This post explains the **risks and theory** behind **SPF**, **DKIM**, and **DMARC**, and why **domain permutations (look-alike domains)** are the silent amplifier that turns “one spoofed email” into a brand, finance, and credential-theft disaster.

## The core problem: email was built for delivery, not identity

SMTP (the protocol that moves email around) was designed in an era where *trust* was implicit. By default:

- The **“From:”** header is just text.
- Anyone can attempt to send mail claiming to be `ceo@yourcompany.com`.
- Many mail systems historically accepted messages as long as they could be delivered.

Modern defenses add **domain-level authentication** on top of SMTP. That’s what SPF, DKIM, and DMARC do.

---

## SPF: “Which servers are allowed to send mail for my domain?”

**SPF (Sender Policy Framework)** is a DNS record that lists the mail servers (or sending services) allowed to send email *using your domain in the envelope-from / return-path*.

### How SPF works (theory)
When a receiving mail server gets a message, it checks:

1. What domain is used in the **envelope sender** (Return-Path).
2. Does that domain publish an SPF record in DNS?
3. Is the **connecting IP** allowed by that SPF record?

If yes → SPF passes. If not → SPF fails (or softfails/neutral depending on policy).

### Example SPF record
```txt
example.com. TXT "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all"
```

### Common SPF failure modes (where attackers win)
- **Too permissive**: `v=spf1 +all` (basically “anyone can send”).
- **Softfail forever**: `~all` without DMARC enforcement, leading to “shrug” handling.
- **Missing includes**: your CRM, ticketing system, newsletter tool not listed → legitimate mail fails.
- **DNS lookup limit**: SPF has a **10 DNS-lookup limit**; complex `include:` chains can break delivery.
- **SPF only protects the envelope domain**: attackers can still make the *visible* From look like you unless DMARC is enforcing alignment.

**Bottom line:** SPF is necessary, but **not sufficient** for stopping spoofing.

---

## DKIM: “Was this email really sent by someone with the domain’s private key?”

**DKIM (DomainKeys Identified Mail)** adds a cryptographic signature to outgoing messages. The sender signs selected headers (and sometimes body) with a **private key**. The receiver fetches the **public key** from DNS and verifies the signature.

### How DKIM works (theory)
- Outbound mail server adds a header like:
  - `DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; ...`
- Receiver queries DNS:
  - `selector1._domainkey.example.com` → public key
- If signature matches → DKIM passes.

### Example DKIM DNS record
```txt
selector1._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A..."
```

### DKIM failure modes (where attackers win)
- **No DKIM at all**: lots of domains still don’t sign mail consistently.
- **Selective signing**: only some systems sign (e.g., Microsoft 365 does, your marketing tool doesn’t).
- **Broken signatures**: forwarders/mailing lists can modify content/headers and break DKIM.
- **Weak/old keys**: short keys or long-lived keys increase risk (if compromised, impersonation becomes trivial).
- **Misaligned domain**: DKIM passes for a different domain than what users see in “From”.

**Bottom line:** DKIM is powerful because it’s cryptographic, but it needs **alignment and policy**—that’s DMARC’s job.

---

## DMARC: “What should receivers do if SPF/DKIM fails—and does it match my visible From?”

**DMARC (Domain-based Message Authentication, Reporting & Conformance)** ties everything together:

1. It requires that **SPF and/or DKIM pass**, and
2. They must be **aligned** with the **From:** domain users actually see.

Then it tells receivers what to do if authentication fails:  
- `p=none` (monitor only)  
- `p=quarantine` (send suspicious mail to spam/junk)  
- `p=reject` (block outright)

### DMARC alignment (the key concept)
Attackers love this gap:

- SPF passes for `random-sender.com`
- “From:” shows `ceo@yourcompany.com`

Without DMARC alignment, a message can look like it’s from you even if the authenticated domain is unrelated.

DMARC says: **the authenticated identity must match the visible From**, not just “something passed somewhere”.

### Example DMARC record (monitoring)
```txt
_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
```

### Example DMARC record (enforced)
```txt
_dmarc.example.com. TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-fail@example.com; fo=1; adkim=s; aspf=s"
```

### DMARC failure modes (where attackers win)
- **Stuck at `p=none` forever**: you get reports, but spoofing still lands.
- **No reporting address / ignored reports**: you’re blind to who’s abusing your domain.
- **Misconfigured alignment**: legitimate services fail and you roll back enforcement.
- **Subdomain gaps**: without a subdomain policy, attackers spoof `anything.yourcompany.com`.
- **No external monitoring**: DMARC is not “set and forget” when tooling changes.

**Bottom line:** DMARC is the enforcement layer that turns SPF/DKIM from “signals” into “protection.”

---

## What attackers actually do with weak email authentication

Here are the high-impact abuse paths SPF/DKIM/DMARC help prevent:

### 1) CEO fraud / invoice redirection (BEC)
Attackers send emails that appear to be from leadership or finance to change IBANs, approve payments, or request gift cards. Even one successful spoof can cost more than a year of security tooling.

### 2) Credential harvesting
A perfect-looking email “from IT” pushes a fake Microsoft 365 login page. The moment credentials are captured, the attacker can pivot to real internal mailboxes and send *legitimate* phishing from inside your tenant.

### 3) Brand impersonation against customers/partners
Even if your internal team is trained, your customers aren’t. Spoofed messages can damage your reputation, trigger fraud, and create support nightmares.

---

## Domain permutations: the “look-alike domain” multiplier

Even with perfect DMARC enforcement, attackers can simply register **a different domain that looks like yours** and send from that.

Examples:
- `examp1e.com` (1 instead of l)
- `exarnple.com` (rn instead of m)
- `example-support.com`
- `example.com-security.net`
- `exämple.com` (IDN / homograph tricks)
- Different TLD: `example.co`, `example.net`, `example.io`

This is called **domain permutation / typosquatting** (and includes homograph attacks, combo-squatting, bitsquatting, and more).

### Why permutations are dangerous
- **Users read “shapes,” not strings**: a quick glance at a sender address is unreliable.
- **Mobile clients hide details**: many interfaces collapse or truncate sender info.
- **SPF/DKIM/DMARC won’t help**: those protect *your domain*, not look-alikes.
- **Attackers can build “legit-looking” infrastructure**: TLS certs, branded landing pages, realistic reply flows.

### Typical attack flow with a look-alike domain
1. Register a domain close to yours.
2. Set up SPF/DKIM/DMARC correctly (yes, attackers do this).
3. Send “urgent” messages to finance, HR, customers, or vendors.
4. Harvest credentials or redirect payments.
5. If a reply happens, keep the conversation going (thread hijacking style).

**Takeaway:** you need **both** authentication monitoring **and** look-alike detection.

---

## What “good” looks like: a practical baseline

If you want a clean, modern posture:

### SPF
- Exactly **one** SPF TXT record per domain.
- Only include the senders you actually use.
- End with `-all` once you’ve validated all sources.

### DKIM
- Ensure **every** sending platform signs mail.
- Rotate keys periodically.
- Use sufficiently strong keys (and don’t reuse keys forever).

### DMARC
- Start with `p=none` briefly to observe legitimate senders.
- Move to `p=quarantine`, then `p=reject`.
- Use strict alignment where possible (`aspf=s; adkim=s`).
- Consider subdomain policy (`sp=`) so subdomains aren’t a loophole.

### Domain permutations
- Monitor for look-alikes across common TLDs and obvious typo patterns.
- Prioritize ones that:
  - have MX records (can send/receive email),
  - host phishing pages,
  - are newly registered,
  - resemble brand + “billing / login / support”.

---

## Why continuous monitoring matters (even if you “set it up once”)

DNS changes for boring reasons—migrations, vendor switches, “quick fixes,” expired domains—and those boring changes can quietly break authentication.

Continuous monitoring catches:
- SPF lookup blowups after someone adds a new tool
- DKIM selectors removed or rotated incorrectly
- DMARC downgraded to `p=none`
- A suddenly-appearing look-alike domain that starts emailing your staff

That’s why AutoPhish now includes an **Email Security / DNS Scanner** for quick checks, and **continuous monitoring with alerts** for logged-in orgs.

---

## Quick checklist you can copy into your internal runbook

- [ ] SPF exists, is unique, and ends in `-all` (after validation)
- [ ] All mail sources are accounted for (M365/Google + marketing + support + transactional)
- [ ] DKIM enabled across all sources, keys not stale
- [ ] DMARC exists with reporting enabled
- [ ] DMARC enforced (`quarantine` or `reject`) with alignment configured
- [ ] Subdomains covered (`sp=` or explicit DMARC on subdomains)
- [ ] Look-alike domain monitoring enabled (typos + TLD swaps + combos)
- [ ] Alerting hooked to a real channel (email/Slack/Teams/ticketing)

---

## Check your domain in seconds (free)

Want a quick sanity check right now? Use the **AutoPhish DNS Checker** to instantly analyze your **SPF, DKIM, and DMARC** records:

- AutoPhish DNS Checker: https://autophish.io/dns-check

If you want ongoing protection, you can also set up **continuous monitoring** with an AutoPhish subscription—so you’ll get alerts when DNS records change or when look-alike domains are detected.


## Final thoughts

Email authentication (SPF/DKIM/DMARC) is one of the rare security moves that improves **both** protection **and** deliverability. Add look-alike monitoring, and you cover the two biggest impersonation vectors: **spoofing your domain** and **spoofing your brand**.


**Why mobile phishing matters in 2025**

*   **Smishing (SMS phishing) surged** and is a top vector for fraud in Europe; QR-based “quishing” is **rising fast**. [ENISA](https://www.enisa.europa.eu/sites/default/files/2025-02/Finance%20TL%202024_Final.pdf)
*   **WhatsApp/linked-device abuse:** state-aligned actors have shifted from email to messenger takeovers, often by tricking targets into scanning **WhatsApp Web QR codes**. Treat scans like passwords. [Microsoft+1](https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/)
*   **MFA fatigue** forced a rethink of push approvals; Microsoft moved tenants to **number-matching** to blunt push-spam approvals. [Microsoft Learn+1](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-default-enablement)
*   **FBI/IC3** warn of QR-based fraud—including scams where unsolicited packages contain a QR that leads to credential theft or malware. [Internet Crime Complaint Center+1](https://www.ic3.gov/PSA/2025/PSA250731)

For incident color and “what went wrong”, skim our **[10 Wild Phishing Stories (2024–2025)](https://autophish.io/blog/10-wild-phishing-and-phish-adjacent-stories-from-2024-2025-including-important-lessons-learned)**—we highlight QR-assisted account takeovers and messaging-app pivots with concrete guardrails.

* * *

**The mobile-first phishing playbook (how attacks work)**

1.  **Smishing & messaging lures**  
    Short messages spoof delivery firms, toll fees, or IT resets. Links open credential pages, payment forms, or drive users to install rogue apps.
2.  **QR codes as login tokens**  
    WhatsApp/other apps use **QR to link devices**. A coerced scan = session takeover—even without a password. Policy should treat **“Scan to link” = sensitive auth step**.
3.  **MFA push abuse**  
    Attackers spam prompts until a tired user taps “Approve”. **Number-matching** (enter the on-screen code) and **geolocation/tenant context** reduce these approvals.
4.  **Malware on mobile**  
    Links typically **steal credentials**, but can also push malicious installs—more feasible on Android via sideloaded APKs; iOS is harder (App Store gate) but **risky profiles/0-click vulns** exist. Mobile protections like **Play Protect** reduce but don’t erase risk.

* * *

**What policies SMEs actually need (ready to adapt)**

Below are concise clauses you can drop into your **Acceptable Use**, **BYOD**, and **Messaging** policies. Each includes a control and a short “why”.

**1) BYOD: minimum security baseline**

*   **OS & patch level:** Personal devices used for work must run a **vendor-supported OS** and auto-update enabled. (Android, iOS, iPadOS).
*   **Device security controls:** Screen lock, encrypted storage, and the ability to **remote wipe work data** via MDM/Work Profile (COPE/COSU or Android Work Profile/iOS User Enrollment).
*   **App sources:** **No sideloaded apps** for work use; business apps must come from managed stores. (Android unknown-sources increase risk; Play Protect mitigates but isn’t a policy substitute.) [NCSC+2NCSC+2](https://www.ncsc.gov.uk/collection/device-security-guidance)

**Why:** NCSC’s device guidance stresses balancing usability with controls in BYOD; you want managed data separation and revocation. [NCSC+1](https://www.ncsc.gov.uk/collection/device-security-guidance/bring-your-own-device)

**2) Messaging & social apps (WhatsApp, Signal, iMessage, etc.)**

*   **Business use boundaries:** If messaging apps are used for business, restrict to **managed devices**; **no linking via QR** on unmanaged desktops.
*   **Linked devices monitoring:** Alert on **new linked devices**; require re-verification every 30 days.
*   **No sensitive approvals over chat:** Payments, bank detail changes, or SSO resets **must use ticket + callback** to a number from the directory.

**Why:** Threat actors are actively abusing messenger **linking** and QR. Treat a QR scan like an SSO login. [Microsoft](https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/)

**3) QR code handling**

*   **Treat QR as credentials:** Scanning QR for login or device-linking equals entering a password; only scan **from trusted sources** on **managed devices**.
*   **Preview before open:** Staff must **preview the URL** (mobile browser/app supports this) and verify domain before opening.
*   **Block risky shorteners:** Filter common shorteners (except allowlisted business uses).

**Why:** FBI/IC3 documented QR fraud; attackers hide destinations and piggyback trust. [Internet Crime Complaint Center](https://www.ic3.gov/PSA/2025/PSA250731)

**4) MFA hardening (stop push fatigue)**

*   **Enforce number-matching** for push approvals across the tenant.
*   **Prefer phishing-resistant methods** (FIDO2/passkeys) and **disable SMS fallback** after enrollment. [Microsoft Learn+1](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-default-enablement)

**Why:** Push spam works; number-matching and passkeys meaningfully reduce abuse.

**5) Mobile browser & app controls**

*   **Safe browsing & app vetting:** Keep **Play Protect** on; block app installs from unknown sources; require managed app stores. [Google Help](https://support.google.com/android/answer/2812853?hl=en&utm_source=chatgpt.com)
*   **Profiles/configs:** Ban installation of **unapproved configuration profiles** on iOS; profiles can alter trust roots, VPN/DNS, or MDM—serious risk. [TechTarget](https://www.techtarget.com/searchmobilecomputing/tip/How-to-ensure-iPhone-configuration-profiles-are-safe)

**6) Payments & approvals over mobile**

*   **Dual-control + callback:** Any payment, supplier bank change, or gift card purchase requires **two approvers + callback** using a **known** number (not from the message).
*   **No “approve via link in SMS”** for finance/HR workflows.

**Why:** Classic BEC remains costly; process guardrails beat human judgment under time pressure.

**7) Reporting & response (fast lane)**

*   **Single tap to report:** Add a **Report SMS/Message** action in MDM help app; route to SecOps + vendor for takedown.
*   **Preserve evidence:** Staff should keep the message, screenshot the **full URL**, and note the time before deleting.
*   **Automated blocks:** Add sender and destination domains/hosts to mobile and email gateways; watch for newly linked devices.

* * *

**Rollout checklist**

1.  **Turn on number-matching** (Microsoft Entra ID) and review MFA methods; **prefer passkeys/FIDO2**.
2.  **Update BYOD policy** with the clauses above; require **managed app stores** & **no QR-linking on unmanaged desktops**.
3.  **Set MDM rules**: block unknown sources on Android, block unapproved **iOS profiles**, alert on new WhatsApp/Signal **linked devices**.
4.  **Run a bite-size training** using AutoPhish. For a Works-Council-friendly approach, use anonymized metrics—our [guide](https://autophish.io/blog/privacy-friendly-phishing-training-works-councils-consent-and-gdpr-essentials) explains how.

* * *

**FAQ**

**Q1) Can phishing be done by phone?**

Yes. **Smishing** (SMS) and **messenger DMs** are common phishing channels. Messages link to fake login pages, payment sites, or app installs; they may also attempt **voice phishing (vishing)** callbacks. CISA defines smishing as SMS-based social engineering and details how links can trigger actions on mobile. [CISA](https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks)

**Q2) Can phishing be used for identity theft?**

Absolutely. The goal is often **credential theft** (email, bank, cloud apps) or collection of personal data that enables account takeover and financial fraud. FBI/IC3 PSAs have repeatedly warned that QR/smishing campaigns harvest personal and financial data for fraud. [Internet Crime Complaint Center](https://www.ic3.gov/PSA/2025/PSA250731)

**Q3) Can a phishing link install malware on my phone?**  


Sometimes—**but** it usually needs extra steps.

*   On **Android**, a site might try to get you to **sideload an APK**; Play Protect reduces risk but allowlisting sources in policy is key. [Google Help](https://support.google.com/android/answer/2812853?hl=en&utm_source=chatgpt.com)
*   On **iOS**, direct installs are restricted; attackers may push **malicious configuration profiles** or exploit rare **zero-click** vulnerabilities. (Recent WhatsApp advisories highlight targeted zero-click issues that were patched; keep apps updated.) [TechTarget+1](https://www.techtarget.com/searchmobilecomputing/tip/How-to-ensure-iPhone-configuration-profiles-are-safe)Most of the time, the **bigger risk is credential harvesting and session theft**—which leads to identity fraud even without malware. [CISA](https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks)

**Q4) Are QR codes safe to scan?**

Treat QR codes like a **link**: only scan from trusted sources, prefer managed devices, and **preview the URL** before opening. FBI/IC3 specifically warned about QR-based schemes (including unsolicited items with embedded QR). [Internet Crime Complaint Center](https://www.ic3.gov/PSA/2025/PSA250731)

**Q5) Is WhatsApp phishing real if I have 2FA?**


Yes. Attackers can trick users into **linking a new device via QR**, bypassing passwords by stealing **session access**. Enable WhatsApp’s **two-step verification PIN**, monitor **linked devices**, and never link from an untrusted desktop. [Microsoft](https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/)

**Q6) What should finance/HR do differently on mobile?**  


No approvals or bank changes via links or chat. Use **ticket + dual-control + callback** to a known number, every time. Our [incident recap](https://autophish.io/blog/10-wild-phishing-and-phish-adjacent-stories-from-2024-2025-including-important-lessons-learned) explains why this stops even slick deepfake/DM stunts.

* * *

**Further reading & resources**

*   **CISA mobile best practices** and why **FIDO/phishing-resistant MFA** beats SMS/app codes. [CISA](https://www.cisa.gov/sites/default/files/2024-12/joint-guidance-mobile-communications-best-practices_v2.pdf)
*   **NCSC BYOD guidance** to structure a sane, workable personal-device policy. [NCSC+1](https://www.ncsc.gov.uk/collection/device-security-guidance/bring-your-own-device)
*   **Microsoft on evolving identity attacks** (push fatigue → number-matching → passkeys). [Microsoft Learn+1](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-default-enablement)
*   **IC3 PSA on QR fraud** (current scams, reporting). [Internet Crime Complaint Center](https://www.ic3.gov/PSA)

* * *

**How AutoPhish can help**

*   **Mobile-aware simulations:** Safe **smishing**, **QR**, and **messenger-style** scenarios with instant coaching (coming soon)
*   **Policy-driven training:** Our [privacy-friendly training approach](https://autophish.io/blog/privacy-friendly-phishing-training-works-councils-consent-and-gdpr-essentials) keeps Works Councils onside while changing behavior.

## Why Role-Based Training Matters

Phishing is still the number one entry point for cyberattacks. According to [Verizon’s 2024 Data Breach Investigations Report](https://www.verizon.com/business/resources/reports/dbir/), over 68% of breaches involve the human element, with phishing and stolen credentials leading the charge.  

The problem? Not all employees face the same risks. A finance controller has very different exposure compared to an HR manager or an IT helpdesk agent. This is why **role-based phishing simulations** are now considered best practice for any serious security awareness program.  

Instead of sending the same generic “password reset” email to everyone, role-based simulations:  

- Target specific job functions with realistic but safe scenarios.  
- Train employees on the threats they’re most likely to face.  
- Provide actionable metrics to improve defenses where they matter most.  

This blog post will walk you through **scenarios, guardrails, and KPIs** for the four most at-risk groups: Finance, HR, IT, and Executives. 

---

## Finance: Wire Transfers and Invoice Fraud

If you’re in finance, you’re on the front line of **Business Email Compromise (BEC)** attacks. Criminals impersonate suppliers, executives, or even regulators to trick employees into approving fraudulent payments. Losses from BEC scams exceeded [55 billion over the last 10 years](https://www.tripwire.com/state-of-security/bec-cost-citizens-worldwide-over-55bn-last-10-years).  

### Example Scenarios
- **Invoice Fraud:** Fake invoice request from a “supplier.”  
- **CEO Wire Request:** Spoofed executive email asking for urgent payment.  
- **Bank Verification:** Request to “confirm account details” via a link.  

### Guardrails for Simulations
- Don’t use personal/emotional triggers (“bonus payment” or “layoff list”).  
- Keep simulations clearly professional and finance-related.  

### Metrics to Track
- % of users who click the link.  
- % who attempt to initiate payment.  
- % who report the email via the phishing button.  

---

## HR: Payroll & Sensitive Data

HR departments are gold mines for attackers: payroll data, PII, and access to employee portals. Attackers often pose as staff requesting urgent changes.  

### Example Scenarios
- **Payroll Diversion:** Request to change direct deposit details.  
- **Resume Malware:** “Candidate” attaches a poisoned CV.  
- **Policy Update:** Fake HR portal login for compliance documents.  

### Guardrails for Simulations
- Never simulate life events like pregnancies, medical issues, or layoffs.  
- Avoid emotional manipulation — focus on administrative risks.  

### Metrics to Track
- % who download attachments.  
- % who enter credentials.  
- % who report the email via the phishing button.  

---

## IT: MFA Fatigue & Account Resets

IT staff are bombarded with requests — a perfect target for attackers abusing MFA fatigue or password reset flows.  

### Example Scenarios
- **MFA Push Flood:** Repeated login requests from “new device.”  
- **System Update:** Spoofed IT alert with a login link.  
- **Ticket Escalation:** Fake service desk message with embedded URL.  

### Guardrails for Simulations
- Make it clear this is *not* a test of job performance.  
- Avoid highly technical jargon that could confuse non-IT staff if simulations spill over.  

### Metrics to Track
- % of MFA prompts accepted without verification.  
- % who click malicious IT links.  

---

## Executives: High-Value Targets

Executives are prime targets for **whaling** (CEO fraud) and **contract scams**. Attackers know they’re busy, trust assistants, and often bypass standard processes.  

### Example Scenarios
- **Contract Signature:** Urgent DocuSign link for a new deal.  
- **M&A Leak:** Confidential acquisition “details” requiring login.  
- **Board Communication:** Fake message from a board member.  

### Guardrails for Simulations
- Don’t embarrass executives with trivial lures.  
- Keep tone professional; focus on decision-making risks.  

### Metrics to Track
- % of executives who click without verification.  
- Response time to report suspicious emails.  
- Cross-check with assistants/EA reporting behavior.  

---

## Cross-Department Simulation Guardrails

While each department has its nuances, there are common rules that keep simulations safe and constructive:  

1. **No “gotcha” emails.** Training should build trust, not resentment.  
2. **Stay professional.** Avoid personal or sensitive themes.  
3. **Be transparent.** Communicate to staff that simulations are ongoing and for their protection.  
4. **Respect works councils and privacy.** Tools like [AutoPhish](https://autophish.io/anonymization) anonymize results and support GDPR compliance.  

---

## Building a Simulation Roadmap

Here’s how to scale role-based training:  

1. **Phase 1:** Start broad — generic phishing for all staff.  
2. **Phase 2:** Introduce role-based simulations by department. This can easily be done by using AutoPhish's campaign feature, setting up role-based campaigns.
3. **Phase 3:** Cross-department scenarios (e.g., fake invoice sent to both Finance and Execs).  
4. **Phase 4:** Adaptive campaigns.  

This phased approach avoids overwhelming staff and shows measurable improvement.  

---

## Final Thoughts

Role-based phishing simulations are no longer a “nice to have.” They’re the difference between a generic awareness program and one that actually reduces risk where it matters most.  

By focusing on **scenarios, guardrails, and metrics**, you can train Finance, HR, IT, and Executives in the threats that target them directly — and build a culture of resilience.  

Ready to see it in action? Try [AutoPhish](https://autophish.io/) today and make your next simulation smarter, safer, and role-aware.  



## TL;DR

- **Lure** → **Capture** → **Session/Token theft** → **Lateral movement** → **Impact**  
- Identity + **session** protection is everything—and the fastest path to durable resilience is frequent, realistic practice that builds instinct.

## Intro

If you’re wondering **how phishing works** in 2025, here’s the honest answer: attackers rarely stop at passwords — they want your **session**. And if they can’t get you by email, they’ll try a QR code on your phone, a slick SaaS consent screen, or even a deepfaked video call with your “CFO.” Fun (for them).

Below is the modern kill chain most incidents follow—plus where **AutoPhish** makes you much harder to fool.

## 1) The Lure: email, QR, and scarily convincing “humans”

Phishing still arrives by **email**, but URLs are the star. Proofpoint’s latest **Human Factor 2025** research shows URLs are used _around four times_ more than attachments in malicious emails—and **4.2 million QR-code (quishing) threats** were flagged in just the first half of 2025 ([blog overview](https://www.proofpoint.com/us/blog/email-and-cloud-threats/human-factor-vol-2-offers-new-insights-phishing), [Vol. 2 report page](https://www.proofpoint.com/us/resources/threat-reports/human-factor-url-phishing)).

Then there’s the human layer: **deepfake video/voice**. The Arup case—~$25M lost after a deepfaked group call—shows how social engineering now looks like a perfectly normal meeting invite ([Guardian](https://www.theguardian.com/technology/article/2024/may/17/uk-engineering-arup-deepfake-scam-hong-kong-ai-video), [World Economic Forum](https://www.weforum.org/stories/2025/02/deepfake-ai-cybercrime-arup/)). Policies that require secondary verification beat “vibes” every time.

Want a field guide to spot the tricks inside a single message? Start with **[The Anatomy of a Modern Phishing Email](https://autophish.io/blog/the-anatomy-of-a-modern-phishing-email-what-your-employees-miss-every-day)** on our blog.

---

## 2) Capture: credentials _or_ consent—both open the door

Attackers don’t always ask for your password. Increasingly, they present a legit-looking **SaaS/OAuth consent screen** (“Allow this app to read your mail?”). If you click **Allow**, they gain durable API access—**no password needed**. Microsoft’s guidance on **illicit consent grants** explains detection and remediation ([Microsoft Learn](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent) [Microsoft Learn 2](https://microsoft.com/en-us/defender-office-365/detect-and-remediate-illicit-consent-grants); also see the [app-consent incident response playbook](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent)).

Old-school **credential harvesters** still work, often hosted behind reputable services (forms/storage/view-only files) to dodge filters. Proofpoint’s *Human Factor* series and Microsoft’s threat posts highlight the shift toward URL-centric delivery ([Proofpoint](https://www.proofpoint.com/us/resources/threat-reports/human-factor-url-phishingng), [Microsoft](https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/)).

---

## 3) Session/Token theft: bypassing MFA with a tiny man-in-the-middle

Here’s the 2025 twist: **Adversary-in-the-Middle (AiTM)** toolkits sit between you and Microsoft/Google, **proxy the login**, and **steal your session cookie** after you successfully pass MFA. The attacker then **replays** that cookie and walks right in—**no password, no second factor**. See Microsoft’s analyses and playbooks, plus Proofpoint and Talos reporting ([MSFT Security Blog](https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/); see also:
- [Cisco Talos IR:](https://blog.talosintelligence.com/ir-trends-q2-2025/)ry-point-to-further-financial-fraud/), 
- [Multi‑stage AiTM](https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/), 
- [Session‑cookie theft alert playbook](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent)
- [Proofpoint on AiTM](https://www.proofpoint.com/us/blog/email-and-cloud-threats/aitm-phishing-attacks-evolving-threat-microsoft-365)
- [Talos IR Q2 2025](https://blog.talosintelligence.com/ir-trends-q2-2025/).

---

## 4) Lateral movement: once inside, attackers get comfy

With mailbox or token access, attackers set **inbox rules**, register **malicious OAuth apps**, and pivot to perform **BEC**—sometimes for weeks before anyone notices (see Microsoft’s guidance on session-cookie theft alerts: [learn.microsoft.com](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent)). For real-world color (and quick guardrails), see **[10 Wild Phishing (and Phish-Adjacent) Stories from 2024–2025](https://autophish.io/blog/10-wild-phishing-and-phish-adjacent-stories-from-2024-2025-including-important-lessons-learned from-2024-2025-including-important-lessons-learned)**.

---

## 5) What actually stops this? (Practical controls)

- **Phishing-resistant MFA (passkeys/FIDO2)** and limiting weak fallbacks (SMS/voice codes). CISA and NIST‑aligned guidance: [CISA success story (USDA)](https://www.cisa.gov/news-events/alerts/2024/11/20/usda-releases-success-story-detailing-implementation-phishing-resistant-multifactor-authentication), [CISA HISG on passkeys](https://www.cisa.gov/resources-tools/services/hybrid-identity-solutions-guidance-hisg), and the **Phishing‑Resistant Authenticator Playbook** ([IDManagement.gov](https://www.idmanagement.gov/playbooks/altauthn/)). For a plain‑English explainer, see WIRED’s overview of [how passkeys work](https://www.wired.com/story/what-is-a-passkey-and-how-to-use-them/).
- **Consent governance:** block risky OAuth app consent, require admin approval, and educate users about **what an app is asking for** ([Microsoft Learn](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent).
- **Anti‑AiTM controls:** conditional access with **token binding** where possible, vigilant revocation of sessions, and alerts on unusual inbox rules ([MSFT Token Theft Playbook](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent)icrosoft.com/en-us/security/operations/token-theft-playbook)).
- **User behavior:** treat **QR codes** like links; don’t scan from unsolicited messages. Proofpoint’s 2025 data shows quishing is mainstream now ([Proofpoint blog](https://www.proofpoint.com/us/blog/email-and-cloud-threats/human-factor-vol-2-offers-new-insights-phishing)).

---

## Where AutoPhish makes a measurable difference

AutoPhish is designed around those exact failure points (and it’s EU/GDPR‑friendly by design):

- **Role‑aware realism.** We generate **ever‑fresh lures** per role and industry (finance, HR, execs)—covering **emails**, **QR campaigns**, and **SaaS‑consent** prompts. That builds instinct against the attacks people actually face. Learn how we do it in **[Phishing Simulations‑as‑a‑Service Explained](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish)**.
- **Kill‑chain‑aware simulations.** We don’t stop at a click—we teach what a **consent screen** looks like, why it’s risky, and how to respond (see also our **[Anatomy of a Modern Phishing Email](https://autophish.io/blog/the-anatomy-of-a-modern-phishing-email-what-your-employees-miss-every-day)** guide).
- **Just‑in‑time training + clear reports** you can take to audits (NIS2/ISO‑friendly). If you’re weighing formats, compare **[Automated vs. Manual Campaigns](https://autophish.io/blog/automated-phishing-testing-vs-manual-campaigns-which-is-best-for-your-business)**.
- **Employee‑friendly & GDPR‑smart.** Options for **anonymization/pseudonymization**, short retention, and works‑council‑compatible guardrails—because culture and compliance matter. Details: **[Privacy‑Friendly Phishing Training](https://autophish.io/blog/privacy-friendly-phishing-training-works-councils-consent-and-gdpr-essentials)**.

Curious about open-source vs. SaaS trade‑offs? We’ve compared them in **[Open‑Source Tools vs. Managed Solutions](https://autophish.io/blog/open-source-phishing-simulation-tools-vs-managed-solutions-a-technical-and-business-comparison)**.


## FAQ: How phishing works

**Can a phishing link install malware?**  
Yes. A link can trigger a **drive‑by download** or lead to a site that drops malware—or it can simply steal your credentials. Keep software patched, use reputable endpoint protection, and avoid opening links/attachments from unknowns ([Emsisoft explainer](https://www.emsisoft.com/en/blog/38301/drive-by-downloads-can-you-get-malware-just-from-visiting-a-website/), [Kaspersky](https://usa.kaspersky.com/resource-center/definitions/drive-by-download)).

**Can phishing be done by phone?**  
Absolutely. **Vishing** (voice) and **smishing** (SMS) are mainstream—often augmented with AI voice cloning. Verify through a known channel before acting (definitions from the [FBI](https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/spoofing-and-phishing) and [FCC](https://www.fcc.gov/avoid-temptation-smishing-scams)).

**What is “quishing”?**  
**QR‑code phishing**: a message/poster contains a QR code that sends you to a malicious site—often on your **phone**, away from enterprise protections. Treat QR codes like links; don’t scan from unsolicited messages (see Proofpoint’s 2025 data on QR threats: [overview](https://www.proofpoint.com/us/blog/email-and-cloud-threats/human-factor-vol-2-offers-new-insights-phishing)).

**Does MFA stop all phishing?**  
MFA is essential, but **AiTM** can steal the **session cookie after MFA**. Prefer **phishing‑resistant MFA (passkeys/FIDO2)** and disable weak fallbacks (SMS/voice) where you can ([MSFT on AiTM](https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/; see also https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/; Cisco Talos IR: https://blog.talosintelligence.com/ir-trends-q2-2025/)); [CISA playbooks](https://www.idmanagement.gov/playbooks/altauthn/).

**What’s OAuth consent phishing, in one sentence?**  
A malicious app asks for permission to your data; if you click **Allow**, it keeps API access **until consent is revoked**—even without your password ([Microsoft Learn](https://learn.microsoft.com/en-us/defender-office-365/detect-and-remediate-illicit-consent-grants)).


> Want this explained to your whole team—with hands‑on practice? Launch a monthly, role‑aware program in minutes with **AutoPhish**. Make your people the firewall.

QR codes turned into logins. AI impersonated your CFO on Zoom. “Internal” emails arrived from the great beyond. The past two years were a nonstop parade of inventive cons – equal parts brazen and brilliant. Below, we tour ten real incidents that defined the era and, more importantly, translate each one into plain-English guardrails you can put in place. Sources are linked throughout so you can go deeper whenever you like.

**1) Change Healthcare: one portal, no MFA, and a very expensive lesson (Feb 2024)**

In February 2024, attackers walked through the digital front door at Change Healthcare using **stolen credentials**—no alarms, no second factor, just a remote portal without MFA. The breach eventually spiraled into ALPHV/BlackCat ransomware and nationwide disruption in healthcare billing. Executives later testified that the compromised entry point **did not** have MFA enabled—an omission that reads like a plot twist you can see coming a mile away ([Reuters](https://www.reuters.com/world/us/unitedhealth-ceo-testifies-before-us-senate-house-hack-2024-05-01/); context via [Cybersecurity Dive](https://www.cybersecuritydive.com/news/change-healthcare-compromised-credentials-no-mfa/714792/); sector wrap-ups from the [AHA](https://www.aha.org/system/files/media/file/2025/02/Change-Healthcare-Cyberattack-Underscores-Urgent-Need-to-Strengthen-Cyber-Preparedness.pdf) and [HHS OCR](https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html)).

Why did it work? Because one non-MFA’d app is a skeleton key in a world drenched in infostealer logs and password reuse. The countermeasure is gloriously unsexy: **phishing-resistant MFA (FIDO2)** everywhere the public can see you, ideally behind **SSO + conditional access**, with legacy protocols turned off. Add basic anomaly alerts—impossible travel, odd ASNs, strange hours—and you at least get a fighting chance to catch the first footsteps.

**2) Pepco Group: classic BEC, polished like a diamond (Feb 2024)**

Pepco’s Hungarian business lost about **€15.5 million** to what reads like a textbook—but extremely well executed—**business email compromise**. No malware extravaganza; just convincing messages, authority, urgency, and a payment process that trusted the inbox too much ([company notice](https://www.pepcogroup.eu/media-news/pepco-group-n-v-notice-regarding-hungarian-business/) / [PDF](https://www.pepcogroup.eu/wp-content/uploads/2024/02/Pepco-Group-Notice-regarding-Hungarian-business-vF.pdf); coverage via [Reuters](https://www.reuters.com/technology/cybersecurity/retailer-pepco-loses-about-15-mln-euros-hungarian-phishing-attack-2024-02-27/) and [Help Net Security](https://www.helpnetsecurity.com/2024/02/28/pepco-phishing-bec-attack/)).

The fix is cultural as much as technical: treat money movement like a cockpit checklist. **Dual approvals**, **callback verification to known numbers**, supplier portals with **2FA**, and a **hold period** for first-time bank-detail changes transform “please pay this urgently” into “sure—after we follow the process.”

**3) The Arup deepfake boardroom: when faces lie (Jan–May 2024)**

A finance employee at **Arup** joined a video call with the “CFO” and colleagues. They looked right, sounded right, moved right—and were **AI deepfakes**. Roughly **$25 million** left the building before reality caught up ([Financial Times](https://www.ft.com/content/b977e8d4-664c-4ae4-8a8e-eb93bdf785ea); [CFO Dive](https://www.cfodive.com/news/scammers-siphon-25m-engineering-firm-arup-deepfake-cfo-ai/716501/); background via [CNN/Yahoo](https://finance.yahoo.com/news/british-engineering-giant-arup-revealed-030558740.html)).

We’ve trained people to “trust the face.” Deepfakes torch that instinct. The pragmatic fix is policy, not paranoia: **no funds released on live calls alone**. Require a **ticketed approval** plus a **verbal callback** to a number pulled from an internal directory—never from the email or the meeting invite. Teach teams to spot telltales (lip-sync drift, odd latencies) and to use backchannels when something feels off.

**4) Paris 2024: the Olympics of fake ticketing (mid-2024)**

Hype, scarcity, and immaculate branding make for superb phishing weather. Heading into Paris 2024, law enforcement and researchers flagged **hundreds of fraudulent sites** hawking tickets, hospitality, and “priority access.” At one point the French gendarmerie counted **338** suspect domains. The playbook was simple: SEO-poisoning, cloned logos, and urgency that makes even savvy buyers forget their rules ([Proofpoint](https://www.proofpoint.com/us/blog/threat-insight/security-brief-scammers-create-fraudulent-olympics-ticketing-websites); consumer warnings via [CBS News](https://www.cbsnews.com/news/paris-olympics-ticket-scams/); official notices at [Olympics.com](https://www.olympics.com/en/news/free-ticket-scam-for-the-opening-ceremony-of-the-paris-2024-paralympic-games)).

If your staff travel or buy event access, front-load the safety briefing: **type, don’t click**, and only on **official URLs**. On the backend, watch for **typosquats** and block **brand-new domains** in high-risk categories for a cooling-off period. A little friction beats expensive FOMO.

**5) Snowflake-linked breaches: one password to rule them all (spring–summer 2024)**

Ticketmaster, Santander, and others reported data accessed via **customer Snowflake environments**, with a familiar villain: **stolen credentials** and **missing MFA**. Snowflake itself said its platform wasn’t breached; rather, attackers rode in on real keys to customer instances and got to querying ([Dark Reading](https://www.darkreading.com/threat-intelligence/snowflake-account-attacks-driven-by-exposed-legitimate-credentials); [The Verge](https://www.theverge.com/2024/6/11/24176080/snowflake-cloud-storage-data-breach-ticketmaster-santander); [Google Threat Intelligence](https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion); [Push Security](https://pushsecurity.com/blog/2024-identity-breaches/)).

If your data lives in SaaS, treat identity like your new network perimeter. Put **SSO/SAML + MFA** in front, add **IP allowlists/VPN**, and instrument for **unusual query volumes** or sudden **role changes**. Keys and tokens should rotate the way you change the batteries in a smoke alarm: regularly, before the fire.

**6) Star Blizzard’s WhatsApp pivot: your QR code is a session token (late 2024–Jan 2025)**

FSB-linked **Star Blizzard** started corralling diplomats and policy folks into scanning **WhatsApp QR codes**, turning a simple handoff into account takeover. The move cleverly sidestepped email controls and shifted the conversation to a compromised app where trust is high and scrutiny is low ([Microsoft](https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/); [BleepingComputer](https://www.bleepingcomputer.com/news/security/star-blizzard-hackers-abuse-whatsapp-to-target-high-value-diplomats/); [The Guardian](https://www.theguardian.com/technology/2025/jan/17/russian-hackers-star-blizzard-whatsapp-accounts-ministers-officials)).

The mindset shift is crucial: **QR codes often _are_ authentication**. Train people to treat scans like passwords, restrict linking on unmanaged devices via MDM, and require **number-matching MFA** where available. Also, watch for **new linked devices** and suspicious location jumps—both are early smoke.

**7) Quishing at scale: Microsoft Sway as a lure factory (Aug 2024)**

Attackers leaned on **Microsoft Sway** to host slick, **QR-code phishing** pages that slipped past filters thanks to first-party halo effects. The QR image concealed the true destination, and scanners not built to decode images saw only a nice, clean file hosted by a trusted brand ([BleepingComputer](https://www.bleepingcomputer.com/news/security/microsoft-sway-abused-in-massive-qr-code-phishing-campaign/"%20\t%20"_new); original research from [Netskope](https://www.netskope.com/blog/phishing-in-style-microsoft-sway-abused-to-deliver-quishing-attacks)).

Defenders can answer in kind: add **QR decoding** to email/web security, scrutinize **new Sway/Forms/Sites** links, and lock identity down with **passwordless MFA**, **conditional access**, and **continuous access evaluation**. On mobile, teach people how to preview URLs before opening them—tiny skill, huge payoff.

**8) Trezor: when your support desk becomes the social engineer (Jan 2024 & Jun 2025)**

In **January 2024**, a **third-party support portal** tied to **Trezor** exposed contact details for ~66,000 users—jet fuel for follow-on phishing. By **June 2025**, adversaries went a step further, **abusing Trezor’s support form** to send convincing auto-replies that looked official enough to make even veterans blink ([BleepingComputer](https://www.bleepingcomputer.com/news/security/trezor-support-site-breach-exposes-personal-data-of-66-000-customers/"%20\t%20"_new); [BleepingComputer](https://www.bleepingcomputer.com/news/security/trezors-support-platform-abused-in-crypto-theft-phishing-attacks/)).

Your support stack is part of your security perimeter. Treat it accordingly: **rate-limit auto-replies**, enforce strict **DKIM/DMARC alignment**, scan templated responses for risky language (especially around “recovery” and crypto), and publish **clear safety PSAs** so customers know what you’ll never ask them to do.

**9) “Internal” without compromise: M365 Direct Send gets cheeky (Jun–Aug 2025)**

Campaigns abusing **Microsoft 365’s Direct Send** made it possible to **spoof internal users** without actually taking over an account. That little detail matters, because “from IT@yourcompany” still carries psychological weight—even when the authentication story is mushy ([Varonis](https://www.varonis.com/blog/direct-send-exploit); summaries via [Dark Reading](https://www.darkreading.com/cyber-risk/phishers-abuse-m365-direct-send-to-spoof-internal-users) and [Arctic Wolf](https://arcticwolf.com/resources/blog/arctic-wolf-observes-microsoft-direct-send-abuse/)).

Tighten your **connector rules**, limit the scope of Direct Send, and prefer **authenticated SMTP** where you can. Teach people that “internal” isn’t a magic word; if an email tries to move money or credentials, the verification should happen in a portal or via a known backchannel—not a convenient blue link.

**10) AI site builders drafted into the phish factory: Lovable at scale (2025)**

Finally, a very 2025 plot line: attackers using AI website builders—**Lovable** in particular—to crank out **tens of thousands** of phishing and malware pages with on-brand design and near-instant turnaround. Fresh domains plus pretty templates equals a steady drip of clicks before reputation systems catch up ([Proofpoint](https://www.proofpoint.com/us/blog/threat-insight/cybercriminals-abuse-ai-website-creation-app-phishing); coverage via [BleepingComputer](https://www.bleepingcomputer.com/news/security/ai-website-builder-lovable-increasingly-abused-for-malicious-activity/) and [TechRadar](https://www.techradar.com/pro/security/top-ai-website-builder-lovable-hit-in-worrying-cyberattack-heres-what-we-know)).

Defensively, expand your URL intelligence to include **time-since-registration** and **builder/hosting reputation**, and don’t reflexively whitelist shiny new domains just because they look professional. Criminals can look professional now, too—it’s kind of their thing.

**The pattern you can’t ignore**

Across all ten stories, the same threads keep showing up. **Credentials and session tokens are gold.** **MFA gaps are fatal.** **“Internal” is a feeling, not a control.** And **AI is both accelerant and firehose**—it speeds up attackers and overwhelms defenders, but it also gives us better training and detection if we choose to use it.

If you only do a few things this quarter, make them these: roll out **phishing-resistant MFA** and retire legacy auth; add **QR decoding** to your email/web stack; stage realistic **BEC and deepfake drills** for finance and execs (with mandatory callbacks); and put **support, marketing, and event workflows** squarely in your threat model with rate limits, DMARC alignment, and pre-emptive warnings.

And if you want to practice safely, that’s our jam. AutoPhish can recreate the trends you’ve just read about—**quishing**, **AI-style lures**, **“internal” spoofing**, and meticulous **BEC**—then follow up with bite-sized training that actually sticks. Because seeing the trick once, in a safe environment, is how you stop it when it really counts.

> ⚖️ This article is general information - for specific decisions about your organisation, consult a qualified lawyer in your jurisdiction.

---

## TL;DR
You can run impactful phishing simulations in the EU without alienating staff or risking non-compliance by: 
1. using **legitimate interests** (not consent) as your primary legal basis and documenting a balancing test; 
2. engaging **works councils** early and codifying guardrails in a works agreement where required; 
3. prioritising **anonymization/pseudonymization**, **short retention**, and **transparent notices**; and 
4. running a DPIA if your context points to **high risk** (e.g., systematic monitoring).

---

## 1) Lawful basis: why **legitimate interests** usually beats consent
In the employment context, consent is **rarely freely given** because of the employer–employee power imbalance. The European Data Protection Board’s *Guidelines 05/2020 on Consent* underline that employee consent is valid only in **exceptional** circumstances without adverse consequences for refusal. For phishing simulations, a better fit is **Article 6(1)(f) legitimate interests**, documented with a **Legitimate Interests Assessment (LIA)** that weighs your security needs against employees’ rights and expectations.

**Good practice for the LIA**  
- Define the interest (security awareness; fraud prevention).  
- Map reasonable employee expectations (training is normal; covert profiling is not).  
- List mitigations (see Sections 3–5).  
- Record why consent would be inappropriate in your context.

References: EDPB *Guidelines 05/2020 on Consent*; GDPR Recital 47 (reasonable expectations).

---

## 2) Works councils: Germany & Austria in focus
If you operate in countries with strong co-determination, involve the works council before rollout.

- **Germany (BetrVG §87(1) No. 6):** the works council co-determines the *“introduction and use of technical devices designed to monitor employee behaviour or performance.”* Even simple dashboards can trigger this, so a **Betriebsvereinbarung** (works agreement) that sets scope, data handling, and safeguards is common practice.  
- **Austria (ArbVG §96(1) No. 3):** monitoring measures and technical systems that may affect human dignity require **works council consent** (or **individual consent** if no works council).

**What to include in the agreement/works policy**  
Purpose & scope, lawful basis, minimal data collected, **no disciplinary use** of metrics alone, who sees what, retention & anonymization schedule, vendor list (processors/sub-processors), employee rights, and an annual review clause.

Sources: Germany—BetrVG §87(1) no. 6 (official English text); analysis by Luther Law. Austria—Eurofound summary of ArbVG §96(1) no. 3; Schoenherr explainer.

---

## 3) Anonymization vs. Pseudonymization (and what it means for reports)
- **Anonymization** (GDPR Recital 26): once data is truly anonymous, GDPR no longer applies.  
- **Pseudonymization** (GDPR Art. 4(5)): data is still personal if it can be re-linked via separate keys; treat it accordingly.

**Privacy-centric reporting model**  
- Default to **aggregates by team/location**.  
- Use **stable random IDs** for trend analysis instead of names; keep the key separate with strict access control.  
- Show **individual results only to a small, need-to-know group** (e.g., security awareness lead + HR) and only when necessary for targeted coaching.  
- Never collect real passwords; if a user attempts to submit credentials, show a training page and **discard any entry**.

For a practical example of how a platform implements these concepts, see **AutoPhish’s anonymization** overview: https://autophish.io/anonymization

---

## 4) Retention: shorter is safer (and required by principle)
GDPR’s **storage limitation** principle requires keeping personal data in identifiable form **no longer than necessary** for the stated purpose. For phishing programs, many SMEs adopt a two-tier window:  
- **Operational window (e.g., 30–90 days):** identifiable data available for coaching and remediation.  
- **Post-campaign analytics:** thereafter **aggregate/anonymize**, keeping only non-identifiable trends for long-term KPI tracking.

Document this in your **Article 30 records of processing** and in your employee privacy notice.

---

## 5) Notices: be transparent and plain-language (Art. 13)
Before your first campaign, provide a short internal notice (or update your employee privacy policy) that explains: the **purpose** (security awareness), **lawful basis** (legitimate interests), what data you collect (e.g., email, department, click/report events), **retention**, who can access individual-level data (limited roles), **no disciplinary use** of single events, **employee rights** (access/objection), and a **contact** (DPO or privacy lead).

**Copy-paste starter (adapt to your context)**  
> We run periodic phishing simulations to build security awareness and reduce fraud risk. We process your name, work email, department, and simulation interactions (e.g., opened/reported/submitted). Our lawful basis is legitimate interests (GDPR Art. 6(1)(f)). Individual-level data is visible only to the security awareness team (and HR where necessary for targeted coaching). We keep identifiable data for **[X days]** and then aggregate/anonymize. We never store real passwords. You can exercise your data rights (access/objection, etc.) via **[contact]**. See **[link to your full employee privacy notice]**.

---

## 6) Do you need a DPIA?
A **Data Protection Impact Assessment (DPIA)** is required when processing is **likely to result in high risk** to individuals (Art. 35). Regulators and the EDPB note that **employee monitoring** may trigger a DPIA—especially where processing is systematic or involves vulnerable data subjects. If your programme introduces new tooling, large-scale metrics, or cross-border transfers, err on the side of conducting a DPIA.

**What to cover**: purpose/necessity, alternatives (less intrusive options), data flows, risks, mitigations (anonymization, minimization, role-based access, short retention, no-blame coaching), and a plan for periodic review.

---

## 7) Vendors & international transfers
If you use a platform provider, you’re the **controller** and they’re a **processor**; sign a **Data Processing Agreement** that meets **Article 28** requirements (security, sub-processor controls, assistance with data rights, deletion at end of service). If the provider or its sub-processors are outside the EEA, implement the **Standard Contractual Clauses** and perform a transfer risk assessment.

---

## 8) NIS2: if you’re in scope, training is no longer optional
For entities covered by the **NIS2 Directive**, management must oversee cybersecurity risk-management measures (Art. 20) and ensure appropriate training and incident processes (Art. 21). Even if you’re not in scope, the bar NIS2 sets is a useful benchmark for SMEs.

---

## 9) A practical, privacy-first architecture (that still works)
- **Data in:** name, email, team, and manager (optional). No personal emails; no special categories.  
- **During campaign:** collect only **event data** (delivered, clicked, reported, submitted). If a user tries to enter credentials, show training and capture **no secrets**.  
- **Access control:** the awareness team can see cohorts and anonymized IDs
- **Retention:** 30–90 days for identified data → auto-anonymize; keep aggregates for year-over-year trends.  
- **Outputs:** exec report shows **rates and trends**, not names.  
- **Governance:** LIA + (if needed) DPIA on file; Article 30 register updated; works agreement approved.

---

## Final thoughts
Privacy-friendly phishing training is not a contradiction. With the right lawful basis, genuine worker representation, and technical guardrails like anonymization and short retention, your programme can **protect people and their data** while measurably reducing risk. When in doubt, get legal advice tailored to your facts.

## Legal references (Germany & Austria)

*   **Germany — Works Constitution Act (BetrVG) §87(1) no. 6 (official English text)**  
    [Gesetze im Internet – Works Constitution Act (Betriebsverfassungsgesetz – BetrVG), English translation](https://www.gesetze-im-internet.de/englisch_betrvg/englisch_betrvg.html)
    
*   **Analysis by Luther Law**  
    [“Perennial issue: software vs. co-determination (Section 87 (1) No. 6 BetrVG)” — Luther Law](https://www.luther-lawfirm.com/en/newsroom/blog/detail/dauerbrenner-software-vs-mitbestimmung-87-abs-1-nr-6-betrvg)
    
*   **Austria — Eurofound summary of ArbVG §96(1) no. 3**  
    [Eurofound: Employee monitoring and surveillance — Austria](https://apps.eurofound.europa.eu/legislationdb/employee-monitoring-and-surveillance/austria)
    
*   **Schoenherr explainer (ArbVG §96(1) no. 3)**  
    [“Whistleblowing Hotline – Implementation Only with Employee Consent?” — Schoenherr](https://www.schoenherr.eu/content/whistleblowing-hotline-implementation-only-with-employee-consent)
    

---

## Further reading

*   **EDPB _Guidelines 05/2020 on Consent_**  
    [https://www.edpb.europa.eu/sites/default/files/files/file1/edpb\_guidelines\_202005\_consent\_en.pdf](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf)
    
*   **GDPR Recital 26 (anonymous data)**  
    [https://gdpr-info.eu/recitals/no-26/](https://gdpr-info.eu/recitals/no-26/)
    
*   **GDPR Article 4(5) (pseudonymization)**  
    [https://gdpr-info.eu/art-4-gdpr/](https://gdpr-info.eu/art-4-gdpr/)
    
*   **GDPR Article 5 (principles)**  
    https://gdpr-info.eu/art-5-gdpr/
    
*   **GDPR Article 13 (information to be provided)**  
    https://gdpr-info.eu/art-13-gdpr/
    
*   **GDPR Article 28 (processors)**  
    https://gdpr-info.eu/art-28-gdpr/
    
*   **GDPR Article 30 (records of processing activities)**  
    https://gdpr-info.eu/art-30-gdpr/
    
*   **GDPR Article 35 (Data Protection Impact Assessment)**  
    https://gdpr-info.eu/art-35-gdpr/
    
*   **NIS2 Directive (Articles 20–21)**  
    EUR-Lex — Directive (EU) 2022/2555 (NIS2)
    
*   **AutoPhish — Anonymization overview (product-side controls)**  
    [https://autophish.io/anonymization](https://autophish.io/anonymization)

Phishing emails might not be glamorous, but they’re the sneaky tricksters of the cyber world. They show up in inboxes pretending to be important messages — an invoice, a password reset, maybe even a fake LinkedIn invite. And unfortunately, they still work all too often. In fact, **74% of security breaches involve the human element**, with phishing being one of the top ways attackers break in [[1]](https://www.phishingbox.com/resources/phishing-facts)[[2]](https://www.phishingbox.com/resources/phishing-facts).

That’s why businesses of all sizes are turning to **phishing simulations** — basically “practice phishing attacks” that train employees to spot suspicious messages in a safe environment. Think of it like a fire drill, but for your inbox. The goal is to help employees build instincts and transform them into a “human firewall.”

But here’s the question: when it comes to running phishing simulations, should you **do them manually** (crafting fake phishing emails yourself or with the help of consultants) or rely on an **automated platform** (a service that does the heavy lifting for you)? Each approach has its perks and pitfalls. Let’s explore both in a way that’s insightful, practical, and just a bit more fun.

---

## Why Phishing Simulations Matter (Beyond Scaring Your Staff)

The idea is simple. Your company sends out a fake phishing email. If an employee clicks or submits their login details, it’s not a disaster — it’s a teaching moment. And unlike boring PowerPoint slides about security, these simulations stick. People remember what fooled them, and they get better at spotting the real thing next time [[3]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish)[[4]](https://www.cynet.com/cybersecurity/phishing-simulation-how-it-works-and-5-tools-to-get-you-started/).

On top of that, regulators are watching. Standards like the EU’s **NIS2 Directive** don’t just want firewalls and antivirus software — they expect proof that your staff are trained and tested regularly [[6]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish). A solid phishing simulation program means you can check both boxes: better security and compliance.

---

## Manual Phishing Campaigns: Handcrafted, With Love (and Effort)

So what happens if you go the manual route?

- **What it is:** Your IT/security team (or hired consultants) brainstorm phishing scenarios, design emails, send them out, and later track who clicked. Maybe it’s a fake invoice. Maybe it’s a spoofed “CEO request.” Creativity is the name of the game.
- **The good:** Manual campaigns can be incredibly realistic. A consultant who knows your business can craft spear-phishing emails that reference actual projects or internal lingo. These hyper-tailored simulations feel *uncomfortably real* — which is exactly the point.
- **The bad:** They’re expensive and time-consuming. Niche providers often charge **$3–$6 per employee per month** [[8]](https://caniphish.com/phishing-simulation), which adds up fast. Doing it in-house? It may seem “free,” but your team still spends hours designing lures, setting up domains, and crunching results. Open-source tools like GoPhish are powerful, but they require ongoing maintenance [[10]](https://autophish.io/blog/open-source-phishing-simulation-tools-vs-managed-solutions-a-technical-and-business-comparison).

Scalability is another headache. Most companies that go manual manage only a couple of campaigns a year — often tied to Cybersecurity Awareness Month. That’s better than nothing, but far from the continuous reinforcement employees really need.

And let’s be honest: creativity runs dry. After a few tries, the “fake Amazon receipt” or “password reset” gets old. Without fresh ideas, employees start recognizing the pattern, which defeats the purpose.

**Bottom line:** Manual campaigns are great for highly targeted, one-off exercises. But for regular training across the whole company, they can drain resources and don’t scale well.

---

## Automated Phishing Platforms: Set It, Forget It, Train Continuously

Now let’s talk about automation.

**Automated phishing platforms** (think KnowBe4, Hoxhunt, Cofense, or newer players like **AutoPhish**) are SaaS tools built to make phishing simulations easy, scalable, and consistent. Instead of your team manually drafting emails and logging clicks, the platform handles:

- Crafting realistic phishing emails (often from a large template library, updated with the latest scam trends [[16]](https://caniphish.com/phishing-simulation)).
- Sending them out at scale, on a schedule you set.
- Tracking exactly who clicked, reported, or ignored.
- Delivering instant feedback or training to employees who fall for it.

Some platforms even use **AI** to generate unique phishing lures that evolve over time, so employees can’t just memorize a fixed set of templates [[18]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).

### The Big Advantages
- **Efficiency & scale:** Send thousands of emails with a few clicks. Whether you’ve got 50 or 5,000 employees, the platform can handle it without extra work.
- **Affordability:** Pricing is usually **$0.45–$1.25 per employee per month** [[22]](https://caniphish.com/phishing-simulation). Compare that to the millions a real breach might cost (average global cost: $4.45M in 2024 [[23]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish)) — it’s a bargain.
- **Consistency:** You can schedule monthly or even weekly tests. Some platforms randomize delivery so employees don’t learn to expect them at a certain time.
- **Data & insights:** Automated platforms provide dashboards, trend analysis, and compliance-ready reports. Want to know if your finance department is click-prone or if your awareness is improving quarter over quarter? Easy [[26]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).
- **Low burden:** Instead of your team writing fake emails, they just review results. It’s a massive time-saver.

### A Nice Bonus: Just-in-Time Training
If an employee clicks, the platform can instantly show them a quick educational page: “Oops! Here’s what you missed.” That immediate feedback turns mistakes into teachable moments. Manual follow-ups can’t always deliver that consistency.

---

## Side-by-Side: Manual vs. Automated

| Factor              | Manual Campaigns (In-House/Consultants) | Automated Platforms |
|---------------------|------------------------------------------|----------------------|
| **Cost**            | High ($3–$6/user/month or staff time)   | Lower ($0.45–$1.25/user/month) |
| **Scalability**     | Hard to scale beyond occasional tests   | Scales easily to thousands |
| **Frequency**       | Infrequent (annual or quarterly)        | Continuous (monthly, weekly, randomized) |
| **Realism**         | Can be highly tailored, spear-phishy    | Broad range of realistic, evolving templates |
| **Customization**   | Unlimited but resource-heavy            | Flexible, with plenty of built-in options |
| **Team Burden**     | Heavy (time, creativity, reporting)     | Light (review dashboards, tweak settings) |
| **Reporting**       | Basic, often static                     | Detailed dashboards, compliance-ready data |

---

## Which Should You Choose?

It depends on your goals and resources:

- **Manual** makes sense if:
  - You want one-off, highly targeted tests (like spear-phishing execs).
  - You already have a skilled red team that enjoys this work.
- **Automated** makes sense if:
  - You want continuous, scalable training for your whole staff.
  - You’re an SME without endless budget or staff hours.
  - You need compliance-friendly reports at the click of a button.

Most companies use automation for their **day-to-day training**, and occasionally sprinkle in manual campaigns for special cases. That’s often the sweet spot.

---

## Why SMEs in Particular Should Care

Small and mid-sized businesses are juicy targets for attackers but often lack security staff. Hiring consultants is pricey. Running manual campaigns internally eats up scarce time. That’s why automated phishing testing — especially from platforms designed with SMEs in mind, like **AutoPhish** — is so appealing [[24]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).

AutoPhish, for instance, offers:
- **AI-powered, ever-fresh phishing emails** [[19]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).
- **Automated scheduling** (monthly, quarterly, or custom) [[25]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).
- **Quick setup** (under 30 minutes) [[28]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).
- **GDPR-friendly design** with no sensitive data stored [[35]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).

It’s basically enterprise-grade security awareness made accessible for businesses without enterprise budgets.

---

## Wrapping It Up

Phishing is going to keep evolving — attackers aren’t taking a holiday. The best way to stay ahead is to keep your people trained, sharp, and a little skeptical of unexpected emails.

- Manual campaigns are like gourmet, handcrafted training. Impressive, but pricey and limited.
- Automated platforms are like meal kits: reliable, affordable, and scalable. You get variety and consistency without slaving away in the kitchen.

For most businesses, especially SMEs, **automation wins hands down**. It keeps the program running, delivers continuous learning, and doesn’t overload your team. And if you ever want to spice things up with a bespoke spear-phishing test, you can always add a manual one on top.

In the end, what matters most is that you’re testing, training, and turning your employees into your first line of defense. After all, in cybersecurity, a well-trained workforce might just be the cheapest (and smartest) insurance you’ll ever buy.



## Introduction

Cybersecurity budgets are often tight—especially for small and mid-sized enterprises (SMEs). Executives want to know: *Is our investment in security awareness training actually paying off?*  
While phishing simulations and staff education seem like obvious choices, proving their **return on investment (ROI)** can be tricky.

In this article, we break down **how to measure ROI** for security awareness programs, the metrics that matter, and why **AI-driven phishing simulations** can deliver better long-term value.

> 💡 *This article is for informational purposes and does not constitute financial or legal advice.*

---

## Why Measuring ROI in Cybersecurity Is Difficult

Unlike marketing campaigns or sales initiatives, cybersecurity investments aim to prevent bad things from happening. That means ROI is often measured by **losses avoided**—which can be hard to quantify until a breach occurs.

According to the [2024 IBM Cost of a Data Breach Report](https://www.ibm.com/reports/data-breach), the global average cost of a data breach is **$4.45 million**, with phishing as the second-most common cause. For SMEs, even a fraction of that cost can be devastating.

The challenge is to **translate risk reduction into measurable savings**.

---

## The ROI Formula for Security Awareness Training

A common approach to calculating ROI in cybersecurity awareness programs is:

```
ROI (%) = [(Estimated Losses Avoided – Program Costs) / Program Costs] × 100
```

### Step 1: Estimate Potential Losses
- **Data breach costs**: Legal fees, regulatory fines (e.g., GDPR penalties), recovery costs, lost business
- **Operational disruption**: Downtime, lost productivity
- **Reputational damage**: Lost customers, decreased trust

Example: If your estimated potential loss from a phishing attack is €200,000 and effective training can reduce that risk by 70%, your *losses avoided* figure is €140,000.

### Step 2: Calculate Program Costs
- Vendor/platform subscription (e.g., AutoPhish license)
- Internal training time
- Administrative overhead

### Step 3: Run the Formula
If your annual training program costs €20,000 and avoids €140,000 in losses, the ROI is:

```
ROI = [(140,000 – 20,000) / 20,000] × 100 = 600%
```

---

## Metrics That Matter

To make ROI reporting credible, track **both leading and lagging indicators**:

### Leading Indicators (Preventive)
- Phishing simulation click rates
- Reported suspicious email rates
- Training completion rates

### Lagging Indicators (After Incidents)
- Number of phishing incidents per quarter
- Mean time to detect (MTTD) and respond (MTTR)
- Regulatory fines or customer churn after incidents

**Why it matters:** Regulators like the [UK ICO](https://ico.org.uk/) and [ENISA](https://www.enisa.europa.eu/) increasingly expect organizations to show evidence of employee training and proactive risk management.

---

## Case Studies and Industry Evidence

- [**KnowBe4’s 2024 Benchmarking Report**](https://www.knowbe4.com/resource-center/phishing): found that after initial training and simulated phishing, users’ “phish‑prone percentage” dropped from a higher baseline to just 18.9% within 90 days, and further to 4.6% after 12 months.
- [**UK ICO vs. Interserve (2022)**](https://www.theguardian.com/business/2022/oct/24/outsourcer-interserve-fined-4-point-4m-cyber-attack-failings-data-breach-personal-information): A £4.4M fine was issued after a phishing attack. Lack of training and poor patching were cited as key failings. Demonstrating a history of phishing simulations could have reduced liability.
- **US FTC Guidance**: The [FTC](https://www.ftc.gov/business-guidance/small-businesses/cybersecurity) emphasizes training as a baseline security measure—failure to do so can result in enforcement action.


---

## Manual Training vs. AI-Driven Simulations

| Feature                          | Manual/Consultant-Led | AI-Driven (e.g., AutoPhish) |
|----------------------------------|-----------------------|-----------------------------|
| Cost per Campaign                | High                  | Low (subscription)          |
| Frequency                        | Usually Yearly        | Monthly or Continuous       |
| Customization                    | Limited               | High (industry & role-based)|
| Realism                          | Moderate              | High (AI-generated emails)  |
| Reporting & Analytics            | Manual                | Automated                   |
| Scalability                      | Low                   | High                        |

**Why it matters:** With AI-driven phishing simulations, you can run **more frequent, more realistic** campaigns at a fraction of the consultant cost—while collecting data that directly supports your ROI calculation.

---

## Making the Business Case

When presenting ROI to leadership, emphasize:

1. **Risk Reduction**: Quantify the drop in phishing success rates after training.
2. **Regulatory Compliance**: Demonstrate how training supports GDPR/NIS2/FTC expectations.
3. **Cost Efficiency**: Compare the program cost to potential breach costs.
4. **Operational Continuity**: Highlight reduced downtime from security incidents.


---

## Final Thoughts

Measuring ROI for security awareness training isn’t just an accounting exercise—it’s a way to prove that your investment is **reducing real-world risk** and **protecting your bottom line**.

**Key Takeaways**:
- Use a clear ROI formula that includes avoided losses
- Track both leading and lagging security metrics
- Run frequent, realistic phishing simulations for maximum impact
- Document results for compliance and executive reporting

With platforms like **AutoPhish**, SMEs can **maximize training impact**, **minimize costs**, and **generate clear ROI evidence**—turning security awareness from a “nice to have” into a proven business asset.


Blog

SPF, DKIM, DMARC & Domain Permutations: The Email Security Basics Attackers Exploit

Phishing Trends in 2026: What’s Really Changing (and What Isn’t)

Phishing on Mobile: SMS, WhatsApp & QR - What Policies SMEs Actually Need

Role-Based Phishing Simulations: Finance, HR, IT & Execs — Scenarios, Guardrails, and Metrics

How Phishing Works in 2025: The Modern Kill Chain (Email, QR, Deepfakes, and SaaS)

10 Wild Phishing (and Phish-Adjacent) Stories from 2024–2025 – including important Lessons Learned

Privacy-Friendly Phishing Training: Works Councils, Consent, and GDPR Essentials

Automated Phishing Testing vs. Manual Campaigns: Which Is Best for Your Business?

Open-Source Phishing Simulation Tools vs. Managed Solutions: A Technical and Business Comparison

Measuring the ROI of Security Awareness Training

Ready to Fortify Your Defenses?