Most successful cyberattacks don’t force a technical door. They go through someone who has clicked without checking.

An IT manager contacted us after discovering, during an audit, that several of his company’s employees had clicked on a suspicious link in an email whose subject line simply read: “Your March pay slip”.
No alarms were raised. No one had reported anything. The incident had gone unnoticed for weeks.

Why run phishing simulation campaigns?

This is not an exceptional case: it’s a regular occurrence at SMEs in French-speaking Switzerland, even though they have invested in the right security tools. So it’s not a question of whether your employees are negligent. It’s about knowing what they’re really doing when a dubious e-mail arrives on a Tuesday morning, between two meetings.

Let’s find out together.

Phishing targets your employees, not your servers

Attackers have known this for a long time: it’s hard to bypass a well-configured firewall. Convincing a busy employee to click on a link, much less so.

According to the Verizon DBIR 2024 report, over 68% of compromises involve human error or social engineering. Phishing is the most widespread form, the easiest to deploy and the most difficult to block by technical means alone.

A spam filter blocks generic attempts. It won’t block a personalized email that uses the recipient’s first name, the name of their manager and a reference to a real internal project. This is precisely what targeted attacks do, and precisely what phishing simulations teach employees to recognize.

What simulation reveals that training doesn’t

Traditional classroom or videoconference training has a structural limit: everyone knows it’s an exercise. Employees are attentive, cautious, a little too cautious. Then they return to their mailboxes with 70 unread messages.

The phishing simulation puts people in the real situation, without warning them. The email arrives in their inbox, when they’re busy, with a credible subject. Fake invoice, urgent request from the CEO, Microsoft security notification: the scenarios mimic real threats.

What we measure in concrete terms: the open rate, the click rate on the booby-trapped link, and the data entry rate on the fake landing page. These three rates correspond to three distinct levels of risk. An employee who opens the email without clicking is in an acceptable zone. An employee who goes so far as to enter his or her credentials on a fake login page represents an active vulnerability, one that can be exploited immediately.

At one of our customers, the deployment of Pistachio Practice, a simulation platform integrated with Microsoft 365, has raised the participation rate in awareness exercises from 60% to over 90%. The difference is not due to internal reminders or a communication campaign. It has to do with the format: a test email that arrives like a real email, can be processed in 30 seconds, and delivers an immediate explanation in the event of an error. No 5-minute video. No connection to an external platform.

The long-term effect: a reflex, not a score

The first test almost always produces disappointing results. That’s the point. It establishes an actual reference level, not a theoretical level measured under ideal conditions.

The value of a regular campaign lies elsewhere: it creates a permanent state of alert. When employees know that a test could happen at any moment, they look differently at emails asking them to “click here” or “validate their account”. This healthy doubt is exactly what simulation aims to produce. Not paralyzing distrust, but the verification reflex.

Departmental reports also enable us to identify profiles in need of specific attention, without manual reminders. At this customer, such individual visibility was absent from the old solution. Today, it is what the IT manager uses to prioritize his training actions.
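To make the three measurements and the departmental view concrete, here is an added example (not code from the article, nor from Pistachio or Riot) that aggregates a constructed event log from a simulation campaign into per-department open, click and data-entry rates and lists the employees to follow up first; the event names, departments and employees are assumptions.

```python
# Added example: turn raw simulation events into the three rates the text
# describes (open, click, data entry) per department, and list the employees
# who submitted credentials. SAMPLE_EVENTS is constructed data, not real results.
from collections import defaultdict

# Funnel stages in order; reaching a later stage implies the earlier ones.
STAGES = ["delivered", "opened", "clicked", "submitted"]
RISK = {"delivered": "none", "opened": "acceptable",
        "clicked": "at risk", "submitted": "active vulnerability"}

# Constructed event log: (employee, department, event). Events can repeat or
# be missing: frank has no "opened" event (tracking pixel blocked) but clicked.
SAMPLE_EVENTS = [
    ("alice", "finance", "delivered"), ("alice", "finance", "opened"),
    ("alice", "finance", "clicked"), ("alice", "finance", "submitted"),
    ("bob", "finance", "delivered"), ("bob", "finance", "opened"),
    ("carol", "finance", "delivered"), ("carol", "finance", "opened"),
    ("carol", "finance", "clicked"),
    ("dave", "sales", "delivered"),
    ("erin", "sales", "delivered"), ("erin", "sales", "opened"),
    ("frank", "sales", "delivered"), ("frank", "sales", "clicked"),
    ("frank", "sales", "submitted"),
    ("grace", "it", "delivered"),
    ("heidi", "it", "delivered"), ("heidi", "it", "opened"),
]

def furthest_stage(events):
    """Collapse the log to the furthest stage each employee reached."""
    best = {}
    for user, dept, stage in events:
        if user not in best or STAGES.index(stage) > STAGES.index(best[user][1]):
            best[user] = (dept, stage)
    return best

def department_rates(events):
    """Per department: opened/clicked/submitted as fractions of delivered mails."""
    counts = defaultdict(lambda: {s: 0 for s in STAGES})
    for dept, stage in furthest_stage(events).values():
        for s in STAGES[: STAGES.index(stage) + 1]:  # funnel: later implies earlier
            counts[dept][s] += 1
    return {dept: {s: round(c[s] / c["delivered"], 2) for s in STAGES[1:]}
            for dept, c in counts.items()}

def follow_up_list(events):
    """Employees at the 'active vulnerability' level, to prioritize for training."""
    return sorted(u for u, (_, st) in furthest_stage(events).items()
                  if RISK[st] == "active vulnerability")
```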

What we do at Infologo

We offer phishing simulations in two contexts.

In one-off campaigns, to establish an initial benchmark or meet an nLPD compliance requirement.

In continuous deployment, with Riot or Pistachio Practice for Microsoft 365 environments, with personalized scenarios per profile, an automated dashboard and management that doesn’t mobilize IT teams on a daily basis.

The scenarios cover classic phishing, executive spoofing, malicious QR codes and password management. They incorporate real colleagues’ names, which radically changes the perception of the exercise.

One point on which we are firm: simulation results are never used to sanction individuals. They are used to guide training, document the approach for audits, and measure progress over time.

If you don’t know what percentage of your employees would click on a phishing email today, that is precisely what the test is for.

Contact us to discuss your cybersecurity awareness project and organize an initial, no-obligation campaign.

CASE STUDY

Cybersecurity awareness for your employees with Pistachio
