Cyber Trust

Phishing simulations · Employee awareness

Find out who would fall for a phishing attack — safely.

We run realistic phishing simulations against your staff, then show you exactly who opened, clicked or tried to submit details. You get a clear picture of human risk without any real-world damage.

  • Realistic but completely safe phishing campaigns.
  • Detailed metrics on opens, clicks and submissions by team or department.
  • Follow-up awareness training and Cyber Security Talks available.
  • Respectful, no-blame approach for staff and leaders.

Share your company size, locations and email platform. We'll come back with a proposed campaign design, schedule and quote.

  • Opened: 78% of staff
  • Clicked: 24% clicked link
  • Trend: 40% fewer clicks vs last run

What a phishing simulation actually does.

A phishing simulation is a safe test. We send fake phishing emails that look and feel like the real thing — delivery notices, password resets, urgent requests and more. Staff interact with them as they normally would.

Behind the scenes we track who opens the email, who clicks the link, and who goes as far as entering details or trying to comply with the request.

No real credentials or data are exposed. The pages are simulated, and results are stored securely so you can learn where people need more support — not catch them out.

What you learn
  • How likely staff are to fall for typical phishing attacks.
  • Which teams, roles or locations are most at risk.
  • A baseline you can measure against as awareness improves over time.

Why phishing simulations matter.

Most real breaches start the same way: a convincing email that lands in someone's inbox at the wrong moment. Technical controls help, but attackers only need one person to click “the wrong thing”.

Phishing simulations let you measure that human risk directly. Instead of hoping awareness training worked, you see how staff behave when a realistic email shows up among everything else they deal with.

Customers, insurers and auditors increasingly expect this kind of testing. Being able to show regular, structured simulations — and improvement over time — sends a strong signal that you take human risk seriously.

What this means for you.

  • Stronger defence against real-world phishing attacks.
  • Evidence for boards, customers and insurers that staff awareness is being measured and improved.
  • Input into risk registers, training plans and vCISO programmes.

How it works with us.

We coordinate with IT, HR and leadership so simulations feel fair, well-managed and focused on learning. A typical engagement looks like this:

  1. Scope: Agree who is in scope, which locations to include and what kinds of phishing emails to simulate.
  2. Design: Create realistic emails and landing pages based on current threats and your organisation’s context.
  3. Launch: Send test campaigns during agreed windows, avoiding key blackout periods and busy events.
  4. Measure: Track opens, clicks and submissions, with options to trigger just-in-time awareness pages.
  5. Debrief: Walk through results, agree key messages and plan follow-up training or process changes.

Throughout the process we keep the tone constructive and respectful. Results are there to support people, not embarrass them.

What you actually receive.

At the end of each campaign you get clear, board-ready outputs — not just a CSV file.

  • Overall summary of opens, clicks and submissions across the campaign.
  • Breakdown by department, location or role (where data is available and appropriate).
  • Example screenshots of the phishing emails and landing pages used.
  • Key findings, trends over time and recommended next steps.
  • Optional follow-up awareness plan and Cyber Security Talk sessions tailored to your results.

How phishing simulation fits into your wider security.

Phishing simulations are one part of a wider programme. They show how people respond in the moment, but they work best alongside good awareness, sensible governance and solid technical controls.

We can plug simulation results into Cyber Security Talks, Cyber Security Audits, vCISO programmes and technical testing like penetration tests and vulnerability scans. That way, your human risk picture sits alongside everything else in one joined-up plan.

Common questions.

Will staff be named and shamed?

No. The aim is learning, not punishment. We can report by team or department for most audiences, and only share named results with a small, agreed group (for example HR and a senior sponsor).

Do we need staff consent?

Most organisations cover security testing in their acceptable use or employment policies. We can work with HR and legal to check the position and help you communicate the programme clearly.

Is this compatible with our email system?

Yes. We commonly work with Microsoft 365 and Google Workspace. We’ll confirm the technical details up front and coordinate with IT so emails arrive as intended.

Can we exclude certain people or teams?

Absolutely. We can exclude specific addresses, departments or senior leaders where needed, and we can run different campaigns for different groups if that’s more appropriate.

How often should we run phishing simulations?

Most organisations benefit from 2–4 campaigns per year. That’s enough to see patterns and improvement without overwhelming staff.

Will this disrupt normal work?

Campaigns are designed to blend into normal email traffic. We avoid peak periods you flag in advance, and there’s no impact on systems or performance.

How do we communicate this to staff?

We can provide draft comms for HR and leadership, from ‘full transparency’ approaches through to softer messaging after the first run. The tone is always supportive and focused on improvement.

Ready to see how your people would handle a real attack?

Run a safe phishing simulation and find out where to focus your training and support.

Share a few details about your organisation and goals. We'll suggest a campaign design, confirm feasibility with IT and send a clear quote.