Smart Phishing Simulation

Phishing and email attacks form the majority of attacks on small and medium businesses, and most businesses are exposed to these attacks. Because phishing is the dominant threat, it makes sense to strengthen our phishing defences as a priority. This is the definition of a risk-led response to threats.

Having a policy and using PowerPoint to train your users are good starting points, but hackers won’t read your documents. You need email security skills, and an active training system.

CyberSmart Technologies have partnered with SoSafe to offer industry-leading phishing simulation and training solutions. SoSafe phishing simulations are flexible, adaptive, and provide demonstrable improvements in your cyber security.

 In brief, ransomware groups don’t seem to care what size an organisation is; they are quite happy to breach smaller organisations and adjust their ransom demands accordingly. It is simply a bonus for the attacker that SMBs are less likely to have up-to-date and readily available backups than a large organisation.

Verizon DBIR 2025

Hackers Target Your Staff

Phishing remains the most effective initial attack method because attackers exploit human behaviour, not just technical vulnerabilities. Your staff are busy, and want to please. Hackers exploit these good intentions when they target your staff.

Verizon’s 2025 DBIR found that about 60% of confirmed data breaches involved a human element, such as phishing, credential compromise, or simple mistakes.

Our phishing simulation uses the same psychological tactics that the hackers use – but we run it in a safe environment. You’ll train your staff to identify tactics like authority, helpfulness, urgency, curiosity, financial pressure, trust and anxiety. 

Active Training Works

Positive behaviour is reinforced to drive continuous learning and growth through ‘Phishing Feedback’. When a user clicks on a test email, she receives immediate, positive feedback that explains the psychological trigger behind her decision. Armed with the ‘why’, your staff are better equipped and motivated to detect a wider range of attacks.

A global benchmark report analysing 67.7 million phishing simulations across 14.5 million users found:

✔ Baseline phishing click rate was ~33.1% before training

✔ After just 3 months of training, click rates dropped by ~40%

✔ After 12 months, click rates dropped by 86%

As phishing and email are the primary attack method, any reduction in click rates over time from phishing simulation will significantly boost your overall cyber defences.

The Foundation Of Your Security Culture

Traditional security awareness initiatives were built to satisfy auditors, not to understand how people think and act. They often treat security training like a vaccination, one annual dose and you are protected. But human behaviour doesn’t work that way!

Active phishing simulation is different – it is engaging, measurable and successful. It gets your staff thinking and talking about cybersecurity. Your staff learn the security challenges your business faces. Over time this engagement becomes part of your security DNA. Employees share these phishing-defence skills with family and friends, further cementing their knowledge as they teach others.

This engagement forms a foundation for your wider security training and awareness program. Reporting data can also help identify top-performers as internal security champions. 

Provable Risk Reduction

You need to reduce your business risk but you also need the data to prove it. Businesses tend to overestimate the vigilance and skills of their staff. Phishing simulation training gets you the data you need to prove you are training your staff, and the knowledge of exactly how strong your staff awareness is. This data can be fed back to staff to demonstrate how their efforts help to keep your business secure. Knowledge is power.

Lower phishing susceptibility also means fewer compromised credentials, fewer phishing-driven breaches, and much lower risk of financial and reputational loss.

Most compliance frameworks, such as ISO 27001, NIST CSF, CIS & SOC2, require evidence that you are training your staff. SoSafe reporting data makes it simple to produce the evidence the auditors need.


Your staff are your best defence


How Phishing Simulation Works

Build Your Campaign

SoSafe Smart Phishing Simulation provides over one hundred choices of phishing emails. Each template is automatically customised to your business brand, domain and location. Each template targets specific psychological tactics, and has an associated micro-learning page to explain the ‘why’ each time a user clicks.

We will help you build a campaign of emails which suits your business. Together, we’ll choose a set of simulation emails, known as a campaign, which carefully balances hyper-realistic attacks and business realities. We often work with HR and Internal Communications teams to achieve the right tone for your business.

Although there’s a huge variety of templates available, you can also create and craft your own phishing emails to match specific scenarios or the latest threats observed in your environment.

Set The Scene

Nobody likes surprises. Security awareness works best when your staff get advance notice of the phishing simulation campaign. CyberSmart Technologies will share templates for emails to your staff which set the scene and tell the story of ‘why’ you’ve taken this step.

Phishing simulations work on trust. Our goal is to recruit advocates who will embrace and engage fully in the simulation. We will create communications which show your staff how valuable their assistance is and how they can make a significant contribution to your cyber security. We’ll communicate that the goal is active training rather than testing, and that mistakes in simulation are expected as part of their learning journey.

We will let your staff know what’s in it for them too. They’ll acquire a set of cyber skills that they can share with friends and family to help keep their loved ones safe.

Tools Of The Trade

SoSafe provides a phishing reporting button which integrates into all email clients. We’ll deploy this button to your users so that they can report real and simulated phishing emails.

The Report Phish button is a tool you want your users to use at all times. If the reported email isn’t a simulation, your Security team will receive a heads up. When your staff regularly use the Report Phish button, you’ll know that phishing detection has been embedded in the culture of your business.

CyberSmart Technologies also help you import your users from Entra ID using SCIM, or via CSV import. We’ll also use allow-listing and DMI to ensure the test emails reach the intended mailboxes.

Launch & Learn

It’s launch time! You can immediately use the metrics and analytics to verify your simulation messages are being successfully delivered. You’ll see detailed metrics on overall stats, per-template, per-tactic and per-difficulty level. If your privacy agreement allows, you can even get a breakdown of each action on a per-user basis.

Refine

Once your campaign is live you’ll build an idea of how your users are responding and what motivates them. You can use this data to tune and refine your campaign, changing the tactics, or swapping under-performing or overly difficult templates.

Report

We’ll arrange a close-out call to walk through the campaign and ensure you understand the findings and recommended improvements. All of the data required to provide board-level or auditor-level reports is easily downloaded from the portal in PDF, CSV & XLSX formats.

CyberSmart Technologies provides a managed service where we provide continuous support via a dedicated account manager. We’ll meet your security team every quarter and share our analysis and recommendations, tune your campaign and advise on how to maximise the SoSafe platform to deliver the best security outcomes.

We can also prepare targeted in-person and remote training sessions with your staff. We’ll use the data your team has generated. The training will highlight where they’re doing well and give focussed training on the topics which they find most challenging.


How we deliver

SoSafe provides an interactive preflight and launch checklist – built right in to your SoSafe admin portal. CyberSmart Technologies follows this ‘path to launch’. If we hit any speed bumps, we can quickly adjust course and get your campaign launched on time.


Why choose CyberSmart Technologies?

Full Service Consultancy

We are certified cybersecurity experts with decades of industry experience who can deliver real and practicable guidance.
We’re also expert cyber-translators who know how to communicate in clear, business-friendly language. When you choose CyberSmart Phishing Simulation you’ll get a white-glove integration service from seasoned pros, rather than the license-alone approach of other vendors.

We get you up and running rapidly

We are a small business ourselves so we respect your time and don’t faff about. Larger providers often deploy a team of junior folks as a ‘show of strength’ – forgetting that more people just drains more of your precious time. With us, you’ll deal with a single seasoned professional from start to finish. Our ‘Path to Launch’ approach is field-tested and we have the experience to plan any long-lead items and will work with SoSafe to ensure a smooth launch.

We get the bigger picture

Phishing simulation is an important part of an overall email and general cybersecurity strategy. We can call out linkages to specific policy frameworks, and email security tools. We know the landscape and we can help you or your executive team put your phishing simulation investment into context and integrate it into your cyber security strategy.

Frequently Asked Questions

Is Phishing simulation the best start for Security Awareness Training?

Yes, we strongly recommend the strategy of “email first, then wider awareness”. Once your staff have cut their teeth on realistic phishing simulation challenges, they’ll be more receptive to follow on or general security training.

Can I see reports on phishing simulation results and prove risk reduction? 

Yes, SoSafe provides real-time analytics dashboards which track key metrics such as click rates, report rates, false positives, and user risk scores. You can segment the results by department, region, or custom groups, and identify top performers and areas needing extra support.

Isn’t this ‘blaming the user’?

No – this is ‘recruiting the user’ to be an active defender for your business. This is about teaching a really useful life-skill to your staff whilst fostering a culture of security awareness and healthy scepticism.

Security awareness will bolster your overall security but training cannot be your only line of defence. You must have a secure network, MFA, healthy security practices etc. We can do a health check for you through the EI Cyber Review or our Cyber Essentials Assured service.

Do you offer Security Awareness Training?

Yes, we also offer sophisticated online Security Awareness Training (SAT) through our partner SoSafe.

How do phishing simulations contribute to enterprise security? 

Phishing simulations contribute to enterprise security through the following metrics:

  • Reduced SOC workload as false-positive reports fall and true-positive alerts rise
  • Lower breach likelihood & cost through reduced click rates and faster reporting
  • Actionable risk visibility at the user and department level, guiding targeted interventions
  • Zero training fatigue with adaptive frequency and real-time learning pages
  • Compliance evidence via detailed, time-stamped reports.

Can simulations be customised to different departments? 

Yes, the Premium plan enables targeted campaigns that tailor realistic attack scenarios to a user’s role, location, and prior behaviour: finance teams receive invoice fraud, developers see code-repo lures, executives face CEO-emulation attempts. Targeted content boosts relevance, sharpens instincts, and surfaces genuine risk by department or region.

