**Why mobile phishing matters in 2025**

*   **Smishing (SMS phishing) surged** and is a top vector for fraud in Europe; QR-based “quishing” is **rising fast**. [ENISA](https://www.enisa.europa.eu/sites/default/files/2025-02/Finance%20TL%202024_Final.pdf)
*   **WhatsApp/linked-device abuse:** state-aligned actors have shifted from email to messenger takeovers, often by tricking targets into scanning **WhatsApp Web QR codes**. Treat scans like passwords. [Microsoft+1](https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/)
*   **MFA fatigue** forced a rethink of push approvals; Microsoft moved tenants to **number-matching** to blunt push-spam approvals. [Microsoft Learn+1](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-default-enablement)
*   **FBI/IC3** warn of QR-based fraud—including scams where unsolicited packages contain a QR that leads to credential theft or malware. [Internet Crime Complaint Center+1](https://www.ic3.gov/PSA/2025/PSA250731)

For incident color and “what went wrong”, skim our **[10 Wild Phishing Stories (2024–2025)](https://autophish.io/blog/10-wild-phishing-and-phish-adjacent-stories-from-2024-2025-including-important-lessons-learned)**—we highlight QR-assisted account takeovers and messaging-app pivots with concrete guardrails.

* * *

**The mobile-first phishing playbook (how attacks work)**

1.  **Smishing & messaging lures**  
    Short messages spoof delivery firms, toll fees, or IT resets. Links open credential pages, payment forms, or drive users to install rogue apps.
2.  **QR codes as login tokens**  
    WhatsApp/other apps use **QR to link devices**. A coerced scan = session takeover—even without a password. Policy should treat **“Scan to link” = sensitive auth step**.
3.  **MFA push abuse**  
    Attackers spam prompts until a tired user taps “Approve”. **Number-matching** (enter the on-screen code) and **geolocation/tenant context** reduce these approvals.
4.  **Malware on mobile**  
    Links typically **steal credentials**, but can also push malicious installs—more feasible on Android via sideloaded APKs; iOS is harder (App Store gate) but **risky profiles/0-click vulns** exist. Mobile protections like **Play Protect** reduce but don’t erase risk.

* * *

**What policies SMEs actually need (ready to adapt)**

Below are concise clauses you can drop into your **Acceptable Use**, **BYOD**, and **Messaging** policies. Each includes a control and a short “why”.

**1) BYOD: minimum security baseline**

*   **OS & patch level:** Personal devices used for work must run a **vendor-supported OS** and auto-update enabled. (Android, iOS, iPadOS).
*   **Device security controls:** Screen lock, encrypted storage, and the ability to **remote wipe work data** via MDM/Work Profile (COPE/COSU or Android Work Profile/iOS User Enrollment).
*   **App sources:** **No sideloaded apps** for work use; business apps must come from managed stores. (Android unknown-sources increase risk; Play Protect mitigates but isn’t a policy substitute.) [NCSC+2NCSC+2](https://www.ncsc.gov.uk/collection/device-security-guidance)

**Why:** NCSC’s device guidance stresses balancing usability with controls in BYOD; you want managed data separation and revocation. [NCSC+1](https://www.ncsc.gov.uk/collection/device-security-guidance/bring-your-own-device)

**2) Messaging & social apps (WhatsApp, Signal, iMessage, etc.)**

*   **Business use boundaries:** If messaging apps are used for business, restrict to **managed devices**; **no linking via QR** on unmanaged desktops.
*   **Linked devices monitoring:** Alert on **new linked devices**; require re-verification every 30 days.
*   **No sensitive approvals over chat:** Payments, bank detail changes, or SSO resets **must use ticket + callback** to a number from the directory.

**Why:** Threat actors are actively abusing messenger **linking** and QR. Treat a QR scan like an SSO login. [Microsoft](https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/)

**3) QR code handling**

*   **Treat QR as credentials:** Scanning QR for login or device-linking equals entering a password; only scan **from trusted sources** on **managed devices**.
*   **Preview before open:** Staff must **preview the URL** (mobile browser/app supports this) and verify domain before opening.
*   **Block risky shorteners:** Filter common shorteners (except allowlisted business uses).

**Why:** FBI/IC3 documented QR fraud; attackers hide destinations and piggyback trust. [Internet Crime Complaint Center](https://www.ic3.gov/PSA/2025/PSA250731)

**4) MFA hardening (stop push fatigue)**

*   **Enforce number-matching** for push approvals across the tenant.
*   **Prefer phishing-resistant methods** (FIDO2/passkeys) and **disable SMS fallback** after enrollment. [Microsoft Learn+1](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-default-enablement)

**Why:** Push spam works; number-matching and passkeys meaningfully reduce abuse.

**5) Mobile browser & app controls**

*   **Safe browsing & app vetting:** Keep **Play Protect** on; block app installs from unknown sources; require managed app stores. [Google Help](https://support.google.com/android/answer/2812853?hl=en&utm_source=chatgpt.com)
*   **Profiles/configs:** Ban installation of **unapproved configuration profiles** on iOS; profiles can alter trust roots, VPN/DNS, or MDM—serious risk. [TechTarget](https://www.techtarget.com/searchmobilecomputing/tip/How-to-ensure-iPhone-configuration-profiles-are-safe)

**6) Payments & approvals over mobile**

*   **Dual-control + callback:** Any payment, supplier bank change, or gift card purchase requires **two approvers + callback** using a **known** number (not from the message).
*   **No “approve via link in SMS”** for finance/HR workflows.

**Why:** Classic BEC remains costly; process guardrails beat human judgment under time pressure.

**7) Reporting & response (fast lane)**

*   **Single tap to report:** Add a **Report SMS/Message** action in MDM help app; route to SecOps + vendor for takedown.
*   **Preserve evidence:** Staff should keep the message, screenshot the **full URL**, and note the time before deleting.
*   **Automated blocks:** Add sender and destination domains/hosts to mobile and email gateways; watch for newly linked devices.

* * *

**Rollout checklist**

1.  **Turn on number-matching** (Microsoft Entra ID) and review MFA methods; **prefer passkeys/FIDO2**.
2.  **Update BYOD policy** with the clauses above; require **managed app stores** & **no QR-linking on unmanaged desktops**.
3.  **Set MDM rules**: block unknown sources on Android, block unapproved **iOS profiles**, alert on new WhatsApp/Signal **linked devices**.
4.  **Run a bite-size training** using AutoPhish. For a Works-Council-friendly approach, use anonymized metrics—our [guide](https://autophish.io/blog/privacy-friendly-phishing-training-works-councils-consent-and-gdpr-essentials) explains how.

* * *

**FAQ**

**Q1) Can phishing be done by phone?**

Yes. **Smishing** (SMS) and **messenger DMs** are common phishing channels. Messages link to fake login pages, payment sites, or app installs; they may also attempt **voice phishing (vishing)** callbacks. CISA defines smishing as SMS-based social engineering and details how links can trigger actions on mobile. [CISA](https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks)

**Q2) Can phishing be used for identity theft?**

Absolutely. The goal is often **credential theft** (email, bank, cloud apps) or collection of personal data that enables account takeover and financial fraud. FBI/IC3 PSAs have repeatedly warned that QR/smishing campaigns harvest personal and financial data for fraud. [Internet Crime Complaint Center](https://www.ic3.gov/PSA/2025/PSA250731)

**Q3) Can a phishing link install malware on my phone?**  


Sometimes—**but** it usually needs extra steps.

*   On **Android**, a site might try to get you to **sideload an APK**; Play Protect reduces risk but allowlisting sources in policy is key. [Google Help](https://support.google.com/android/answer/2812853?hl=en&utm_source=chatgpt.com)
*   On **iOS**, direct installs are restricted; attackers may push **malicious configuration profiles** or exploit rare **zero-click** vulnerabilities. (Recent WhatsApp advisories highlight targeted zero-click issues that were patched; keep apps updated.) [TechTarget+1](https://www.techtarget.com/searchmobilecomputing/tip/How-to-ensure-iPhone-configuration-profiles-are-safe)Most of the time, the **bigger risk is credential harvesting and session theft**—which leads to identity fraud even without malware. [CISA](https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks)

**Q4) Are QR codes safe to scan?**

Treat QR codes like a **link**: only scan from trusted sources, prefer managed devices, and **preview the URL** before opening. FBI/IC3 specifically warned about QR-based schemes (including unsolicited items with embedded QR). [Internet Crime Complaint Center](https://www.ic3.gov/PSA/2025/PSA250731)

**Q5) Is WhatsApp phishing real if I have 2FA?**


Yes. Attackers can trick users into **linking a new device via QR**, bypassing passwords by stealing **session access**. Enable WhatsApp’s **two-step verification PIN**, monitor **linked devices**, and never link from an untrusted desktop. [Microsoft](https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/)

**Q6) What should finance/HR do differently on mobile?**  


No approvals or bank changes via links or chat. Use **ticket + dual-control + callback** to a known number, every time. Our [incident recap](https://autophish.io/blog/10-wild-phishing-and-phish-adjacent-stories-from-2024-2025-including-important-lessons-learned) explains why this stops even slick deepfake/DM stunts.

* * *

**Further reading & resources**

*   **CISA mobile best practices** and why **FIDO/phishing-resistant MFA** beats SMS/app codes. [CISA](https://www.cisa.gov/sites/default/files/2024-12/joint-guidance-mobile-communications-best-practices_v2.pdf)
*   **NCSC BYOD guidance** to structure a sane, workable personal-device policy. [NCSC+1](https://www.ncsc.gov.uk/collection/device-security-guidance/bring-your-own-device)
*   **Microsoft on evolving identity attacks** (push fatigue → number-matching → passkeys). [Microsoft Learn+1](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-default-enablement)
*   **IC3 PSA on QR fraud** (current scams, reporting). [Internet Crime Complaint Center](https://www.ic3.gov/PSA)

* * *

**How AutoPhish can help**

*   **Mobile-aware simulations:** Safe **smishing**, **QR**, and **messenger-style** scenarios with instant coaching (coming soon)
*   **Policy-driven training:** Our [privacy-friendly training approach](https://autophish.io/blog/privacy-friendly-phishing-training-works-councils-consent-and-gdpr-essentials) keeps Works Councils onside while changing behavior.

## Why Role-Based Training Matters

Phishing is still the number one entry point for cyberattacks. According to [Verizon’s 2024 Data Breach Investigations Report](https://www.verizon.com/business/resources/reports/dbir/), over 68% of breaches involve the human element, with phishing and stolen credentials leading the charge.  

The problem? Not all employees face the same risks. A finance controller has very different exposure compared to an HR manager or an IT helpdesk agent. This is why **role-based phishing simulations** are now considered best practice for any serious security awareness program.  

Instead of sending the same generic “password reset” email to everyone, role-based simulations:  

- Target specific job functions with realistic but safe scenarios.  
- Train employees on the threats they’re most likely to face.  
- Provide actionable metrics to improve defenses where they matter most.  

This blog post will walk you through **scenarios, guardrails, and KPIs** for the four most at-risk groups: Finance, HR, IT, and Executives. 

---

## Finance: Wire Transfers and Invoice Fraud

If you’re in finance, you’re on the front line of **Business Email Compromise (BEC)** attacks. Criminals impersonate suppliers, executives, or even regulators to trick employees into approving fraudulent payments. Losses from BEC scams exceeded [55 billion over the last 10 years](https://www.tripwire.com/state-of-security/bec-cost-citizens-worldwide-over-55bn-last-10-years).  

### Example Scenarios
- **Invoice Fraud:** Fake invoice request from a “supplier.”  
- **CEO Wire Request:** Spoofed executive email asking for urgent payment.  
- **Bank Verification:** Request to “confirm account details” via a link.  

### Guardrails for Simulations
- Don’t use personal/emotional triggers (“bonus payment” or “layoff list”).  
- Keep simulations clearly professional and finance-related.  

### Metrics to Track
- % of users who click the link.  
- % who attempt to initiate payment.  
- % who report the email via the phishing button.  

---

## HR: Payroll & Sensitive Data

HR departments are gold mines for attackers: payroll data, PII, and access to employee portals. Attackers often pose as staff requesting urgent changes.  

### Example Scenarios
- **Payroll Diversion:** Request to change direct deposit details.  
- **Resume Malware:** “Candidate” attaches a poisoned CV.  
- **Policy Update:** Fake HR portal login for compliance documents.  

### Guardrails for Simulations
- Never simulate life events like pregnancies, medical issues, or layoffs.  
- Avoid emotional manipulation — focus on administrative risks.  

### Metrics to Track
- % who download attachments.  
- % who enter credentials.  
- % who report the email via the phishing button.  

---

## IT: MFA Fatigue & Account Resets

IT staff are bombarded with requests — a perfect target for attackers abusing MFA fatigue or password reset flows.  

### Example Scenarios
- **MFA Push Flood:** Repeated login requests from “new device.”  
- **System Update:** Spoofed IT alert with a login link.  
- **Ticket Escalation:** Fake service desk message with embedded URL.  

### Guardrails for Simulations
- Make it clear this is *not* a test of job performance.  
- Avoid highly technical jargon that could confuse non-IT staff if simulations spill over.  

### Metrics to Track
- % of MFA prompts accepted without verification.  
- % who click malicious IT links.  

---

## Executives: High-Value Targets

Executives are prime targets for **whaling** (CEO fraud) and **contract scams**. Attackers know they’re busy, trust assistants, and often bypass standard processes.  

### Example Scenarios
- **Contract Signature:** Urgent DocuSign link for a new deal.  
- **M&A Leak:** Confidential acquisition “details” requiring login.  
- **Board Communication:** Fake message from a board member.  

### Guardrails for Simulations
- Don’t embarrass executives with trivial lures.  
- Keep tone professional; focus on decision-making risks.  

### Metrics to Track
- % of executives who click without verification.  
- Response time to report suspicious emails.  
- Cross-check with assistants/EA reporting behavior.  

---

## Cross-Department Simulation Guardrails

While each department has its nuances, there are common rules that keep simulations safe and constructive:  

1. **No “gotcha” emails.** Training should build trust, not resentment.  
2. **Stay professional.** Avoid personal or sensitive themes.  
3. **Be transparent.** Communicate to staff that simulations are ongoing and for their protection.  
4. **Respect works councils and privacy.** Tools like [AutoPhish](https://autophish.io/anonymization) anonymize results and support GDPR compliance.  

---

## Building a Simulation Roadmap

Here’s how to scale role-based training:  

1. **Phase 1:** Start broad — generic phishing for all staff.  
2. **Phase 2:** Introduce role-based simulations by department. This can easily be done by using AutoPhish's campaign feature, setting up role-based campaigns.
3. **Phase 3:** Cross-department scenarios (e.g., fake invoice sent to both Finance and Execs).  
4. **Phase 4:** Adaptive campaigns.  

This phased approach avoids overwhelming staff and shows measurable improvement.  

---

## Final Thoughts

Role-based phishing simulations are no longer a “nice to have.” They’re the difference between a generic awareness program and one that actually reduces risk where it matters most.  

By focusing on **scenarios, guardrails, and metrics**, you can train Finance, HR, IT, and Executives in the threats that target them directly — and build a culture of resilience.  

Ready to see it in action? Try [AutoPhish](https://autophish.io/) today and make your next simulation smarter, safer, and role-aware.  



## TL;DR

- **Lure** → **Capture** → **Session/Token theft** → **Lateral movement** → **Impact**  
- Identity + **session** protection is everything—and the fastest path to durable resilience is frequent, realistic practice that builds instinct.

## Intro

If you’re wondering **how phishing works** in 2025, here’s the honest answer: attackers rarely stop at passwords — they want your **session**. And if they can’t get you by email, they’ll try a QR code on your phone, a slick SaaS consent screen, or even a deepfaked video call with your “CFO.” Fun (for them).

Below is the modern kill chain most incidents follow—plus where **AutoPhish** makes you much harder to fool.

## 1) The Lure: email, QR, and scarily convincing “humans”

Phishing still arrives by **email**, but URLs are the star. Proofpoint’s latest **Human Factor 2025** research shows URLs are used _around four times_ more than attachments in malicious emails—and **4.2 million QR-code (quishing) threats** were flagged in just the first half of 2025 ([blog overview](https://www.proofpoint.com/us/blog/email-and-cloud-threats/human-factor-vol-2-offers-new-insights-phishing), [Vol. 2 report page](https://www.proofpoint.com/us/resources/threat-reports/human-factor-url-phishing)).

Then there’s the human layer: **deepfake video/voice**. The Arup case—~$25M lost after a deepfaked group call—shows how social engineering now looks like a perfectly normal meeting invite ([Guardian](https://www.theguardian.com/technology/article/2024/may/17/uk-engineering-arup-deepfake-scam-hong-kong-ai-video), [World Economic Forum](https://www.weforum.org/stories/2025/02/deepfake-ai-cybercrime-arup/)). Policies that require secondary verification beat “vibes” every time.

Want a field guide to spot the tricks inside a single message? Start with **[The Anatomy of a Modern Phishing Email](https://autophish.io/blog/the-anatomy-of-a-modern-phishing-email-what-your-employees-miss-every-day)** on our blog.

---

## 2) Capture: credentials _or_ consent—both open the door

Attackers don’t always ask for your password. Increasingly, they present a legit-looking **SaaS/OAuth consent screen** (“Allow this app to read your mail?”). If you click **Allow**, they gain durable API access—**no password needed**. Microsoft’s guidance on **illicit consent grants** explains detection and remediation ([Microsoft Learn](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent) [Microsoft Learn 2](https://microsoft.com/en-us/defender-office-365/detect-and-remediate-illicit-consent-grants); also see the [app-consent incident response playbook](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent)).

Old-school **credential harvesters** still work, often hosted behind reputable services (forms/storage/view-only files) to dodge filters. Proofpoint’s *Human Factor* series and Microsoft’s threat posts highlight the shift toward URL-centric delivery ([Proofpoint](https://www.proofpoint.com/us/resources/threat-reports/human-factor-url-phishingng), [Microsoft](https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/)).

---

## 3) Session/Token theft: bypassing MFA with a tiny man-in-the-middle

Here’s the 2025 twist: **Adversary-in-the-Middle (AiTM)** toolkits sit between you and Microsoft/Google, **proxy the login**, and **steal your session cookie** after you successfully pass MFA. The attacker then **replays** that cookie and walks right in—**no password, no second factor**. See Microsoft’s analyses and playbooks, plus Proofpoint and Talos reporting ([MSFT Security Blog](https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/); see also:
- [Cisco Talos IR:](https://blog.talosintelligence.com/ir-trends-q2-2025/)ry-point-to-further-financial-fraud/), 
- [Multi‑stage AiTM](https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/), 
- [Session‑cookie theft alert playbook](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent)
- [Proofpoint on AiTM](https://www.proofpoint.com/us/blog/email-and-cloud-threats/aitm-phishing-attacks-evolving-threat-microsoft-365)
- [Talos IR Q2 2025](https://blog.talosintelligence.com/ir-trends-q2-2025/).

---

## 4) Lateral movement: once inside, attackers get comfy

With mailbox or token access, attackers set **inbox rules**, register **malicious OAuth apps**, and pivot to perform **BEC**—sometimes for weeks before anyone notices (see Microsoft’s guidance on session-cookie theft alerts: [learn.microsoft.com](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent)). For real-world color (and quick guardrails), see **[10 Wild Phishing (and Phish-Adjacent) Stories from 2024–2025](https://autophish.io/blog/10-wild-phishing-and-phish-adjacent-stories-from-2024-2025-including-important-lessons-learned from-2024-2025-including-important-lessons-learned)**.

---

## 5) What actually stops this? (Practical controls)

- **Phishing-resistant MFA (passkeys/FIDO2)** and limiting weak fallbacks (SMS/voice codes). CISA and NIST‑aligned guidance: [CISA success story (USDA)](https://www.cisa.gov/news-events/alerts/2024/11/20/usda-releases-success-story-detailing-implementation-phishing-resistant-multifactor-authentication), [CISA HISG on passkeys](https://www.cisa.gov/resources-tools/services/hybrid-identity-solutions-guidance-hisg), and the **Phishing‑Resistant Authenticator Playbook** ([IDManagement.gov](https://www.idmanagement.gov/playbooks/altauthn/)). For a plain‑English explainer, see WIRED’s overview of [how passkeys work](https://www.wired.com/story/what-is-a-passkey-and-how-to-use-them/).
- **Consent governance:** block risky OAuth app consent, require admin approval, and educate users about **what an app is asking for** ([Microsoft Learn](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent).
- **Anti‑AiTM controls:** conditional access with **token binding** where possible, vigilant revocation of sessions, and alerts on unusual inbox rules ([MSFT Token Theft Playbook](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent)icrosoft.com/en-us/security/operations/token-theft-playbook)).
- **User behavior:** treat **QR codes** like links; don’t scan from unsolicited messages. Proofpoint’s 2025 data shows quishing is mainstream now ([Proofpoint blog](https://www.proofpoint.com/us/blog/email-and-cloud-threats/human-factor-vol-2-offers-new-insights-phishing)).

---

## Where AutoPhish makes a measurable difference

AutoPhish is designed around those exact failure points (and it’s EU/GDPR‑friendly by design):

- **Role‑aware realism.** We generate **ever‑fresh lures** per role and industry (finance, HR, execs)—covering **emails**, **QR campaigns**, and **SaaS‑consent** prompts. That builds instinct against the attacks people actually face. Learn how we do it in **[Phishing Simulations‑as‑a‑Service Explained](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish)**.
- **Kill‑chain‑aware simulations.** We don’t stop at a click—we teach what a **consent screen** looks like, why it’s risky, and how to respond (see also our **[Anatomy of a Modern Phishing Email](https://autophish.io/blog/the-anatomy-of-a-modern-phishing-email-what-your-employees-miss-every-day)** guide).
- **Just‑in‑time training + clear reports** you can take to audits (NIS2/ISO‑friendly). If you’re weighing formats, compare **[Automated vs. Manual Campaigns](https://autophish.io/blog/automated-phishing-testing-vs-manual-campaigns-which-is-best-for-your-business)**.
- **Employee‑friendly & GDPR‑smart.** Options for **anonymization/pseudonymization**, short retention, and works‑council‑compatible guardrails—because culture and compliance matter. Details: **[Privacy‑Friendly Phishing Training](https://autophish.io/blog/privacy-friendly-phishing-training-works-councils-consent-and-gdpr-essentials)**.

Curious about open-source vs. SaaS trade‑offs? We’ve compared them in **[Open‑Source Tools vs. Managed Solutions](https://autophish.io/blog/open-source-phishing-simulation-tools-vs-managed-solutions-a-technical-and-business-comparison)**.


## FAQ: How phishing works

**Can a phishing link install malware?**  
Yes. A link can trigger a **drive‑by download** or lead to a site that drops malware—or it can simply steal your credentials. Keep software patched, use reputable endpoint protection, and avoid opening links/attachments from unknowns ([Emsisoft explainer](https://www.emsisoft.com/en/blog/38301/drive-by-downloads-can-you-get-malware-just-from-visiting-a-website/), [Kaspersky](https://usa.kaspersky.com/resource-center/definitions/drive-by-download)).

**Can phishing be done by phone?**  
Absolutely. **Vishing** (voice) and **smishing** (SMS) are mainstream—often augmented with AI voice cloning. Verify through a known channel before acting (definitions from the [FBI](https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/spoofing-and-phishing) and [FCC](https://www.fcc.gov/avoid-temptation-smishing-scams)).

**What is “quishing”?**  
**QR‑code phishing**: a message/poster contains a QR code that sends you to a malicious site—often on your **phone**, away from enterprise protections. Treat QR codes like links; don’t scan from unsolicited messages (see Proofpoint’s 2025 data on QR threats: [overview](https://www.proofpoint.com/us/blog/email-and-cloud-threats/human-factor-vol-2-offers-new-insights-phishing)).

**Does MFA stop all phishing?**  
MFA is essential, but **AiTM** can steal the **session cookie after MFA**. Prefer **phishing‑resistant MFA (passkeys/FIDO2)** and disable weak fallbacks (SMS/voice) where you can ([MSFT on AiTM](https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/; see also https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/; Cisco Talos IR: https://blog.talosintelligence.com/ir-trends-q2-2025/)); [CISA playbooks](https://www.idmanagement.gov/playbooks/altauthn/).

**What’s OAuth consent phishing, in one sentence?**  
A malicious app asks for permission to your data; if you click **Allow**, it keeps API access **until consent is revoked**—even without your password ([Microsoft Learn](https://learn.microsoft.com/en-us/defender-office-365/detect-and-remediate-illicit-consent-grants)).


> Want this explained to your whole team—with hands‑on practice? Launch a monthly, role‑aware program in minutes with **AutoPhish**. Make your people the firewall.

QR codes turned into logins. AI impersonated your CFO on Zoom. “Internal” emails arrived from the great beyond. The past two years were a nonstop parade of inventive cons – equal parts brazen and brilliant. Below, we tour ten real incidents that defined the era and, more importantly, translate each one into plain-English guardrails you can put in place. Sources are linked throughout so you can go deeper whenever you like.

**1) Change Healthcare: one portal, no MFA, and a very expensive lesson (Feb 2024)**

In February 2024, attackers walked through the digital front door at Change Healthcare using **stolen credentials**—no alarms, no second factor, just a remote portal without MFA. The breach eventually spiraled into ALPHV/BlackCat ransomware and nationwide disruption in healthcare billing. Executives later testified that the compromised entry point **did not** have MFA enabled—an omission that reads like a plot twist you can see coming a mile away ([Reuters](https://www.reuters.com/world/us/unitedhealth-ceo-testifies-before-us-senate-house-hack-2024-05-01/); context via [Cybersecurity Dive](https://www.cybersecuritydive.com/news/change-healthcare-compromised-credentials-no-mfa/714792/); sector wrap-ups from the [AHA](https://www.aha.org/system/files/media/file/2025/02/Change-Healthcare-Cyberattack-Underscores-Urgent-Need-to-Strengthen-Cyber-Preparedness.pdf) and [HHS OCR](https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html)).

Why did it work? Because one non-MFA’d app is a skeleton key in a world drenched in infostealer logs and password reuse. The countermeasure is gloriously unsexy: **phishing-resistant MFA (FIDO2)** everywhere the public can see you, ideally behind **SSO + conditional access**, with legacy protocols turned off. Add basic anomaly alerts—impossible travel, odd ASNs, strange hours—and you at least get a fighting chance to catch the first footsteps.

**2) Pepco Group: classic BEC, polished like a diamond (Feb 2024)**

Pepco’s Hungarian business lost about **€15.5 million** to what reads like a textbook—but extremely well executed—**business email compromise**. No malware extravaganza; just convincing messages, authority, urgency, and a payment process that trusted the inbox too much ([company notice](https://www.pepcogroup.eu/media-news/pepco-group-n-v-notice-regarding-hungarian-business/) / [PDF](https://www.pepcogroup.eu/wp-content/uploads/2024/02/Pepco-Group-Notice-regarding-Hungarian-business-vF.pdf); coverage via [Reuters](https://www.reuters.com/technology/cybersecurity/retailer-pepco-loses-about-15-mln-euros-hungarian-phishing-attack-2024-02-27/) and [Help Net Security](https://www.helpnetsecurity.com/2024/02/28/pepco-phishing-bec-attack/)).

The fix is cultural as much as technical: treat money movement like a cockpit checklist. **Dual approvals**, **callback verification to known numbers**, supplier portals with **2FA**, and a **hold period** for first-time bank-detail changes transform “please pay this urgently” into “sure—after we follow the process.”

**3) The Arup deepfake boardroom: when faces lie (Jan–May 2024)**

A finance employee at **Arup** joined a video call with the “CFO” and colleagues. They looked right, sounded right, moved right—and were **AI deepfakes**. Roughly **$25 million** left the building before reality caught up ([Financial Times](https://www.ft.com/content/b977e8d4-664c-4ae4-8a8e-eb93bdf785ea); [CFO Dive](https://www.cfodive.com/news/scammers-siphon-25m-engineering-firm-arup-deepfake-cfo-ai/716501/); background via [CNN/Yahoo](https://finance.yahoo.com/news/british-engineering-giant-arup-revealed-030558740.html)).

We’ve trained people to “trust the face.” Deepfakes torch that instinct. The pragmatic fix is policy, not paranoia: **no funds released on live calls alone**. Require a **ticketed approval** plus a **verbal callback** to a number pulled from an internal directory—never from the email or the meeting invite. Teach teams to spot telltales (lip-sync drift, odd latencies) and to use backchannels when something feels off.

**4) Paris 2024: the Olympics of fake ticketing (mid-2024)**

Hype, scarcity, and immaculate branding make for superb phishing weather. Heading into Paris 2024, law enforcement and researchers flagged **hundreds of fraudulent sites** hawking tickets, hospitality, and “priority access.” At one point the French gendarmerie counted **338** suspect domains. The playbook was simple: SEO-poisoning, cloned logos, and urgency that makes even savvy buyers forget their rules ([Proofpoint](https://www.proofpoint.com/us/blog/threat-insight/security-brief-scammers-create-fraudulent-olympics-ticketing-websites); consumer warnings via [CBS News](https://www.cbsnews.com/news/paris-olympics-ticket-scams/); official notices at [Olympics.com](https://www.olympics.com/en/news/free-ticket-scam-for-the-opening-ceremony-of-the-paris-2024-paralympic-games)).

If your staff travel or buy event access, front-load the safety briefing: **type, don’t click**, and only on **official URLs**. On the backend, watch for **typosquats** and block **brand-new domains** in high-risk categories for a cooling-off period. A little friction beats expensive FOMO.

**5) Snowflake-linked breaches: one password to rule them all (spring–summer 2024)**

Ticketmaster, Santander, and others reported data accessed via **customer Snowflake environments**, with a familiar villain: **stolen credentials** and **missing MFA**. Snowflake itself said its platform wasn’t breached; rather, attackers rode in on real keys to customer instances and got to querying ([Dark Reading](https://www.darkreading.com/threat-intelligence/snowflake-account-attacks-driven-by-exposed-legitimate-credentials); [The Verge](https://www.theverge.com/2024/6/11/24176080/snowflake-cloud-storage-data-breach-ticketmaster-santander); [Google Threat Intelligence](https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion); [Push Security](https://pushsecurity.com/blog/2024-identity-breaches/)).

If your data lives in SaaS, treat identity like your new network perimeter. Put **SSO/SAML + MFA** in front, add **IP allowlists/VPN**, and instrument for **unusual query volumes** or sudden **role changes**. Keys and tokens should rotate the way you change the batteries in a smoke alarm: regularly, before the fire.

**6) Star Blizzard’s WhatsApp pivot: your QR code is a session token (late 2024–Jan 2025)**

FSB-linked **Star Blizzard** started corralling diplomats and policy folks into scanning **WhatsApp QR codes**, turning a simple handoff into account takeover. The move cleverly sidestepped email controls and shifted the conversation to a compromised app where trust is high and scrutiny is low ([Microsoft](https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/); [BleepingComputer](https://www.bleepingcomputer.com/news/security/star-blizzard-hackers-abuse-whatsapp-to-target-high-value-diplomats/); [The Guardian](https://www.theguardian.com/technology/2025/jan/17/russian-hackers-star-blizzard-whatsapp-accounts-ministers-officials)).

The mindset shift is crucial: **QR codes often _are_ authentication**. Train people to treat scans like passwords, restrict linking on unmanaged devices via MDM, and require **number-matching MFA** where available. Also, watch for **new linked devices** and suspicious location jumps—both are early smoke.

**7) Quishing at scale: Microsoft Sway as a lure factory (Aug 2024)**

Attackers leaned on **Microsoft Sway** to host slick, **QR-code phishing** pages that slipped past filters thanks to first-party halo effects. The QR image concealed the true destination, and scanners not built to decode images saw only a nice, clean file hosted by a trusted brand ([BleepingComputer](https://www.bleepingcomputer.com/news/security/microsoft-sway-abused-in-massive-qr-code-phishing-campaign/"%20\t%20"_new); original research from [Netskope](https://www.netskope.com/blog/phishing-in-style-microsoft-sway-abused-to-deliver-quishing-attacks)).

Defenders can answer in kind: add **QR decoding** to email/web security, scrutinize **new Sway/Forms/Sites** links, and lock identity down with **passwordless MFA**, **conditional access**, and **continuous access evaluation**. On mobile, teach people how to preview URLs before opening them—tiny skill, huge payoff.

**8) Trezor: when your support desk becomes the social engineer (Jan 2024 & Jun 2025)**

In **January 2024**, a **third-party support portal** tied to **Trezor** exposed contact details for ~66,000 users—jet fuel for follow-on phishing. By **June 2025**, adversaries went a step further, **abusing Trezor’s support form** to send convincing auto-replies that looked official enough to make even veterans blink ([BleepingComputer](https://www.bleepingcomputer.com/news/security/trezor-support-site-breach-exposes-personal-data-of-66-000-customers/"%20\t%20"_new); [BleepingComputer](https://www.bleepingcomputer.com/news/security/trezors-support-platform-abused-in-crypto-theft-phishing-attacks/)).

Your support stack is part of your security perimeter. Treat it accordingly: **rate-limit auto-replies**, enforce strict **DKIM/DMARC alignment**, scan templated responses for risky language (especially around “recovery” and crypto), and publish **clear safety PSAs** so customers know what you’ll never ask them to do.

**9) “Internal” without compromise: M365 Direct Send gets cheeky (Jun–Aug 2025)**

Campaigns abusing **Microsoft 365’s Direct Send** made it possible to **spoof internal users** without actually taking over an account. That little detail matters, because “from IT@yourcompany” still carries psychological weight—even when the authentication story is mushy ([Varonis](https://www.varonis.com/blog/direct-send-exploit); summaries via [Dark Reading](https://www.darkreading.com/cyber-risk/phishers-abuse-m365-direct-send-to-spoof-internal-users) and [Arctic Wolf](https://arcticwolf.com/resources/blog/arctic-wolf-observes-microsoft-direct-send-abuse/)).

Tighten your **connector rules**, limit the scope of Direct Send, and prefer **authenticated SMTP** where you can. Teach people that “internal” isn’t a magic word; if an email tries to move money or credentials, the verification should happen in a portal or via a known backchannel—not a convenient blue link.

**10) AI site builders drafted into the phish factory: Lovable at scale (2025)**

Finally, a very 2025 plot line: attackers using AI website builders—**Lovable** in particular—to crank out **tens of thousands** of phishing and malware pages with on-brand design and near-instant turnaround. Fresh domains plus pretty templates equals a steady drip of clicks before reputation systems catch up ([Proofpoint](https://www.proofpoint.com/us/blog/threat-insight/cybercriminals-abuse-ai-website-creation-app-phishing); coverage via [BleepingComputer](https://www.bleepingcomputer.com/news/security/ai-website-builder-lovable-increasingly-abused-for-malicious-activity/) and [TechRadar](https://www.techradar.com/pro/security/top-ai-website-builder-lovable-hit-in-worrying-cyberattack-heres-what-we-know)).

Defensively, expand your URL intelligence to include **time-since-registration** and **builder/hosting reputation**, and don’t reflexively whitelist shiny new domains just because they look professional. Criminals can look professional now, too—it’s kind of their thing.

**The pattern you can’t ignore**

Across all ten stories, the same threads keep showing up. **Credentials and session tokens are gold.** **MFA gaps are fatal.** **“Internal” is a feeling, not a control.** And **AI is both accelerant and firehose**—it speeds up attackers and overwhelms defenders, but it also gives us better training and detection if we choose to use it.

If you only do a few things this quarter, make them these: roll out **phishing-resistant MFA** and retire legacy auth; add **QR decoding** to your email/web stack; stage realistic **BEC and deepfake drills** for finance and execs (with mandatory callbacks); and put **support, marketing, and event workflows** squarely in your threat model with rate limits, DMARC alignment, and pre-emptive warnings.

And if you want to practice safely, that’s our jam. AutoPhish can recreate the trends you’ve just read about—**quishing**, **AI-style lures**, **“internal” spoofing**, and meticulous **BEC**—then follow up with bite-sized training that actually sticks. Because seeing the trick once, in a safe environment, is how you stop it when it really counts.

> ⚖️ This article is general information - for specific decisions about your organisation, consult a qualified lawyer in your jurisdiction.

---

## TL;DR
You can run impactful phishing simulations in the EU without alienating staff or risking non-compliance by: 
1. using **legitimate interests** (not consent) as your primary legal basis and documenting a balancing test; 
2. engaging **works councils** early and codifying guardrails in a works agreement where required; 
3. prioritising **anonymization/pseudonymization**, **short retention**, and **transparent notices**; and 
4. running a DPIA if your context points to **high risk** (e.g., systematic monitoring).

---

## 1) Lawful basis: why **legitimate interests** usually beats consent
In the employment context, consent is **rarely freely given** because of the employer–employee power imbalance. The European Data Protection Board’s *Guidelines 05/2020 on Consent* underline that employee consent is valid only in **exceptional** circumstances without adverse consequences for refusal. For phishing simulations, a better fit is **Article 6(1)(f) legitimate interests**, documented with a **Legitimate Interests Assessment (LIA)** that weighs your security needs against employees’ rights and expectations.

**Good practice for the LIA**  
- Define the interest (security awareness; fraud prevention).  
- Map reasonable employee expectations (training is normal; covert profiling is not).  
- List mitigations (see Sections 3–5).  
- Record why consent would be inappropriate in your context.

References: EDPB *Guidelines 05/2020 on Consent*; GDPR Recital 47 (reasonable expectations).

---

## 2) Works councils: Germany & Austria in focus
If you operate in countries with strong co-determination, involve the works council before rollout.

- **Germany (BetrVG §87(1) No. 6):** the works council co-determines the *“introduction and use of technical devices designed to monitor employee behaviour or performance.”* Even simple dashboards can trigger this, so a **Betriebsvereinbarung** (works agreement) that sets scope, data handling, and safeguards is common practice.  
- **Austria (ArbVG §96(1) No. 3):** monitoring measures and technical systems that may affect human dignity require **works council consent** (or **individual consent** if no works council).

**What to include in the agreement/works policy**  
Purpose & scope, lawful basis, minimal data collected, **no disciplinary use** of metrics alone, who sees what, retention & anonymization schedule, vendor list (processors/sub-processors), employee rights, and an annual review clause.

Sources: Germany—BetrVG §87(1) no. 6 (official English text); analysis by Luther Law. Austria—Eurofound summary of ArbVG §96(1) no. 3; Schoenherr explainer.

---

## 3) Anonymization vs. Pseudonymization (and what it means for reports)
- **Anonymization** (GDPR Recital 26): once data is truly anonymous, GDPR no longer applies.  
- **Pseudonymization** (GDPR Art. 4(5)): data is still personal if it can be re-linked via separate keys; treat it accordingly.

**Privacy-centric reporting model**  
- Default to **aggregates by team/location**.  
- Use **stable random IDs** for trend analysis instead of names; keep the key separate with strict access control.  
- Show **individual results only to a small, need-to-know group** (e.g., security awareness lead + HR) and only when necessary for targeted coaching.  
- Never collect real passwords; if a user attempts to submit credentials, show a training page and **discard any entry**.

For a practical example of how a platform implements these concepts, see **AutoPhish’s anonymization** overview: https://autophish.io/anonymization

---

## 4) Retention: shorter is safer (and required by principle)
GDPR’s **storage limitation** principle requires keeping personal data in identifiable form **no longer than necessary** for the stated purpose. For phishing programs, many SMEs adopt a two-tier window:  
- **Operational window (e.g., 30–90 days):** identifiable data available for coaching and remediation.  
- **Post-campaign analytics:** thereafter **aggregate/anonymize**, keeping only non-identifiable trends for long-term KPI tracking.

Document this in your **Article 30 records of processing** and in your employee privacy notice.

---

## 5) Notices: be transparent and plain-language (Art. 13)
Before your first campaign, provide a short internal notice (or update your employee privacy policy) that explains: the **purpose** (security awareness), **lawful basis** (legitimate interests), what data you collect (e.g., email, department, click/report events), **retention**, who can access individual-level data (limited roles), **no disciplinary use** of single events, **employee rights** (access/objection), and a **contact** (DPO or privacy lead).

**Copy-paste starter (adapt to your context)**  
> We run periodic phishing simulations to build security awareness and reduce fraud risk. We process your name, work email, department, and simulation interactions (e.g., opened/reported/submitted). Our lawful basis is legitimate interests (GDPR Art. 6(1)(f)). Individual-level data is visible only to the security awareness team (and HR where necessary for targeted coaching). We keep identifiable data for **[X days]** and then aggregate/anonymize. We never store real passwords. You can exercise your data rights (access/objection, etc.) via **[contact]**. See **[link to your full employee privacy notice]**.

---

## 6) Do you need a DPIA?
A **Data Protection Impact Assessment (DPIA)** is required when processing is **likely to result in high risk** to individuals (Art. 35). Regulators and the EDPB note that **employee monitoring** may trigger a DPIA—especially where processing is systematic or involves vulnerable data subjects. If your programme introduces new tooling, large-scale metrics, or cross-border transfers, err on the side of conducting a DPIA.

**What to cover**: purpose/necessity, alternatives (less intrusive options), data flows, risks, mitigations (anonymization, minimization, role-based access, short retention, no-blame coaching), and a plan for periodic review.

---

## 7) Vendors & international transfers
If you use a platform provider, you’re the **controller** and they’re a **processor**; sign a **Data Processing Agreement** that meets **Article 28** requirements (security, sub-processor controls, assistance with data rights, deletion at end of service). If the provider or its sub-processors are outside the EEA, implement the **Standard Contractual Clauses** and perform a transfer risk assessment.

---

## 8) NIS2: if you’re in scope, training is no longer optional
For entities covered by the **NIS2 Directive**, management must oversee cybersecurity risk-management measures (Art. 20) and ensure appropriate training and incident processes (Art. 21). Even if you’re not in scope, the bar NIS2 sets is a useful benchmark for SMEs.

---

## 9) A practical, privacy-first architecture (that still works)
- **Data in:** name, email, team, and manager (optional). No personal emails; no special categories.  
- **During campaign:** collect only **event data** (delivered, clicked, reported, submitted). If a user tries to enter credentials, show training and capture **no secrets**.  
- **Access control:** the awareness team can see cohorts and anonymized IDs
- **Retention:** 30–90 days for identified data → auto-anonymize; keep aggregates for year-over-year trends.  
- **Outputs:** exec report shows **rates and trends**, not names.  
- **Governance:** LIA + (if needed) DPIA on file; Article 30 register updated; works agreement approved.

---

## Final thoughts
Privacy-friendly phishing training is not a contradiction. With the right lawful basis, genuine worker representation, and technical guardrails like anonymization and short retention, your programme can **protect people and their data** while measurably reducing risk. When in doubt, get legal advice tailored to your facts.

## Legal references (Germany & Austria)

*   **Germany — Works Constitution Act (BetrVG) §87(1) no. 6 (official English text)**  
    [Gesetze im Internet – Works Constitution Act (Betriebsverfassungsgesetz – BetrVG), English translation](https://www.gesetze-im-internet.de/englisch_betrvg/englisch_betrvg.html)
    
*   **Analysis by Luther Law**  
    [“Perennial issue: software vs. co-determination (Section 87 (1) No. 6 BetrVG)” — Luther Law](https://www.luther-lawfirm.com/en/newsroom/blog/detail/dauerbrenner-software-vs-mitbestimmung-87-abs-1-nr-6-betrvg)
    
*   **Austria — Eurofound summary of ArbVG §96(1) no. 3**  
    [Eurofound: Employee monitoring and surveillance — Austria](https://apps.eurofound.europa.eu/legislationdb/employee-monitoring-and-surveillance/austria)
    
*   **Schoenherr explainer (ArbVG §96(1) no. 3)**  
    [“Whistleblowing Hotline – Implementation Only with Employee Consent?” — Schoenherr](https://www.schoenherr.eu/content/whistleblowing-hotline-implementation-only-with-employee-consent)
    

---

## Further reading

*   **EDPB _Guidelines 05/2020 on Consent_**  
    [https://www.edpb.europa.eu/sites/default/files/files/file1/edpb\_guidelines\_202005\_consent\_en.pdf](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf)
    
*   **GDPR Recital 26 (anonymous data)**  
    [https://gdpr-info.eu/recitals/no-26/](https://gdpr-info.eu/recitals/no-26/)
    
*   **GDPR Article 4(5) (pseudonymization)**  
    [https://gdpr-info.eu/art-4-gdpr/](https://gdpr-info.eu/art-4-gdpr/)
    
*   **GDPR Article 5 (principles)**  
    https://gdpr-info.eu/art-5-gdpr/
    
*   **GDPR Article 13 (information to be provided)**  
    https://gdpr-info.eu/art-13-gdpr/
    
*   **GDPR Article 28 (processors)**  
    https://gdpr-info.eu/art-28-gdpr/
    
*   **GDPR Article 30 (records of processing activities)**  
    https://gdpr-info.eu/art-30-gdpr/
    
*   **GDPR Article 35 (Data Protection Impact Assessment)**  
    https://gdpr-info.eu/art-35-gdpr/
    
*   **NIS2 Directive (Articles 20–21)**  
    EUR-Lex — Directive (EU) 2022/2555 (NIS2)
    
*   **AutoPhish — Anonymization overview (product-side controls)**  
    [https://autophish.io/anonymization](https://autophish.io/anonymization)

Phishing emails might not be glamorous, but they’re the sneaky tricksters of the cyber world. They show up in inboxes pretending to be important messages — an invoice, a password reset, maybe even a fake LinkedIn invite. And unfortunately, they still work all too often. In fact, **74% of security breaches involve the human element**, with phishing being one of the top ways attackers break in [[1]](https://www.phishingbox.com/resources/phishing-facts)[[2]](https://www.phishingbox.com/resources/phishing-facts).

That’s why businesses of all sizes are turning to **phishing simulations** — basically “practice phishing attacks” that train employees to spot suspicious messages in a safe environment. Think of it like a fire drill, but for your inbox. The goal is to help employees build instincts and transform them into a “human firewall.”

But here’s the question: when it comes to running phishing simulations, should you **do them manually** (crafting fake phishing emails yourself or with the help of consultants) or rely on an **automated platform** (a service that does the heavy lifting for you)? Each approach has its perks and pitfalls. Let’s explore both in a way that’s insightful, practical, and just a bit more fun.

---

## Why Phishing Simulations Matter (Beyond Scaring Your Staff)

The idea is simple. Your company sends out a fake phishing email. If an employee clicks or submits their login details, it’s not a disaster — it’s a teaching moment. And unlike boring PowerPoint slides about security, these simulations stick. People remember what fooled them, and they get better at spotting the real thing next time [[3]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish)[[4]](https://www.cynet.com/cybersecurity/phishing-simulation-how-it-works-and-5-tools-to-get-you-started/).

On top of that, regulators are watching. Standards like the EU’s **NIS2 Directive** don’t just want firewalls and antivirus software — they expect proof that your staff are trained and tested regularly [[6]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish). A solid phishing simulation program means you can check both boxes: better security and compliance.

---

## Manual Phishing Campaigns: Handcrafted, With Love (and Effort)

So what happens if you go the manual route?

- **What it is:** Your IT/security team (or hired consultants) brainstorm phishing scenarios, design emails, send them out, and later track who clicked. Maybe it’s a fake invoice. Maybe it’s a spoofed “CEO request.” Creativity is the name of the game.
- **The good:** Manual campaigns can be incredibly realistic. A consultant who knows your business can craft spear-phishing emails that reference actual projects or internal lingo. These hyper-tailored simulations feel *uncomfortably real* — which is exactly the point.
- **The bad:** They’re expensive and time-consuming. Niche providers often charge **$3–$6 per employee per month** [[8]](https://caniphish.com/phishing-simulation), which adds up fast. Doing it in-house? It may seem “free,” but your team still spends hours designing lures, setting up domains, and crunching results. Open-source tools like GoPhish are powerful, but they require ongoing maintenance [[10]](https://autophish.io/blog/open-source-phishing-simulation-tools-vs-managed-solutions-a-technical-and-business-comparison).

Scalability is another headache. Most companies that go manual manage only a couple of campaigns a year — often tied to Cybersecurity Awareness Month. That’s better than nothing, but far from the continuous reinforcement employees really need.

And let’s be honest: creativity runs dry. After a few tries, the “fake Amazon receipt” or “password reset” gets old. Without fresh ideas, employees start recognizing the pattern, which defeats the purpose.

**Bottom line:** Manual campaigns are great for highly targeted, one-off exercises. But for regular training across the whole company, they can drain resources and don’t scale well.

---

## Automated Phishing Platforms: Set It, Forget It, Train Continuously

Now let’s talk about automation.

**Automated phishing platforms** (think KnowBe4, Hoxhunt, Cofense, or newer players like **AutoPhish**) are SaaS tools built to make phishing simulations easy, scalable, and consistent. Instead of your team manually drafting emails and logging clicks, the platform handles:

- Crafting realistic phishing emails (often from a large template library, updated with the latest scam trends [[16]](https://caniphish.com/phishing-simulation)).
- Sending them out at scale, on a schedule you set.
- Tracking exactly who clicked, reported, or ignored.
- Delivering instant feedback or training to employees who fall for it.

Some platforms even use **AI** to generate unique phishing lures that evolve over time, so employees can’t just memorize a fixed set of templates [[18]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).

### The Big Advantages
- **Efficiency & scale:** Send thousands of emails with a few clicks. Whether you’ve got 50 or 5,000 employees, the platform can handle it without extra work.
- **Affordability:** Pricing is usually **$0.45–$1.25 per employee per month** [[22]](https://caniphish.com/phishing-simulation). Compare that to the millions a real breach might cost (average global cost: $4.45M in 2024 [[23]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish)) — it’s a bargain.
- **Consistency:** You can schedule monthly or even weekly tests. Some platforms randomize delivery so employees don’t learn to expect them at a certain time.
- **Data & insights:** Automated platforms provide dashboards, trend analysis, and compliance-ready reports. Want to know if your finance department is click-prone or if your awareness is improving quarter over quarter? Easy [[26]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).
- **Low burden:** Instead of your team writing fake emails, they just review results. It’s a massive time-saver.

### A Nice Bonus: Just-in-Time Training
If an employee clicks, the platform can instantly show them a quick educational page: “Oops! Here’s what you missed.” That immediate feedback turns mistakes into teachable moments. Manual follow-ups can’t always deliver that consistency.

---

## Side-by-Side: Manual vs. Automated

| Factor              | Manual Campaigns (In-House/Consultants) | Automated Platforms |
|---------------------|------------------------------------------|----------------------|
| **Cost**            | High ($3–$6/user/month or staff time)   | Lower ($0.45–$1.25/user/month) |
| **Scalability**     | Hard to scale beyond occasional tests   | Scales easily to thousands |
| **Frequency**       | Infrequent (annual or quarterly)        | Continuous (monthly, weekly, randomized) |
| **Realism**         | Can be highly tailored, spear-phishy    | Broad range of realistic, evolving templates |
| **Customization**   | Unlimited but resource-heavy            | Flexible, with plenty of built-in options |
| **Team Burden**     | Heavy (time, creativity, reporting)     | Light (review dashboards, tweak settings) |
| **Reporting**       | Basic, often static                     | Detailed dashboards, compliance-ready data |

---

## Which Should You Choose?

It depends on your goals and resources:

- **Manual** makes sense if:
  - You want one-off, highly targeted tests (like spear-phishing execs).
  - You already have a skilled red team that enjoys this work.
- **Automated** makes sense if:
  - You want continuous, scalable training for your whole staff.
  - You’re an SME without endless budget or staff hours.
  - You need compliance-friendly reports at the click of a button.

Most companies use automation for their **day-to-day training**, and occasionally sprinkle in manual campaigns for special cases. That’s often the sweet spot.

---

## Why SMEs in Particular Should Care

Small and mid-sized businesses are juicy targets for attackers but often lack security staff. Hiring consultants is pricey. Running manual campaigns internally eats up scarce time. That’s why automated phishing testing — especially from platforms designed with SMEs in mind, like **AutoPhish** — is so appealing [[24]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).

AutoPhish, for instance, offers:
- **AI-powered, ever-fresh phishing emails** [[19]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).
- **Automated scheduling** (monthly, quarterly, or custom) [[25]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).
- **Quick setup** (under 30 minutes) [[28]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).
- **GDPR-friendly design** with no sensitive data stored [[35]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).

It’s basically enterprise-grade security awareness made accessible for businesses without enterprise budgets.

---

## Wrapping It Up

Phishing is going to keep evolving — attackers aren’t taking a holiday. The best way to stay ahead is to keep your people trained, sharp, and a little skeptical of unexpected emails.

- Manual campaigns are like gourmet, handcrafted training. Impressive, but pricey and limited.
- Automated platforms are like meal kits: reliable, affordable, and scalable. You get variety and consistency without slaving away in the kitchen.

For most businesses, especially SMEs, **automation wins hands down**. It keeps the program running, delivers continuous learning, and doesn’t overload your team. And if you ever want to spice things up with a bespoke spear-phishing test, you can always add a manual one on top.

In the end, what matters most is that you’re testing, training, and turning your employees into your first line of defense. After all, in cybersecurity, a well-trained workforce might just be the cheapest (and smartest) insurance you’ll ever buy.



## Introduction

Cybersecurity budgets are often tight—especially for small and mid-sized enterprises (SMEs). Executives want to know: *Is our investment in security awareness training actually paying off?*  
While phishing simulations and staff education seem like obvious choices, proving their **return on investment (ROI)** can be tricky.

In this article, we break down **how to measure ROI** for security awareness programs, the metrics that matter, and why **AI-driven phishing simulations** can deliver better long-term value.

> 💡 *This article is for informational purposes and does not constitute financial or legal advice.*

---

## Why Measuring ROI in Cybersecurity Is Difficult

Unlike marketing campaigns or sales initiatives, cybersecurity investments aim to prevent bad things from happening. That means ROI is often measured by **losses avoided**—which can be hard to quantify until a breach occurs.

According to the [2024 IBM Cost of a Data Breach Report](https://www.ibm.com/reports/data-breach), the global average cost of a data breach is **$4.45 million**, with phishing as the second-most common cause. For SMEs, even a fraction of that cost can be devastating.

The challenge is to **translate risk reduction into measurable savings**.

---

## The ROI Formula for Security Awareness Training

A common approach to calculating ROI in cybersecurity awareness programs is:

```
ROI (%) = [(Estimated Losses Avoided – Program Costs) / Program Costs] × 100
```

### Step 1: Estimate Potential Losses
- **Data breach costs**: Legal fees, regulatory fines (e.g., GDPR penalties), recovery costs, lost business
- **Operational disruption**: Downtime, lost productivity
- **Reputational damage**: Lost customers, decreased trust

Example: If your estimated potential loss from a phishing attack is €200,000 and effective training can reduce that risk by 70%, your *losses avoided* figure is €140,000.

### Step 2: Calculate Program Costs
- Vendor/platform subscription (e.g., AutoPhish license)
- Internal training time
- Administrative overhead

### Step 3: Run the Formula
If your annual training program costs €20,000 and avoids €140,000 in losses, the ROI is:

```
ROI = [(140,000 – 20,000) / 20,000] × 100 = 600%
```

---

## Metrics That Matter

To make ROI reporting credible, track **both leading and lagging indicators**:

### Leading Indicators (Preventive)
- Phishing simulation click rates
- Reported suspicious email rates
- Training completion rates

### Lagging Indicators (After Incidents)
- Number of phishing incidents per quarter
- Mean time to detect (MTTD) and respond (MTTR)
- Regulatory fines or customer churn after incidents

**Why it matters:** Regulators like the [UK ICO](https://ico.org.uk/) and [ENISA](https://www.enisa.europa.eu/) increasingly expect organizations to show evidence of employee training and proactive risk management.

---

## Case Studies and Industry Evidence

- [**KnowBe4’s 2024 Benchmarking Report**](https://www.knowbe4.com/resource-center/phishing): found that after initial training and simulated phishing, users’ “phish‑prone percentage” dropped from a higher baseline to just 18.9% within 90 days, and further to 4.6% after 12 months.
- [**UK ICO vs. Interserve (2022)**](https://www.theguardian.com/business/2022/oct/24/outsourcer-interserve-fined-4-point-4m-cyber-attack-failings-data-breach-personal-information): A £4.4M fine was issued after a phishing attack. Lack of training and poor patching were cited as key failings. Demonstrating a history of phishing simulations could have reduced liability.
- **US FTC Guidance**: The [FTC](https://www.ftc.gov/business-guidance/small-businesses/cybersecurity) emphasizes training as a baseline security measure—failure to do so can result in enforcement action.


---

## Manual Training vs. AI-Driven Simulations

| Feature                          | Manual/Consultant-Led | AI-Driven (e.g., AutoPhish) |
|----------------------------------|-----------------------|-----------------------------|
| Cost per Campaign                | High                  | Low (subscription)          |
| Frequency                        | Usually Yearly        | Monthly or Continuous       |
| Customization                    | Limited               | High (industry & role-based)|
| Realism                          | Moderate              | High (AI-generated emails)  |
| Reporting & Analytics            | Manual                | Automated                   |
| Scalability                      | Low                   | High                        |

**Why it matters:** With AI-driven phishing simulations, you can run **more frequent, more realistic** campaigns at a fraction of the consultant cost—while collecting data that directly supports your ROI calculation.

---

## Making the Business Case

When presenting ROI to leadership, emphasize:

1. **Risk Reduction**: Quantify the drop in phishing success rates after training.
2. **Regulatory Compliance**: Demonstrate how training supports GDPR/NIS2/FTC expectations.
3. **Cost Efficiency**: Compare the program cost to potential breach costs.
4. **Operational Continuity**: Highlight reduced downtime from security incidents.


---

## Final Thoughts

Measuring ROI for security awareness training isn’t just an accounting exercise—it’s a way to prove that your investment is **reducing real-world risk** and **protecting your bottom line**.

**Key Takeaways**:
- Use a clear ROI formula that includes avoided losses
- Track both leading and lagging security metrics
- Run frequent, realistic phishing simulations for maximum impact
- Document results for compliance and executive reporting

With platforms like **AutoPhish**, SMEs can **maximize training impact**, **minimize costs**, and **generate clear ROI evidence**—turning security awareness from a “nice to have” into a proven business asset.


For small and mid-sized businesses (SMEs), a single phishing email can trigger a cascade of serious consequences: stolen credentials, data loss, reputational damage—and legal action. But is your company legally responsible if an employee falls for a phishing scam?

The answer depends on where you operate and what kind of data is at stake. Across the **European Union (EU)**, the **United Kingdom (UK)**, and the **United States (US)**, laws and expectations vary—but one theme is consistent: **preventative measures matter**.

In this article, we’ll explore:

- What the law says in different jurisdictions
- When companies are held accountable for employee mistakes
- How training and phishing simulations reduce risk

> ⚖️ **This is not legal advice. Always consult a qualified lawyer in your jurisdiction for specific guidance.**

---

## EU: GDPR and NIS2—Training as a Legal Obligation

In the European Union, data protection is governed primarily by the **General Data Protection Regulation (GDPR)** and, more recently, by the **NIS2 Directive**.

### GDPR: The 72-Hour Rule and Beyond

Under Article 33 of the GDPR, organizations must notify their national Data Protection Authority of a personal data breach within **72 hours** of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.

If an employee falls for a phishing email that exposes personal data (e.g., customer emails, HR records, financial details), the organization **must**:

- Notify the regulator
- Potentially notify affected individuals (if the risk is “high”)
- Document the incident and mitigation steps taken

What matters is not whether the phishing attack was sophisticated—it’s whether the company had **adequate safeguards** in place.

### NIS2: Security for Essential and Important Entities

The **NIS2 Directive**, in force since 2023, raises the bar further for businesses in sectors like logistics, transport, finance, health, and digital services. It mandates:

- Cybersecurity risk management
- Regular employee training
- Incident reporting obligations
- Fines for non-compliance

The takeaway? Even if your employee made a mistake, **your liability may hinge on how well you prepared them**.

**Source**: [ENISA Threat Landscape 2024](https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024)

---

## UK: GDPR Clone and Real-World Penalties

Post-Brexit, the UK retained the GDPR framework in the form of the **UK GDPR** and the **Data Protection Act 2018**. Most of the obligations are identical to those in the EU:

- Report data breaches within **72 hours**
- Inform affected individuals if there’s a “high risk” to them
- Maintain an internal record of all breaches and decisions

### Case Study: Interserve Fine (£4.4M)

In 2022, the **ICO** fined **Interserve** £4.4 million after a phishing attack exposed over 100,000 employee records. The ICO cited poor training, outdated software, and insufficient monitoring as key failings—not the employee’s mistake.

In the UK, **employers are expected to create a culture of security awareness**. That means:

- Regular training
- Incident simulations
- Logging and documenting risks and responses

**Source**: [ICO Enforcement Action](https://ico.org.uk/action-weve-taken/enforcement/interserve-group-ltd-en/)\
**Best practice**: [NCSC Small Business Guide](https://www.ncsc.gov.uk/collection/small-business-guide)

---

## US: A Patchwork of Laws with One Message—Act Fast

The United States lacks a single national breach notification law, but all **50 states** have their own statutes. These generally require:

- Notification to affected individuals
- Often within **30 to 60 days** of discovery
- Some states require notification to regulators

States like California, New York, and Colorado have **more stringent requirements**, particularly when sensitive data is compromised.

### Federal Action via the FTC

The **Federal Trade Commission (FTC)** can penalize companies for “unfair or deceptive practices”—including poor cybersecurity. In recent years, the FTC has made it clear that **employee training and phishing prevention** are part of reasonable cybersecurity.

- In 2021, the FTC launched a warning campaign targeting businesses that don’t train employees on social engineering.
- In several enforcement cases, failure to act on known phishing risks was cited as negligence.

**Source**: [FTC Data Breach Response Guide](https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business)

---

## Are You Liable? It Depends on Preparation

While laws vary, the general legal consensus across jurisdictions is:

- You **may not be directly liable** for an employee clicking a phishing link
- But you **can be held liable** if you didn’t take reasonable steps to prevent or mitigate the impact

**What counts as reasonable steps?**

- Documented security training
- Regular phishing simulations
- Strong access control and monitoring
- Clear response plans

Courts and regulators assess whether the breach was **foreseeable** and whether you were **negligent** in preventing it.

> A trained, well-informed team is your best legal defense.

---

## How Phishing Simulations Help

Phishing simulations aren’t just an IT tool—they’re a **compliance and legal risk management tool**.

**Benefits include:**

- Demonstrating due diligence during audits
- Reducing the chance of real-world breaches
- Educating employees with real-life examples
- Logging metrics and improvements over time

Platforms like **AutoPhish** make this easy for SMEs:

- AI-generated phishing tests
- Fully GDPR-compliant
- No real data capture
- Ongoing metrics for accountability

> “We train our people” is a good story. “We simulate, report, and improve” is a better one.

---

## Final Thoughts: Document Everything

When it comes to phishing-related incidents, **your documentation is your insurance policy**. If a regulator calls, you need to show:

- When training took place
- How simulations were conducted
- How quickly you responded to the breach
- Whether affected users were notified (and when)

✅ Keep records\
✅ Update your policies regularly\
✅ Work with legal and IT together

The law may forgive a mistake—but **not a lack of preparation**.

> 🧑‍⚖️ Always consult legal counsel to align your cybersecurity program with local laws and sector-specific requirements.



Autophish Blog

Phishing Trends in 2026: What’s Really Changing (and What Isn’t)

Phishing on Mobile: SMS, WhatsApp & QR - What Policies SMEs Actually Need

Role-Based Phishing Simulations: Finance, HR, IT & Execs — Scenarios, Guardrails, and Metrics

How Phishing Works in 2025: The Modern Kill Chain (Email, QR, Deepfakes, and SaaS)

10 Wild Phishing (and Phish-Adjacent) Stories from 2024–2025 – including important Lessons Learned

Privacy-Friendly Phishing Training: Works Councils, Consent, and GDPR Essentials

Automated Phishing Testing vs. Manual Campaigns: Which Is Best for Your Business?

Open-Source Phishing Simulation Tools vs. Managed Solutions: A Technical and Business Comparison

Measuring the ROI of Security Awareness Training

Am I Liable If My Employee Falls for a Phishing Attack?

Ready to Fortify Your Defenses?