Phishing Protection

Are you prepared for an attack?

Phishing protection is an essential part of keeping your business, your team and your customers safe. You wouldn’t give a staff member a company car if they hadn’t passed their driving test. And yet, too often, end users (your staff) are given a computer and expected to just know how to use it, including how to identify one of these highly dangerous attacks. The likelihood of being on the receiving end of a phishing attack is growing day by day.

Contact us to discuss how we can prepare you and your team for malicious attacks with our phishing protection services.

Vigilance is key

Phishing remains one of the most common and damaging cyber threats faced by organisations of all sizes. Attackers use emails that appear to be genuine in order to trick recipients into clicking malicious links, providing login credentials, or disclosing sensitive information. While most businesses have technical safeguards in place, such as spam filters and antivirus tools, the reality is that many successful phishing attempts bypass these defences because they exploit the human factor. Employees, however well-meaning and experienced, can sometimes be fooled into taking actions that compromise security. You can read more about the importance of phishing protection in this report from the National Cyber Security Centre.

To address this challenge, we provide controlled phishing protection tests. Our phishing protection tests are carefully designed simulations that allow you to assess how your users would respond to real-world phishing emails—but in a completely safe and secure way. We have developed a phishing protection tool that enables these assessments without any risk to user privacy or actual compromise of passwords. Instead of exposing your systems to danger, the tool mimics a phishing attempt and measures employee reactions. The data generated helps you identify individuals or groups who may need further awareness training in order to better recognise and resist phishing scams.

The first phishing simulation we created is built around a very common tactic: a Microsoft 365–themed email that appears to require the recipient to reset their password. This type of phish is frequently used by attackers because so many organisations rely on Microsoft 365 for email, collaboration and productivity tools. The email looks authentic enough that many employees may not question its legitimacy. However, in our controlled version, no actual passwords are changed.

The system does not store any real login details that users might type in. Instead, the tool analyses whether a user attempted to enter their current password, whether they created a “new” password, and whether they correctly retyped that new password in confirmation fields. This allows us to see who fell for the bait while ensuring that sensitive information remains fully protected.

The reason this matters is that many employees underestimate the danger of engaging with phishing messages. Even something as simple as opening a suspicious email can have consequences, as it confirms to attackers that the address is active and monitored. This confirmation often results in the user being targeted for more personalised and dangerous attacks, such as spear phishing. When employees go a step further and actually provide login credentials, the risks multiply significantly.

Consider the case where a user enters both their current password and a proposed new one into a phishing form. An attacker would then have access not only to a valid username and password combination for the company’s systems but also to a preferred alternative password. Since many people reuse similar passwords across different platforms, the attacker could potentially leverage this knowledge to gain access to other accounts and services. The scale of the risk is much greater than most employees appreciate, which is why practical training through simulation is so valuable.

Based on our experience, these controlled phishing simulations provide eye-opening results. On average, we see a capture rate of around 12%, meaning that approximately one in eight users engages with the phishing attempt in a way that could compromise security. In some organisations, the numbers have been significantly higher. In the worst case we have observed, fully 25% of staff members fell victim to the simulated phish. Such results often trigger the immediate rollout of internal cybersecurity awareness training, which is exactly the purpose of running these tests: to identify vulnerabilities and strengthen defences before real attackers can take advantage.

At the conclusion of each phishing protection test, we provide you with a detailed report. This includes a compiled spreadsheet listing all users who were targeted in the simulation. The report clearly shows the level of interaction each user had with the phishing email, ranging from opening the message to attempting to enter credentials. It also records the time taken for users to respond, giving you additional insight into behaviour patterns. This data allows you to make informed decisions about training, policy updates, and follow-up phishing protection simulations.
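The flag-only recording and the per-group reporting described above, sketched as an added example that is not the provider's own tool. The field names, level names, the definition of "captured" (any credential field filled in) and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Interaction levels, lowest to highest (names assumed for this example).
LEVELS = ["none", "opened", "entered_current", "entered_new", "confirmed_new"]

def reduce_submission(form):
    """Reduce a submitted reset form to booleans; typed values are not kept."""
    new = form.get("new_password", "")
    return {
        "entered_current": bool(form.get("current_password", "")),
        "entered_new": bool(new),
        "confirmed_new": bool(new) and new == form.get("confirm_password", ""),
    }

def interaction_level(opened, flags):
    """Highest level one user reached, given the open event and form flags."""
    level = "opened" if opened else "none"
    for name in LEVELS[2:]:
        if flags and flags[name]:
            level = name
    return level

def capture_rate_by_group(events):
    """events: (user, group, opened, form or None) -> {group: (captured, total, rate)}.
    'Captured' here means any credential field was filled in (an assumption)."""
    totals, captured = defaultdict(int), defaultdict(int)
    for _user, group, opened, form in events:
        flags = reduce_submission(form) if form else None
        totals[group] += 1
        if LEVELS.index(interaction_level(opened, flags)) >= 2:
            captured[group] += 1
    return {g: (captured[g], totals[g], captured[g] / totals[g]) for g in totals}

# Constructed sample events; the password strings are dummy values.
SAMPLE = [
    ("u1", "finance", True, {"current_password": "x", "new_password": "y", "confirm_password": "y"}),
    ("u2", "finance", True, None),
    ("u3", "sales", False, None),
    ("u4", "sales", True, {"current_password": "x", "new_password": "y", "confirm_password": "z"}),
    ("u5", "sales", True, None),
    ("u6", "sales", False, None),
]

if __name__ == "__main__":
    for group, (hit, total, rate) in sorted(capture_rate_by_group(SAMPLE).items()):
        print(f"{group}: {hit}/{total} captured ({rate:.0%})")
```

Only the boolean flags leave `reduce_submission`, so a report built from them cannot leak what a user typed.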

Ultimately, controlled phishing protection tests are not about catching employees out or punishing them. Instead, they are a proactive way to build a culture of cybersecurity awareness within your organisation. By safely replicating the kinds of attacks that are most likely to occur in the real world, you can ensure that your staff are better prepared to recognise and resist them. The result is a stronger, more resilient security posture that protects both your people and your business.
