany alone, industrial espionage and cybercrime cause annual losses of 5.6 billion euros. In the majority of cases, such attacks start with a phishing mail. In targeted attacks, sometimes half of the recipients of a phishing mail click on phishing links or open dangerous file attachments and thus allow the attackers access to sensitive company data or private information, for example. In order to prevent such attacks, it is therefore important to train all employees in the risks and correct handling of phishing e-mails.

The simulation not only helps you to detect harmful phishing e-mails in your business inbox and thus to protect yourself and your company from potentially great damage. You can also use the knowledge gained to reduce the risk of cyber attacks for yourself and your family. The tactics shown are often used for phishing attacks on private individuals as well.

Real phishing mail attacks can be made at any time – even during working hours. Companies are targeted by cyber criminals and every year companies and private individuals suffer high financial losses due to phishing and fraud on the Internet. Our phishing simulation is designed in such a way that you will not experience any time-consuming disruptions during your daily work, but will nevertheless receive effective training on how to deal with phishing. In addition, with our e-learning platform, we offer you the opportunity to deepen your knowledge of topics related to IT security in short learning modules. With this knowledge you protect yourself and your company against phishing attacks from the Internet.

If you have any questions regarding the use of IT in your company, please contact your company’s IT department first. If you have any questions about our phishing emails or our e-learning offerings, please feel free to contact our support team.

If you use the e-learning via our web platform, you complete a short quiz at the end of each learning module, which always comprises four questions. Your individual answers in this quiz will not be reported back to the employer. As a rule, your employer only receives information about when you registered on our e-learning web platform and how many modules you have already completed and passed. In some cases, the employer does not receive any information about this either, but only sees what the progress of all employees is overall. Please refer to the terms of use displayed when registering for e-learning for the regulations applicable to your company. If the e-learning is delivered via a Learning Management System (LMS) installed in your company, please ask the relevant department (usually IT or HR) for the data available to your employer.

The topics around IT security are dealt with in greater depth on our online e-learning platform. Access to it is provided by your employer.

Yes, as a registered user on our e-learning platform you can have your personal certificate issued. This allows you to record that you have completed the learning modules and passed the knowledge tests.
