SEKurity GmbH

PHISHING CAMPAIGNS

Real pretexts. Real reactions. No templates.

Generic phishing templates train nobody. We research your company the way an attacker would – public information, ongoing projects, internal language patterns – and craft scenarios your employees recognize from their actual working day.

01 / WORKFLOW

From recon to debrief.

  1. PHASE · 01

    OSINT & Pretext Design

    Research on the company, its departments, active projects, suppliers, tools, and naming conventions. From that research we develop two to five scenarios per target group, tiered by difficulty and plausibility.

  2. PHASE · 02

    Infrastructure & Sign-off

    Registering matching domains, building hardened landing pages, mail routing with SPF/DKIM-compliant delivery. Alignment with IT, works council, and data protection – written sign-off before the first message goes out.

  3. PHASE · 03

    Delivery & Monitoring

    Staggered delivery across several days, live monitoring of opens, clicks, credential submits, and reports. A safe-harbor page after credential entry with an immediate learning message – no humiliation, no wall of shame.

  4. PHASE · 04

    Analysis & Debrief

    Executive summary for leadership, technical deep dive for security and IT, talking-points document for line managers. A wrap-up webinar for staff where we show the scenarios honestly and explain them.

02 / CHANNELS

Phishing is not just email.

Attackers pick the channel on which your people are least prepared. We test where it hurts – always in alignment with you.

01

Email

Classic spear phishing, BEC, supplier impersonation, fake contract documents. From a simple template all the way to a multi-stage conversation across several days.

02

SMS & Messenger

Smishing by SMS, WhatsApp-business pretexts, Teams messages from alleged colleagues. Particularly effective against a mobile workforce and field staff.

03

Vishing

Phone attacks by native German-speaking operators, often combined with prior email contact. On request with a controlled voice-cloning variant for executive targets.

03 / PRINCIPLES

No shaming. Clear rules.

Anyone who clicks a simulated link is not reported to their manager by name. The safe-harbor page explains calmly what just happened, why it matters, and how to react next time. Reporting happens at group and department level, never person by person. That isn't only the ethical choice – it is the only way to build a reporting culture where people actually report early, including when they feel uncertain themselves.

Every campaign is backed by a written framework with IT, security, HR, and the works council. GDPR-compliant data storage in Germany, deletion deadlines contractually fixed, no transfers to third countries. We deliver the analysis, you keep the raw data – or we delete it right after the debrief on request.

04 / KPIs

Four numbers that count.

KPI 01

Click Rate

Share of recipients who click the link. Baseline commonly 15–30%, down to a realistic 3–6% after twelve months of program work.

KPI 02

Submit Rate

Share of clickers who actually enter credentials. The truly dangerous number – this is where initial access is born.

KPI 03

Report Rate

Share of recipients who forward the mail via the official reporting path. Mid-term target: well above the click rate.

KPI 04

Time-to-First-Report

Minutes from first delivery to first report. Shows whether your early warning system actually works.

NEXT STEP

A campaign in four weeks.

Scoping call, OSINT round, agreed scenario, controlled delivery, honest debrief. Including executive report and material for your next all-hands.