The Confederation has just launched a new nationwide phishing awareness campaign, dubbed S.U.P.E.R.
The initiative is co-funded by a number of public and private players, and targets high-risk behavior in the face of phishing attempts: fake bank e-mails, false invoices, identity theft via message. That’s all well and good. But an awareness campaign, no matter how well done, won’t protect an SME if no one on the team knows how to recognize a fraudulent e-mail in the heat of the moment.
What S.U.P.E.R. offers and why it’s useful
The campaign is based on five reflexes summarized by the acronym: Stop , Usecommon sense, Protectaccess, Examinelinks, Reportattempts.
According to ICT Journal, which relayed the launch on April 13, 2026, the initiative involves partners such as FINMA and several major Swiss banks.
This is a solid framework for raising awareness among the general public. It provides a common vocabulary, simple gestures and a logical reflex. For an SME that has never tackled the subject internally, it’s a useful starting point.
But there’s an obvious limit: reading a campaign and changing your behavior in the face of a real phishing e-mail are two very different things.
The problem that awareness-raising doesn’t solve
We regularly receive calls from companies after an incident. Most of the time, the employee who clicked on the fraudulent link was not ignorant. They’d already heard of phishing. He knew it existed. But the email was well constructed, the context was stressful, and he clicked anyway.
This is exactly the problem that theoretical awareness doesn’t solve. Knowledge is not enough. What changes behavior is practice. Receive real fake e-mails, constructed to deceive, sent without warning, and observe your own reaction. Fail the exercise. Learn a concrete lesson.
In a phishing simulation test carried out for an 18-strong law firm in Vaud, 7 employees clicked on the link within the first 20 minutes. All had taken part in a theoretical training course six months earlier. The gap between declared knowledge and actual behavior is systematically greater than imagined.
Phishing simulation, not as a substitute but as a complement
The S.U.P.E.R. campaign has the merit of existing and giving public legitimacy to the subject. It can facilitate internal conversation: “Did you see the Federal Council’s campaign? Here’s what we’re going to do on our side.
At Infologo, we use Pistachio Practice, a phishing simulation platform integrated with Microsoft 365, to go beyond awareness-raising. Employees receive personalized phishing e-mails, at a pace defined by the company. Those who click are taken straight to a contextual micro-training session. Not a reprimand, an immediate explanation of what they should have noticed. The results are measurable: initial click rate, evolution over several waves, identification of at-risk profiles.
It’s not a miracle solution. Some people remain vulnerable even after several cycles. But the progression curve is real and documented.
What we recommend at Infologo
Take advantage of the S.U.P.E.R. campaign to put the subject back on the table with your management. Not to tick a compliance box, but to ask a real question: if one of your employees receives an email tomorrow that perfectly imitates a notification from your cantonal bank, what happens?
Depending on the size of your team and your IT environment, there are two possible approaches.
For SMEs that want to start with training, we offer Riota micro-learning platform for cybersecurity. Employees receive short, targeted content, accessible without any technical skills. It’s a practical, cost-effective way of getting started, suitable for organizations of 5 to 50 people who don’t yet have a formal security policy.
For Microsoft 365 companies who want to go one step further, Pistachio Practice adds an active simulation layer: real fake phishing emails sent to your team, without warning, with immediate micro-training for those who click.
The two tools are complementary. Riot builds reflexes, Pistachio tests them.
Contact us to arrange an initial test campaign or demonstration of Riot, without obligation.
