FAQ regarding Phishing-Simulation, E-Learning & Co.

You can find the answers to the most common questions from users of our Awareness solution, e.g. regarding e-learning or phishing simulation, here.

SoSafe’s training measures are aimed at all employees in order to train them in IT security. As part of this awareness building (i.e. the creation of awareness for IT security), we offer a comprehensive learning environment on behalf of your employer: By means of interactive learning modules, short videos, examples from everyday work and short quiz questions, you will learn the most important rules and hints for the safe use of computers, smartphones and data. Topics such as password use, malware or data misuse are also dealt with. Additionally, we send simulated phishing emails to all employees at irregular intervals. The aim of this simulation is for you to learn how phishing mails work and how to recognize them. Your employer does not receive any individual data about the phishing simulation, only a completely anonymous evaluation. This IT security training is offered to you by your employer and provided by us – SoSafe GmbH from Cologne.

In consultation with your employer and the data protection officer of your company, we will receive a list with the email address data of all employees. This list contains the correct salutation, first name and surname, email address, language and an optional assignment to a group (e.g. department or location). We need this data to carry out the phishing simulation. Your employer receives an aggregated and anonymous evaluation of the handling of the emails. This evaluation does not allow any conclusions about the behaviour of individual persons. We process all data exclusively within the framework of the existing contractual agreements with your employer (data processing agreement). Over the course of this, we take extensive measures to protect all data.

No, the emails are not dangerous; it is only a simulation. At no time are your personal/business data or end devices in danger. If you click on a link in one of our phishing emails, you will be taken to a learning page on the Internet. There you will find detailed information about the simulation and, above all, concrete hints on how you could have identified this particular email as a phishing attempt.

Yes, these emails are accepted by our servers. However, they are completely anonymized in order not to be assignable to a specific person. It is only automatically evaluated whether an answer was sent and whether it was a technical answer (automatically generated by your mail server), an automatic absence note or an actual answer mail. Your employer is notified about how many of the phishing emails were answered in total. However, he or she does not get any insight into the content of the answers or which user replied to the emails.

Some of our phishing emails will take you to a specially prepared website where you will be asked for your Windows password, for example. No matter what you enter, this data will, of course, not be stored by us. So you have nothing to worry about. Our server only registers that data has been entered. As part of the evaluation of the phishing simulation, your employer receives information on how many of the input fields were filled during the simulation. However, it is not possible to trace which employee entered the data. Tracing individual behavior is technically excluded. However, it is generally recommended that you change your password immediately if you suspect that any input mask has been manipulated.

If your company has guidelines for handling spam and phishing emails, please follow them. Typically, you will contact your IT department, helpdesk, or service representative. They will inform you about the further procedure. If your company uses our SoSafe phishing report button (button in Microsoft Outlook), all you have to do is click on it in Outlook and the email will be automatically forwarded to the right person/unit, depending on your organization’s settings. You will then receive an immediate response in Outlook as to whether it was one of our phishing emails in the simulation or whether the email first needs to be analyzed by your company’s IT experts. Depending on your organization’s settings, the suspicious email will be deleted from your inbox or you can delete it manually. If you need the email again at a later time, you can contact your IT department, who can help you recover the email if necessary.

In Germany alone, industrial espionage and cyber crime cause annual losses of 5.6 billion euros. In the majority of cases, such attacks start with a phishing mail. In targeted attacks, sometimes half of the recipients of a phishing mail click on phishing links or open dangerous file attachments and thus allow attackers to access sensitive company data or private information. In order to prevent such attacks, it is therefore important to train all employees on the risks and correct handling of phishing emails.

The simulation not only helps you to detect harmful phishing emails in your business inbox and thus to protect yourself and your company from potentially great damage. You can also use the knowledge gained to reduce the risk of cyber attacks for yourself and your family. The tactics shown are often used for phishing attacks on private individuals as well.

Real phishing mail attacks occur at any time – even during working hours. Companies are targeted by cyber criminals and every year companies and private individuals suffer high financial losses due to phishing and fraud on the Internet. Our phishing simulation is designed in such a way that you will not experience any time-consuming disruptions during your daily work, but will nevertheless receive effective training on how to deal with phishing. In addition, our e-learning platform gives you the opportunity to deepen your knowledge of topics related to IT security in short learning modules. With this knowledge you protect yourself and your company against phishing attacks from the Internet.

If you have any questions regarding the use of IT in your company, please contact your company’s IT department first. If you have any questions about our phishing emails or our e-learning offerings, please feel free to contact our support team.

If you use the e-learning via our web platform, you complete a short quiz at the end of each learning module, which always comprises four questions. Your individual answers in this quiz will not be reported to your employer. Your employer will only receive information about when you registered on our e-learning web platform and how many modules you have already completed and passed. In some cases, the employer does not receive any information about this either, but only sees what the progress of all employees is overall. Please refer to the terms of use displayed when registering for the e-learning for the regulations applicable to your company. If the e-learning is played out via a learning management system (LMS) installed in your company, please ask the relevant department (usually IT or HR) for the data available to your employer.

The topics around IT security are dealt with in greater depth on our online e-learning platform. Access to it is provided by your employer.

Yes, as a registered user on our e-learning platform you can have your personal certificate issued. This allows you to record that you have completed the learning modules and passed the knowledge tests.
