## Why Role-Based Training Matters

Phishing is still the number one entry point for cyberattacks. According to [Verizon’s 2024 Data Breach Investigations Report](https://www.verizon.com/business/resources/reports/dbir/), over 68% of breaches involve the human element, with phishing and stolen credentials leading the charge.  

The problem? Not all employees face the same risks. A finance controller has very different exposure compared to an HR manager or an IT helpdesk agent. This is why **role-based phishing simulations** are now considered best practice for any serious security awareness program.  

Instead of sending the same generic “password reset” email to everyone, role-based simulations:  

- Target specific job functions with realistic but safe scenarios.  
- Train employees on the threats they’re most likely to face.  
- Provide actionable metrics to improve defenses where they matter most.  

This blog post will walk you through **scenarios, guardrails, and KPIs** for the four most at-risk groups: Finance, HR, IT, and Executives. 

---

## Finance: Wire Transfers and Invoice Fraud

If you’re in finance, you’re on the front line of **Business Email Compromise (BEC)** attacks. Criminals impersonate suppliers, executives, or even regulators to trick employees into approving fraudulent payments. Losses from BEC scams exceeded [55 billion over the last 10 years](https://www.tripwire.com/state-of-security/bec-cost-citizens-worldwide-over-55bn-last-10-years).  

### Example Scenarios
- **Invoice Fraud:** Fake invoice request from a “supplier.”  
- **CEO Wire Request:** Spoofed executive email asking for urgent payment.  
- **Bank Verification:** Request to “confirm account details” via a link.  

### Guardrails for Simulations
- Don’t use personal/emotional triggers (“bonus payment” or “layoff list”).  
- Keep simulations clearly professional and finance-related.  

### Metrics to Track
- % of users who click the link.  
- % who attempt to initiate payment.  
- % who report the email via the phishing button.  

---

## HR: Payroll & Sensitive Data

HR departments are gold mines for attackers: payroll data, PII, and access to employee portals. Attackers often pose as staff requesting urgent changes.  

### Example Scenarios
- **Payroll Diversion:** Request to change direct deposit details.  
- **Resume Malware:** “Candidate” attaches a poisoned CV.  
- **Policy Update:** Fake HR portal login for compliance documents.  

### Guardrails for Simulations
- Never simulate life events like pregnancies, medical issues, or layoffs.  
- Avoid emotional manipulation — focus on administrative risks.  

### Metrics to Track
- % who download attachments.  
- % who enter credentials.  
- % who report the email via the phishing button.  

---

## IT: MFA Fatigue & Account Resets

IT staff are bombarded with requests — a perfect target for attackers abusing MFA fatigue or password reset flows.  

### Example Scenarios
- **MFA Push Flood:** Repeated login requests from “new device.”  
- **System Update:** Spoofed IT alert with a login link.  
- **Ticket Escalation:** Fake service desk message with embedded URL.  

### Guardrails for Simulations
- Make it clear this is *not* a test of job performance.  
- Avoid highly technical jargon that could confuse non-IT staff if simulations spill over.  

### Metrics to Track
- % of MFA prompts accepted without verification.  
- % who click malicious IT links.  

---

## Executives: High-Value Targets

Executives are prime targets for **whaling** (CEO fraud) and **contract scams**. Attackers know they’re busy, trust assistants, and often bypass standard processes.  

### Example Scenarios
- **Contract Signature:** Urgent DocuSign link for a new deal.  
- **M&A Leak:** Confidential acquisition “details” requiring login.  
- **Board Communication:** Fake message from a board member.  

### Guardrails for Simulations
- Don’t embarrass executives with trivial lures.  
- Keep tone professional; focus on decision-making risks.  

### Metrics to Track
- % of executives who click without verification.  
- Response time to report suspicious emails.  
- Cross-check with assistants/EA reporting behavior.  

---

## Cross-Department Simulation Guardrails

While each department has its nuances, there are common rules that keep simulations safe and constructive:  

1. **No “gotcha” emails.** Training should build trust, not resentment.  
2. **Stay professional.** Avoid personal or sensitive themes.  
3. **Be transparent.** Communicate to staff that simulations are ongoing and for their protection.  
4. **Respect works councils and privacy.** Tools like [AutoPhish](https://autophish.io/anonymization) anonymize results and support GDPR compliance.  

---

## Building a Simulation Roadmap

Here’s how to scale role-based training:  

1. **Phase 1:** Start broad — generic phishing for all staff.  
2. **Phase 2:** Introduce role-based simulations by department. This can easily be done by using AutoPhish's campaign feature, setting up role-based campaigns.
3. **Phase 3:** Cross-department scenarios (e.g., fake invoice sent to both Finance and Execs).  
4. **Phase 4:** Adaptive campaigns.  

This phased approach avoids overwhelming staff and shows measurable improvement.  

---

## Final Thoughts

Role-based phishing simulations are no longer a “nice to have.” They’re the difference between a generic awareness program and one that actually reduces risk where it matters most.  

By focusing on **scenarios, guardrails, and metrics**, you can train Finance, HR, IT, and Executives in the threats that target them directly — and build a culture of resilience.  

Ready to see it in action? Try [AutoPhish](https://autophish.io/) today and make your next simulation smarter, safer, and role-aware.  



## TL;DR

- **Lure** → **Capture** → **Session/Token theft** → **Lateral movement** → **Impact**  
- Identity + **session** protection is everything—and the fastest path to durable resilience is frequent, realistic practice that builds instinct.

## Intro

If you’re wondering **how phishing works** in 2025, here’s the honest answer: attackers rarely stop at passwords — they want your **session**. And if they can’t get you by email, they’ll try a QR code on your phone, a slick SaaS consent screen, or even a deepfaked video call with your “CFO.” Fun (for them).

Below is the modern kill chain most incidents follow—plus where **AutoPhish** makes you much harder to fool.

## 1) The Lure: email, QR, and scarily convincing “humans”

Phishing still arrives by **email**, but URLs are the star. Proofpoint’s latest **Human Factor 2025** research shows URLs are used _around four times_ more than attachments in malicious emails—and **4.2 million QR-code (quishing) threats** were flagged in just the first half of 2025 ([blog overview](https://www.proofpoint.com/us/blog/email-and-cloud-threats/human-factor-vol-2-offers-new-insights-phishing), [Vol. 2 report page](https://www.proofpoint.com/us/resources/threat-reports/human-factor-url-phishing)).

Then there’s the human layer: **deepfake video/voice**. The Arup case—~$25M lost after a deepfaked group call—shows how social engineering now looks like a perfectly normal meeting invite ([Guardian](https://www.theguardian.com/technology/article/2024/may/17/uk-engineering-arup-deepfake-scam-hong-kong-ai-video), [World Economic Forum](https://www.weforum.org/stories/2025/02/deepfake-ai-cybercrime-arup/)). Policies that require secondary verification beat “vibes” every time.

Want a field guide to spot the tricks inside a single message? Start with **[The Anatomy of a Modern Phishing Email](https://autophish.io/blog/the-anatomy-of-a-modern-phishing-email-what-your-employees-miss-every-day)** on our blog.

---

## 2) Capture: credentials _or_ consent—both open the door

Attackers don’t always ask for your password. Increasingly, they present a legit-looking **SaaS/OAuth consent screen** (“Allow this app to read your mail?”). If you click **Allow**, they gain durable API access—**no password needed**. Microsoft’s guidance on **illicit consent grants** explains detection and remediation ([Microsoft Learn](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent) [Microsoft Learn 2](https://microsoft.com/en-us/defender-office-365/detect-and-remediate-illicit-consent-grants); also see the [app-consent incident response playbook](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent)).

Old-school **credential harvesters** still work, often hosted behind reputable services (forms/storage/view-only files) to dodge filters. Proofpoint’s *Human Factor* series and Microsoft’s threat posts highlight the shift toward URL-centric delivery ([Proofpoint](https://www.proofpoint.com/us/resources/threat-reports/human-factor-url-phishingng), [Microsoft](https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/)).

---

## 3) Session/Token theft: bypassing MFA with a tiny man-in-the-middle

Here’s the 2025 twist: **Adversary-in-the-Middle (AiTM)** toolkits sit between you and Microsoft/Google, **proxy the login**, and **steal your session cookie** after you successfully pass MFA. The attacker then **replays** that cookie and walks right in—**no password, no second factor**. See Microsoft’s analyses and playbooks, plus Proofpoint and Talos reporting ([MSFT Security Blog](https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/); see also:
- [Cisco Talos IR:](https://blog.talosintelligence.com/ir-trends-q2-2025/)ry-point-to-further-financial-fraud/), 
- [Multi‑stage AiTM](https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/), 
- [Session‑cookie theft alert playbook](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent)
- [Proofpoint on AiTM](https://www.proofpoint.com/us/blog/email-and-cloud-threats/aitm-phishing-attacks-evolving-threat-microsoft-365)
- [Talos IR Q2 2025](https://blog.talosintelligence.com/ir-trends-q2-2025/).

---

## 4) Lateral movement: once inside, attackers get comfy

With mailbox or token access, attackers set **inbox rules**, register **malicious OAuth apps**, and pivot to perform **BEC**—sometimes for weeks before anyone notices (see Microsoft’s guidance on session-cookie theft alerts: [learn.microsoft.com](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent)). For real-world color (and quick guardrails), see **[10 Wild Phishing (and Phish-Adjacent) Stories from 2024–2025](https://autophish.io/blog/10-wild-phishing-and-phish-adjacent-stories-from-2024-2025-including-important-lessons-learned from-2024-2025-including-important-lessons-learned)**.

---

## 5) What actually stops this? (Practical controls)

- **Phishing-resistant MFA (passkeys/FIDO2)** and limiting weak fallbacks (SMS/voice codes). CISA and NIST‑aligned guidance: [CISA success story (USDA)](https://www.cisa.gov/news-events/alerts/2024/11/20/usda-releases-success-story-detailing-implementation-phishing-resistant-multifactor-authentication), [CISA HISG on passkeys](https://www.cisa.gov/resources-tools/services/hybrid-identity-solutions-guidance-hisg), and the **Phishing‑Resistant Authenticator Playbook** ([IDManagement.gov](https://www.idmanagement.gov/playbooks/altauthn/)). For a plain‑English explainer, see WIRED’s overview of [how passkeys work](https://www.wired.com/story/what-is-a-passkey-and-how-to-use-them/).
- **Consent governance:** block risky OAuth app consent, require admin approval, and educate users about **what an app is asking for** ([Microsoft Learn](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent).
- **Anti‑AiTM controls:** conditional access with **token binding** where possible, vigilant revocation of sessions, and alerts on unusual inbox rules ([MSFT Token Theft Playbook](https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent)icrosoft.com/en-us/security/operations/token-theft-playbook)).
- **User behavior:** treat **QR codes** like links; don’t scan from unsolicited messages. Proofpoint’s 2025 data shows quishing is mainstream now ([Proofpoint blog](https://www.proofpoint.com/us/blog/email-and-cloud-threats/human-factor-vol-2-offers-new-insights-phishing)).

---

## Where AutoPhish makes a measurable difference

AutoPhish is designed around those exact failure points (and it’s EU/GDPR‑friendly by design):

- **Role‑aware realism.** We generate **ever‑fresh lures** per role and industry (finance, HR, execs)—covering **emails**, **QR campaigns**, and **SaaS‑consent** prompts. That builds instinct against the attacks people actually face. Learn how we do it in **[Phishing Simulations‑as‑a‑Service Explained](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish)**.
- **Kill‑chain‑aware simulations.** We don’t stop at a click—we teach what a **consent screen** looks like, why it’s risky, and how to respond (see also our **[Anatomy of a Modern Phishing Email](https://autophish.io/blog/the-anatomy-of-a-modern-phishing-email-what-your-employees-miss-every-day)** guide).
- **Just‑in‑time training + clear reports** you can take to audits (NIS2/ISO‑friendly). If you’re weighing formats, compare **[Automated vs. Manual Campaigns](https://autophish.io/blog/automated-phishing-testing-vs-manual-campaigns-which-is-best-for-your-business)**.
- **Employee‑friendly & GDPR‑smart.** Options for **anonymization/pseudonymization**, short retention, and works‑council‑compatible guardrails—because culture and compliance matter. Details: **[Privacy‑Friendly Phishing Training](https://autophish.io/blog/privacy-friendly-phishing-training-works-councils-consent-and-gdpr-essentials)**.

Curious about open-source vs. SaaS trade‑offs? We’ve compared them in **[Open‑Source Tools vs. Managed Solutions](https://autophish.io/blog/open-source-phishing-simulation-tools-vs-managed-solutions-a-technical-and-business-comparison)**.


## FAQ: How phishing works

**Can a phishing link install malware?**  
Yes. A link can trigger a **drive‑by download** or lead to a site that drops malware—or it can simply steal your credentials. Keep software patched, use reputable endpoint protection, and avoid opening links/attachments from unknowns ([Emsisoft explainer](https://www.emsisoft.com/en/blog/38301/drive-by-downloads-can-you-get-malware-just-from-visiting-a-website/), [Kaspersky](https://usa.kaspersky.com/resource-center/definitions/drive-by-download)).

**Can phishing be done by phone?**  
Absolutely. **Vishing** (voice) and **smishing** (SMS) are mainstream—often augmented with AI voice cloning. Verify through a known channel before acting (definitions from the [FBI](https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/spoofing-and-phishing) and [FCC](https://www.fcc.gov/avoid-temptation-smishing-scams)).

**What is “quishing”?**  
**QR‑code phishing**: a message/poster contains a QR code that sends you to a malicious site—often on your **phone**, away from enterprise protections. Treat QR codes like links; don’t scan from unsolicited messages (see Proofpoint’s 2025 data on QR threats: [overview](https://www.proofpoint.com/us/blog/email-and-cloud-threats/human-factor-vol-2-offers-new-insights-phishing)).

**Does MFA stop all phishing?**  
MFA is essential, but **AiTM** can steal the **session cookie after MFA**. Prefer **phishing‑resistant MFA (passkeys/FIDO2)** and disable weak fallbacks (SMS/voice) where you can ([MSFT on AiTM](https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/; see also https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/; Cisco Talos IR: https://blog.talosintelligence.com/ir-trends-q2-2025/)); [CISA playbooks](https://www.idmanagement.gov/playbooks/altauthn/).

**What’s OAuth consent phishing, in one sentence?**  
A malicious app asks for permission to your data; if you click **Allow**, it keeps API access **until consent is revoked**—even without your password ([Microsoft Learn](https://learn.microsoft.com/en-us/defender-office-365/detect-and-remediate-illicit-consent-grants)).


> Want this explained to your whole team—with hands‑on practice? Launch a monthly, role‑aware program in minutes with **AutoPhish**. Make your people the firewall.

QR codes turned into logins. AI impersonated your CFO on Zoom. “Internal” emails arrived from the great beyond. The past two years were a nonstop parade of inventive cons – equal parts brazen and brilliant. Below, we tour ten real incidents that defined the era and, more importantly, translate each one into plain-English guardrails you can put in place. Sources are linked throughout so you can go deeper whenever you like.

**1) Change Healthcare: one portal, no MFA, and a very expensive lesson (Feb 2024)**

In February 2024, attackers walked through the digital front door at Change Healthcare using **stolen credentials**—no alarms, no second factor, just a remote portal without MFA. The breach eventually spiraled into ALPHV/BlackCat ransomware and nationwide disruption in healthcare billing. Executives later testified that the compromised entry point **did not** have MFA enabled—an omission that reads like a plot twist you can see coming a mile away ([Reuters](https://www.reuters.com/world/us/unitedhealth-ceo-testifies-before-us-senate-house-hack-2024-05-01/); context via [Cybersecurity Dive](https://www.cybersecuritydive.com/news/change-healthcare-compromised-credentials-no-mfa/714792/); sector wrap-ups from the [AHA](https://www.aha.org/system/files/media/file/2025/02/Change-Healthcare-Cyberattack-Underscores-Urgent-Need-to-Strengthen-Cyber-Preparedness.pdf) and [HHS OCR](https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html)).

Why did it work? Because one non-MFA’d app is a skeleton key in a world drenched in infostealer logs and password reuse. The countermeasure is gloriously unsexy: **phishing-resistant MFA (FIDO2)** everywhere the public can see you, ideally behind **SSO + conditional access**, with legacy protocols turned off. Add basic anomaly alerts—impossible travel, odd ASNs, strange hours—and you at least get a fighting chance to catch the first footsteps.

**2) Pepco Group: classic BEC, polished like a diamond (Feb 2024)**

Pepco’s Hungarian business lost about **€15.5 million** to what reads like a textbook—but extremely well executed—**business email compromise**. No malware extravaganza; just convincing messages, authority, urgency, and a payment process that trusted the inbox too much ([company notice](https://www.pepcogroup.eu/media-news/pepco-group-n-v-notice-regarding-hungarian-business/) / [PDF](https://www.pepcogroup.eu/wp-content/uploads/2024/02/Pepco-Group-Notice-regarding-Hungarian-business-vF.pdf); coverage via [Reuters](https://www.reuters.com/technology/cybersecurity/retailer-pepco-loses-about-15-mln-euros-hungarian-phishing-attack-2024-02-27/) and [Help Net Security](https://www.helpnetsecurity.com/2024/02/28/pepco-phishing-bec-attack/)).

The fix is cultural as much as technical: treat money movement like a cockpit checklist. **Dual approvals**, **callback verification to known numbers**, supplier portals with **2FA**, and a **hold period** for first-time bank-detail changes transform “please pay this urgently” into “sure—after we follow the process.”

**3) The Arup deepfake boardroom: when faces lie (Jan–May 2024)**

A finance employee at **Arup** joined a video call with the “CFO” and colleagues. They looked right, sounded right, moved right—and were **AI deepfakes**. Roughly **$25 million** left the building before reality caught up ([Financial Times](https://www.ft.com/content/b977e8d4-664c-4ae4-8a8e-eb93bdf785ea); [CFO Dive](https://www.cfodive.com/news/scammers-siphon-25m-engineering-firm-arup-deepfake-cfo-ai/716501/); background via [CNN/Yahoo](https://finance.yahoo.com/news/british-engineering-giant-arup-revealed-030558740.html)).

We’ve trained people to “trust the face.” Deepfakes torch that instinct. The pragmatic fix is policy, not paranoia: **no funds released on live calls alone**. Require a **ticketed approval** plus a **verbal callback** to a number pulled from an internal directory—never from the email or the meeting invite. Teach teams to spot telltales (lip-sync drift, odd latencies) and to use backchannels when something feels off.

**4) Paris 2024: the Olympics of fake ticketing (mid-2024)**

Hype, scarcity, and immaculate branding make for superb phishing weather. Heading into Paris 2024, law enforcement and researchers flagged **hundreds of fraudulent sites** hawking tickets, hospitality, and “priority access.” At one point the French gendarmerie counted **338** suspect domains. The playbook was simple: SEO-poisoning, cloned logos, and urgency that makes even savvy buyers forget their rules ([Proofpoint](https://www.proofpoint.com/us/blog/threat-insight/security-brief-scammers-create-fraudulent-olympics-ticketing-websites); consumer warnings via [CBS News](https://www.cbsnews.com/news/paris-olympics-ticket-scams/); official notices at [Olympics.com](https://www.olympics.com/en/news/free-ticket-scam-for-the-opening-ceremony-of-the-paris-2024-paralympic-games)).

If your staff travel or buy event access, front-load the safety briefing: **type, don’t click**, and only on **official URLs**. On the backend, watch for **typosquats** and block **brand-new domains** in high-risk categories for a cooling-off period. A little friction beats expensive FOMO.

**5) Snowflake-linked breaches: one password to rule them all (spring–summer 2024)**

Ticketmaster, Santander, and others reported data accessed via **customer Snowflake environments**, with a familiar villain: **stolen credentials** and **missing MFA**. Snowflake itself said its platform wasn’t breached; rather, attackers rode in on real keys to customer instances and got to querying ([Dark Reading](https://www.darkreading.com/threat-intelligence/snowflake-account-attacks-driven-by-exposed-legitimate-credentials); [The Verge](https://www.theverge.com/2024/6/11/24176080/snowflake-cloud-storage-data-breach-ticketmaster-santander); [Google Threat Intelligence](https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion); [Push Security](https://pushsecurity.com/blog/2024-identity-breaches/)).

If your data lives in SaaS, treat identity like your new network perimeter. Put **SSO/SAML + MFA** in front, add **IP allowlists/VPN**, and instrument for **unusual query volumes** or sudden **role changes**. Keys and tokens should rotate the way you change the batteries in a smoke alarm: regularly, before the fire.

**6) Star Blizzard’s WhatsApp pivot: your QR code is a session token (late 2024–Jan 2025)**

FSB-linked **Star Blizzard** started corralling diplomats and policy folks into scanning **WhatsApp QR codes**, turning a simple handoff into account takeover. The move cleverly sidestepped email controls and shifted the conversation to a compromised app where trust is high and scrutiny is low ([Microsoft](https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/); [BleepingComputer](https://www.bleepingcomputer.com/news/security/star-blizzard-hackers-abuse-whatsapp-to-target-high-value-diplomats/); [The Guardian](https://www.theguardian.com/technology/2025/jan/17/russian-hackers-star-blizzard-whatsapp-accounts-ministers-officials)).

The mindset shift is crucial: **QR codes often _are_ authentication**. Train people to treat scans like passwords, restrict linking on unmanaged devices via MDM, and require **number-matching MFA** where available. Also, watch for **new linked devices** and suspicious location jumps—both are early smoke.

**7) Quishing at scale: Microsoft Sway as a lure factory (Aug 2024)**

Attackers leaned on **Microsoft Sway** to host slick, **QR-code phishing** pages that slipped past filters thanks to first-party halo effects. The QR image concealed the true destination, and scanners not built to decode images saw only a nice, clean file hosted by a trusted brand ([BleepingComputer](https://www.bleepingcomputer.com/news/security/microsoft-sway-abused-in-massive-qr-code-phishing-campaign/"%20\t%20"_new); original research from [Netskope](https://www.netskope.com/blog/phishing-in-style-microsoft-sway-abused-to-deliver-quishing-attacks)).

Defenders can answer in kind: add **QR decoding** to email/web security, scrutinize **new Sway/Forms/Sites** links, and lock identity down with **passwordless MFA**, **conditional access**, and **continuous access evaluation**. On mobile, teach people how to preview URLs before opening them—tiny skill, huge payoff.

**8) Trezor: when your support desk becomes the social engineer (Jan 2024 & Jun 2025)**

In **January 2024**, a **third-party support portal** tied to **Trezor** exposed contact details for ~66,000 users—jet fuel for follow-on phishing. By **June 2025**, adversaries went a step further, **abusing Trezor’s support form** to send convincing auto-replies that looked official enough to make even veterans blink ([BleepingComputer](https://www.bleepingcomputer.com/news/security/trezor-support-site-breach-exposes-personal-data-of-66-000-customers/"%20\t%20"_new); [BleepingComputer](https://www.bleepingcomputer.com/news/security/trezors-support-platform-abused-in-crypto-theft-phishing-attacks/)).

Your support stack is part of your security perimeter. Treat it accordingly: **rate-limit auto-replies**, enforce strict **DKIM/DMARC alignment**, scan templated responses for risky language (especially around “recovery” and crypto), and publish **clear safety PSAs** so customers know what you’ll never ask them to do.

**9) “Internal” without compromise: M365 Direct Send gets cheeky (Jun–Aug 2025)**

Campaigns abusing **Microsoft 365’s Direct Send** made it possible to **spoof internal users** without actually taking over an account. That little detail matters, because “from IT@yourcompany” still carries psychological weight—even when the authentication story is mushy ([Varonis](https://www.varonis.com/blog/direct-send-exploit); summaries via [Dark Reading](https://www.darkreading.com/cyber-risk/phishers-abuse-m365-direct-send-to-spoof-internal-users) and [Arctic Wolf](https://arcticwolf.com/resources/blog/arctic-wolf-observes-microsoft-direct-send-abuse/)).

Tighten your **connector rules**, limit the scope of Direct Send, and prefer **authenticated SMTP** where you can. Teach people that “internal” isn’t a magic word; if an email tries to move money or credentials, the verification should happen in a portal or via a known backchannel—not a convenient blue link.

**10) AI site builders drafted into the phish factory: Lovable at scale (2025)**

Finally, a very 2025 plot line: attackers using AI website builders—**Lovable** in particular—to crank out **tens of thousands** of phishing and malware pages with on-brand design and near-instant turnaround. Fresh domains plus pretty templates equals a steady drip of clicks before reputation systems catch up ([Proofpoint](https://www.proofpoint.com/us/blog/threat-insight/cybercriminals-abuse-ai-website-creation-app-phishing); coverage via [BleepingComputer](https://www.bleepingcomputer.com/news/security/ai-website-builder-lovable-increasingly-abused-for-malicious-activity/) and [TechRadar](https://www.techradar.com/pro/security/top-ai-website-builder-lovable-hit-in-worrying-cyberattack-heres-what-we-know)).

Defensively, expand your URL intelligence to include **time-since-registration** and **builder/hosting reputation**, and don’t reflexively whitelist shiny new domains just because they look professional. Criminals can look professional now, too—it’s kind of their thing.

**The pattern you can’t ignore**

Across all ten stories, the same threads keep showing up. **Credentials and session tokens are gold.** **MFA gaps are fatal.** **“Internal” is a feeling, not a control.** And **AI is both accelerant and firehose**—it speeds up attackers and overwhelms defenders, but it also gives us better training and detection if we choose to use it.

If you only do a few things this quarter, make them these: roll out **phishing-resistant MFA** and retire legacy auth; add **QR decoding** to your email/web stack; stage realistic **BEC and deepfake drills** for finance and execs (with mandatory callbacks); and put **support, marketing, and event workflows** squarely in your threat model with rate limits, DMARC alignment, and pre-emptive warnings.

And if you want to practice safely, that’s our jam. AutoPhish can recreate the trends you’ve just read about—**quishing**, **AI-style lures**, **“internal” spoofing**, and meticulous **BEC**—then follow up with bite-sized training that actually sticks. Because seeing the trick once, in a safe environment, is how you stop it when it really counts.

> ⚖️ This article is general information - for specific decisions about your organisation, consult a qualified lawyer in your jurisdiction.

---

## TL;DR
You can run impactful phishing simulations in the EU without alienating staff or risking non-compliance by: 
1. using **legitimate interests** (not consent) as your primary legal basis and documenting a balancing test; 
2. engaging **works councils** early and codifying guardrails in a works agreement where required; 
3. prioritising **anonymization/pseudonymization**, **short retention**, and **transparent notices**; and 
4. running a DPIA if your context points to **high risk** (e.g., systematic monitoring).

---

## 1) Lawful basis: why **legitimate interests** usually beats consent
In the employment context, consent is **rarely freely given** because of the employer–employee power imbalance. The European Data Protection Board’s *Guidelines 05/2020 on Consent* underline that employee consent is valid only in **exceptional** circumstances without adverse consequences for refusal. For phishing simulations, a better fit is **Article 6(1)(f) legitimate interests**, documented with a **Legitimate Interests Assessment (LIA)** that weighs your security needs against employees’ rights and expectations.

**Good practice for the LIA**  
- Define the interest (security awareness; fraud prevention).  
- Map reasonable employee expectations (training is normal; covert profiling is not).  
- List mitigations (see Sections 3–5).  
- Record why consent would be inappropriate in your context.

References: EDPB *Guidelines 05/2020 on Consent*; GDPR Recital 47 (reasonable expectations).

---

## 2) Works councils: Germany & Austria in focus
If you operate in countries with strong co-determination, involve the works council before rollout.

- **Germany (BetrVG §87(1) No. 6):** the works council co-determines the *“introduction and use of technical devices designed to monitor employee behaviour or performance.”* Even simple dashboards can trigger this, so a **Betriebsvereinbarung** (works agreement) that sets scope, data handling, and safeguards is common practice.  
- **Austria (ArbVG §96(1) No. 3):** monitoring measures and technical systems that may affect human dignity require **works council consent** (or **individual consent** if no works council).

**What to include in the agreement/works policy**  
Purpose & scope, lawful basis, minimal data collected, **no disciplinary use** of metrics alone, who sees what, retention & anonymization schedule, vendor list (processors/sub-processors), employee rights, and an annual review clause.

Sources: Germany—BetrVG §87(1) no. 6 (official English text); analysis by Luther Law. Austria—Eurofound summary of ArbVG §96(1) no. 3; Schoenherr explainer.

---

## 3) Anonymization vs. Pseudonymization (and what it means for reports)
- **Anonymization** (GDPR Recital 26): once data is truly anonymous, GDPR no longer applies.  
- **Pseudonymization** (GDPR Art. 4(5)): data is still personal if it can be re-linked via separate keys; treat it accordingly.

**Privacy-centric reporting model**  
- Default to **aggregates by team/location**.  
- Use **stable random IDs** for trend analysis instead of names; keep the key separate with strict access control.  
- Show **individual results only to a small, need-to-know group** (e.g., security awareness lead + HR) and only when necessary for targeted coaching.  
- Never collect real passwords; if a user attempts to submit credentials, show a training page and **discard any entry**.

For a practical example of how a platform implements these concepts, see **AutoPhish’s anonymization** overview: https://autophish.io/anonymization

---

## 4) Retention: shorter is safer (and required by principle)
GDPR’s **storage limitation** principle requires keeping personal data in identifiable form **no longer than necessary** for the stated purpose. For phishing programs, many SMEs adopt a two-tier window:  
- **Operational window (e.g., 30–90 days):** identifiable data available for coaching and remediation.  
- **Post-campaign analytics:** thereafter **aggregate/anonymize**, keeping only non-identifiable trends for long-term KPI tracking.

Document this in your **Article 30 records of processing** and in your employee privacy notice.

---

## 5) Notices: be transparent and plain-language (Art. 13)
Before your first campaign, provide a short internal notice (or update your employee privacy policy) that explains: the **purpose** (security awareness), **lawful basis** (legitimate interests), what data you collect (e.g., email, department, click/report events), **retention**, who can access individual-level data (limited roles), **no disciplinary use** of single events, **employee rights** (access/objection), and a **contact** (DPO or privacy lead).

**Copy-paste starter (adapt to your context)**  
> We run periodic phishing simulations to build security awareness and reduce fraud risk. We process your name, work email, department, and simulation interactions (e.g., opened/reported/submitted). Our lawful basis is legitimate interests (GDPR Art. 6(1)(f)). Individual-level data is visible only to the security awareness team (and HR where necessary for targeted coaching). We keep identifiable data for **[X days]** and then aggregate/anonymize. We never store real passwords. You can exercise your data rights (access/objection, etc.) via **[contact]**. See **[link to your full employee privacy notice]**.

---

## 6) Do you need a DPIA?
A **Data Protection Impact Assessment (DPIA)** is required when processing is **likely to result in high risk** to individuals (Art. 35). Regulators and the EDPB note that **employee monitoring** may trigger a DPIA—especially where processing is systematic or involves vulnerable data subjects. If your programme introduces new tooling, large-scale metrics, or cross-border transfers, err on the side of conducting a DPIA.

**What to cover**: purpose/necessity, alternatives (less intrusive options), data flows, risks, mitigations (anonymization, minimization, role-based access, short retention, no-blame coaching), and a plan for periodic review.

---

## 7) Vendors & international transfers
If you use a platform provider, you’re the **controller** and they’re a **processor**; sign a **Data Processing Agreement** that meets **Article 28** requirements (security, sub-processor controls, assistance with data rights, deletion at end of service). If the provider or its sub-processors are outside the EEA, implement the **Standard Contractual Clauses** and perform a transfer risk assessment.

---

## 8) NIS2: if you’re in scope, training is no longer optional
For entities covered by the **NIS2 Directive**, management must oversee cybersecurity risk-management measures (Art. 20) and ensure appropriate training and incident processes (Art. 21). Even if you’re not in scope, the bar NIS2 sets is a useful benchmark for SMEs.

---

## 9) A practical, privacy-first architecture (that still works)
- **Data in:** name, email, team, and manager (optional). No personal emails; no special categories.  
- **During campaign:** collect only **event data** (delivered, clicked, reported, submitted). If a user tries to enter credentials, show training and capture **no secrets**.  
- **Access control:** the awareness team can see cohorts and anonymized IDs
- **Retention:** 30–90 days for identified data → auto-anonymize; keep aggregates for year-over-year trends.  
- **Outputs:** exec report shows **rates and trends**, not names.  
- **Governance:** LIA + (if needed) DPIA on file; Article 30 register updated; works agreement approved.

---

## Final thoughts
Privacy-friendly phishing training is not a contradiction. With the right lawful basis, genuine worker representation, and technical guardrails like anonymization and short retention, your programme can **protect people and their data** while measurably reducing risk. When in doubt, get legal advice tailored to your facts.

## Legal references (Germany & Austria)

*   **Germany — Works Constitution Act (BetrVG) §87(1) no. 6 (official English text)**  
    [Gesetze im Internet – Works Constitution Act (Betriebsverfassungsgesetz – BetrVG), English translation](https://www.gesetze-im-internet.de/englisch_betrvg/englisch_betrvg.html)
    
*   **Analysis by Luther Law**  
    [“Perennial issue: software vs. co-determination (Section 87 (1) No. 6 BetrVG)” — Luther Law](https://www.luther-lawfirm.com/en/newsroom/blog/detail/dauerbrenner-software-vs-mitbestimmung-87-abs-1-nr-6-betrvg)
    
*   **Austria — Eurofound summary of ArbVG §96(1) no. 3**  
    [Eurofound: Employee monitoring and surveillance — Austria](https://apps.eurofound.europa.eu/legislationdb/employee-monitoring-and-surveillance/austria)
    
*   **Schoenherr explainer (ArbVG §96(1) no. 3)**  
    [“Whistleblowing Hotline – Implementation Only with Employee Consent?” — Schoenherr](https://www.schoenherr.eu/content/whistleblowing-hotline-implementation-only-with-employee-consent)
    

---

## Further reading

*   **EDPB _Guidelines 05/2020 on Consent_**  
    [https://www.edpb.europa.eu/sites/default/files/files/file1/edpb\_guidelines\_202005\_consent\_en.pdf](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf)
    
*   **GDPR Recital 26 (anonymous data)**  
    [https://gdpr-info.eu/recitals/no-26/](https://gdpr-info.eu/recitals/no-26/)
    
*   **GDPR Article 4(5) (pseudonymization)**  
    [https://gdpr-info.eu/art-4-gdpr/](https://gdpr-info.eu/art-4-gdpr/)
    
*   **GDPR Article 5 (principles)**  
    https://gdpr-info.eu/art-5-gdpr/
    
*   **GDPR Article 13 (information to be provided)**  
    https://gdpr-info.eu/art-13-gdpr/
    
*   **GDPR Article 28 (processors)**  
    https://gdpr-info.eu/art-28-gdpr/
    
*   **GDPR Article 30 (records of processing activities)**  
    https://gdpr-info.eu/art-30-gdpr/
    
*   **GDPR Article 35 (Data Protection Impact Assessment)**  
    https://gdpr-info.eu/art-35-gdpr/
    
*   **NIS2 Directive (Articles 20–21)**  
    EUR-Lex — Directive (EU) 2022/2555 (NIS2)
    
*   **AutoPhish — Anonymization overview (product-side controls)**  
    [https://autophish.io/anonymization](https://autophish.io/anonymization)

Phishing emails might not be glamorous, but they’re the sneaky tricksters of the cyber world. They show up in inboxes pretending to be important messages — an invoice, a password reset, maybe even a fake LinkedIn invite. And unfortunately, they still work all too often. In fact, **74% of security breaches involve the human element**, with phishing being one of the top ways attackers break in [[1]](https://www.phishingbox.com/resources/phishing-facts)[[2]](https://www.phishingbox.com/resources/phishing-facts).

That’s why businesses of all sizes are turning to **phishing simulations** — basically “practice phishing attacks” that train employees to spot suspicious messages in a safe environment. Think of it like a fire drill, but for your inbox. The goal is to help employees build instincts and transform them into a “human firewall.”

But here’s the question: when it comes to running phishing simulations, should you **do them manually** (crafting fake phishing emails yourself or with the help of consultants) or rely on an **automated platform** (a service that does the heavy lifting for you)? Each approach has its perks and pitfalls. Let’s explore both in a way that’s insightful, practical, and just a bit more fun.

---

## Why Phishing Simulations Matter (Beyond Scaring Your Staff)

The idea is simple. Your company sends out a fake phishing email. If an employee clicks or submits their login details, it’s not a disaster — it’s a teaching moment. And unlike boring PowerPoint slides about security, these simulations stick. People remember what fooled them, and they get better at spotting the real thing next time [[3]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish)[[4]](https://www.cynet.com/cybersecurity/phishing-simulation-how-it-works-and-5-tools-to-get-you-started/).

On top of that, regulators are watching. Standards like the EU’s **NIS2 Directive** don’t just want firewalls and antivirus software — they expect proof that your staff are trained and tested regularly [[6]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish). A solid phishing simulation program means you can check both boxes: better security and compliance.

---

## Manual Phishing Campaigns: Handcrafted, With Love (and Effort)

So what happens if you go the manual route?

- **What it is:** Your IT/security team (or hired consultants) brainstorm phishing scenarios, design emails, send them out, and later track who clicked. Maybe it’s a fake invoice. Maybe it’s a spoofed “CEO request.” Creativity is the name of the game.
- **The good:** Manual campaigns can be incredibly realistic. A consultant who knows your business can craft spear-phishing emails that reference actual projects or internal lingo. These hyper-tailored simulations feel *uncomfortably real* — which is exactly the point.
- **The bad:** They’re expensive and time-consuming. Niche providers often charge **$3–$6 per employee per month** [[8]](https://caniphish.com/phishing-simulation), which adds up fast. Doing it in-house? It may seem “free,” but your team still spends hours designing lures, setting up domains, and crunching results. Open-source tools like GoPhish are powerful, but they require ongoing maintenance [[10]](https://autophish.io/blog/open-source-phishing-simulation-tools-vs-managed-solutions-a-technical-and-business-comparison).

Scalability is another headache. Most companies that go manual manage only a couple of campaigns a year — often tied to Cybersecurity Awareness Month. That’s better than nothing, but far from the continuous reinforcement employees really need.

And let’s be honest: creativity runs dry. After a few tries, the “fake Amazon receipt” or “password reset” gets old. Without fresh ideas, employees start recognizing the pattern, which defeats the purpose.

**Bottom line:** Manual campaigns are great for highly targeted, one-off exercises. But for regular training across the whole company, they can drain resources and don’t scale well.

---

## Automated Phishing Platforms: Set It, Forget It, Train Continuously

Now let’s talk about automation.

**Automated phishing platforms** (think KnowBe4, Hoxhunt, Cofense, or newer players like **AutoPhish**) are SaaS tools built to make phishing simulations easy, scalable, and consistent. Instead of your team manually drafting emails and logging clicks, the platform handles:

- Crafting realistic phishing emails (often from a large template library, updated with the latest scam trends [[16]](https://caniphish.com/phishing-simulation)).
- Sending them out at scale, on a schedule you set.
- Tracking exactly who clicked, reported, or ignored.
- Delivering instant feedback or training to employees who fall for it.

Some platforms even use **AI** to generate unique phishing lures that evolve over time, so employees can’t just memorize a fixed set of templates [[18]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).

### The Big Advantages
- **Efficiency & scale:** Send thousands of emails with a few clicks. Whether you’ve got 50 or 5,000 employees, the platform can handle it without extra work.
- **Affordability:** Pricing is usually **$0.45–$1.25 per employee per month** [[22]](https://caniphish.com/phishing-simulation). Compare that to the millions a real breach might cost (average global cost: $4.45M in 2024 [[23]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish)) — it’s a bargain.
- **Consistency:** You can schedule monthly or even weekly tests. Some platforms randomize delivery so employees don’t learn to expect them at a certain time.
- **Data & insights:** Automated platforms provide dashboards, trend analysis, and compliance-ready reports. Want to know if your finance department is click-prone or if your awareness is improving quarter over quarter? Easy [[26]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).
- **Low burden:** Instead of your team writing fake emails, they just review results. It’s a massive time-saver.

### A Nice Bonus: Just-in-Time Training
If an employee clicks, the platform can instantly show them a quick educational page: “Oops! Here’s what you missed.” That immediate feedback turns mistakes into teachable moments. Manual follow-ups can’t always deliver that consistency.

---

## Side-by-Side: Manual vs. Automated

| Factor              | Manual Campaigns (In-House/Consultants) | Automated Platforms |
|---------------------|------------------------------------------|----------------------|
| **Cost**            | High ($3–$6/user/month or staff time)   | Lower ($0.45–$1.25/user/month) |
| **Scalability**     | Hard to scale beyond occasional tests   | Scales easily to thousands |
| **Frequency**       | Infrequent (annual or quarterly)        | Continuous (monthly, weekly, randomized) |
| **Realism**         | Can be highly tailored, spear-phishy    | Broad range of realistic, evolving templates |
| **Customization**   | Unlimited but resource-heavy            | Flexible, with plenty of built-in options |
| **Team Burden**     | Heavy (time, creativity, reporting)     | Light (review dashboards, tweak settings) |
| **Reporting**       | Basic, often static                     | Detailed dashboards, compliance-ready data |

---

## Which Should You Choose?

It depends on your goals and resources:

- **Manual** makes sense if:
  - You want one-off, highly targeted tests (like spear-phishing execs).
  - You already have a skilled red team that enjoys this work.
- **Automated** makes sense if:
  - You want continuous, scalable training for your whole staff.
  - You’re an SME without endless budget or staff hours.
  - You need compliance-friendly reports at the click of a button.

Most companies use automation for their **day-to-day training**, and occasionally sprinkle in manual campaigns for special cases. That’s often the sweet spot.

---

## Why SMEs in Particular Should Care

Small and mid-sized businesses are juicy targets for attackers but often lack security staff. Hiring consultants is pricey. Running manual campaigns internally eats up scarce time. That’s why automated phishing testing — especially from platforms designed with SMEs in mind, like **AutoPhish** — is so appealing [[24]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).

AutoPhish, for instance, offers:
- **AI-powered, ever-fresh phishing emails** [[19]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).
- **Automated scheduling** (monthly, quarterly, or custom) [[25]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).
- **Quick setup** (under 30 minutes) [[28]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).
- **GDPR-friendly design** with no sensitive data stored [[35]](https://autophish.io/blog/phishing-simulations-as-a-service-explained-smarter-employee-training-with-autophish).

It’s basically enterprise-grade security awareness made accessible for businesses without enterprise budgets.

---

## Wrapping It Up

Phishing is going to keep evolving — attackers aren’t taking a holiday. The best way to stay ahead is to keep your people trained, sharp, and a little skeptical of unexpected emails.

- Manual campaigns are like gourmet, handcrafted training. Impressive, but pricey and limited.
- Automated platforms are like meal kits: reliable, affordable, and scalable. You get variety and consistency without slaving away in the kitchen.

For most businesses, especially SMEs, **automation wins hands down**. It keeps the program running, delivers continuous learning, and doesn’t overload your team. And if you ever want to spice things up with a bespoke spear-phishing test, you can always add a manual one on top.

In the end, what matters most is that you’re testing, training, and turning your employees into your first line of defense. After all, in cybersecurity, a well-trained workforce might just be the cheapest (and smartest) insurance you’ll ever buy.



## Introduction

Cybersecurity budgets are often tight—especially for small and mid-sized enterprises (SMEs). Executives want to know: *Is our investment in security awareness training actually paying off?*  
While phishing simulations and staff education seem like obvious choices, proving their **return on investment (ROI)** can be tricky.

In this article, we break down **how to measure ROI** for security awareness programs, the metrics that matter, and why **AI-driven phishing simulations** can deliver better long-term value.

> 💡 *This article is for informational purposes and does not constitute financial or legal advice.*

---

## Why Measuring ROI in Cybersecurity Is Difficult

Unlike marketing campaigns or sales initiatives, cybersecurity investments aim to prevent bad things from happening. That means ROI is often measured by **losses avoided**—which can be hard to quantify until a breach occurs.

According to the [2024 IBM Cost of a Data Breach Report](https://www.ibm.com/reports/data-breach), the global average cost of a data breach is **$4.45 million**, with phishing as the second-most common cause. For SMEs, even a fraction of that cost can be devastating.

The challenge is to **translate risk reduction into measurable savings**.

---

## The ROI Formula for Security Awareness Training

A common approach to calculating ROI in cybersecurity awareness programs is:

```
ROI (%) = [(Estimated Losses Avoided – Program Costs) / Program Costs] × 100
```

### Step 1: Estimate Potential Losses
- **Data breach costs**: Legal fees, regulatory fines (e.g., GDPR penalties), recovery costs, lost business
- **Operational disruption**: Downtime, lost productivity
- **Reputational damage**: Lost customers, decreased trust

Example: If your estimated potential loss from a phishing attack is €200,000 and effective training can reduce that risk by 70%, your *losses avoided* figure is €140,000.

### Step 2: Calculate Program Costs
- Vendor/platform subscription (e.g., AutoPhish license)
- Internal training time
- Administrative overhead

### Step 3: Run the Formula
If your annual training program costs €20,000 and avoids €140,000 in losses, the ROI is:

```
ROI = [(140,000 – 20,000) / 20,000] × 100 = 600%
```

---

## Metrics That Matter

To make ROI reporting credible, track **both leading and lagging indicators**:

### Leading Indicators (Preventive)
- Phishing simulation click rates
- Reported suspicious email rates
- Training completion rates

### Lagging Indicators (After Incidents)
- Number of phishing incidents per quarter
- Mean time to detect (MTTD) and respond (MTTR)
- Regulatory fines or customer churn after incidents

**Why it matters:** Regulators like the [UK ICO](https://ico.org.uk/) and [ENISA](https://www.enisa.europa.eu/) increasingly expect organizations to show evidence of employee training and proactive risk management.

---

## Case Studies and Industry Evidence

- [**KnowBe4’s 2024 Benchmarking Report**](https://www.knowbe4.com/resource-center/phishing): found that after initial training and simulated phishing, users’ “phish‑prone percentage” dropped from a higher baseline to just 18.9% within 90 days, and further to 4.6% after 12 months.
- [**UK ICO vs. Interserve (2022)**](https://www.theguardian.com/business/2022/oct/24/outsourcer-interserve-fined-4-point-4m-cyber-attack-failings-data-breach-personal-information): A £4.4M fine was issued after a phishing attack. Lack of training and poor patching were cited as key failings. Demonstrating a history of phishing simulations could have reduced liability.
- **US FTC Guidance**: The [FTC](https://www.ftc.gov/business-guidance/small-businesses/cybersecurity) emphasizes training as a baseline security measure—failure to do so can result in enforcement action.


---

## Manual Training vs. AI-Driven Simulations

| Feature                          | Manual/Consultant-Led | AI-Driven (e.g., AutoPhish) |
|----------------------------------|-----------------------|-----------------------------|
| Cost per Campaign                | High                  | Low (subscription)          |
| Frequency                        | Usually Yearly        | Monthly or Continuous       |
| Customization                    | Limited               | High (industry & role-based)|
| Realism                          | Moderate              | High (AI-generated emails)  |
| Reporting & Analytics            | Manual                | Automated                   |
| Scalability                      | Low                   | High                        |

**Why it matters:** With AI-driven phishing simulations, you can run **more frequent, more realistic** campaigns at a fraction of the consultant cost—while collecting data that directly supports your ROI calculation.

---

## Making the Business Case

When presenting ROI to leadership, emphasize:

1. **Risk Reduction**: Quantify the drop in phishing success rates after training.
2. **Regulatory Compliance**: Demonstrate how training supports GDPR/NIS2/FTC expectations.
3. **Cost Efficiency**: Compare the program cost to potential breach costs.
4. **Operational Continuity**: Highlight reduced downtime from security incidents.


---

## Final Thoughts

Measuring ROI for security awareness training isn’t just an accounting exercise—it’s a way to prove that your investment is **reducing real-world risk** and **protecting your bottom line**.

**Key Takeaways**:
- Use a clear ROI formula that includes avoided losses
- Track both leading and lagging security metrics
- Run frequent, realistic phishing simulations for maximum impact
- Document results for compliance and executive reporting

With platforms like **AutoPhish**, SMEs can **maximize training impact**, **minimize costs**, and **generate clear ROI evidence**—turning security awareness from a “nice to have” into a proven business asset.


For small and mid-sized businesses (SMEs), a single phishing email can trigger a cascade of serious consequences: stolen credentials, data loss, reputational damage—and legal action. But is your company legally responsible if an employee falls for a phishing scam?

The answer depends on where you operate and what kind of data is at stake. Across the **European Union (EU)**, the **United Kingdom (UK)**, and the **United States (US)**, laws and expectations vary—but one theme is consistent: **preventative measures matter**.

In this article, we’ll explore:

- What the law says in different jurisdictions
- When companies are held accountable for employee mistakes
- How training and phishing simulations reduce risk

> ⚖️ **This is not legal advice. Always consult a qualified lawyer in your jurisdiction for specific guidance.**

---

## EU: GDPR and NIS2—Training as a Legal Obligation

In the European Union, data protection is governed primarily by the **General Data Protection Regulation (GDPR)** and, more recently, by the **NIS2 Directive**.

### GDPR: The 72-Hour Rule and Beyond

Under Article 33 of the GDPR, organizations must notify their national Data Protection Authority of a personal data breach within **72 hours** of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.

If an employee falls for a phishing email that exposes personal data (e.g., customer emails, HR records, financial details), the organization **must**:

- Notify the regulator
- Potentially notify affected individuals (if the risk is “high”)
- Document the incident and mitigation steps taken

What matters is not whether the phishing attack was sophisticated—it’s whether the company had **adequate safeguards** in place.

### NIS2: Security for Essential and Important Entities

The **NIS2 Directive**, in force since 2023, raises the bar further for businesses in sectors like logistics, transport, finance, health, and digital services. It mandates:

- Cybersecurity risk management
- Regular employee training
- Incident reporting obligations
- Fines for non-compliance

The takeaway? Even if your employee made a mistake, **your liability may hinge on how well you prepared them**.

**Source**: [ENISA Threat Landscape 2024](https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024)

---

## UK: GDPR Clone and Real-World Penalties

Post-Brexit, the UK retained the GDPR framework in the form of the **UK GDPR** and the **Data Protection Act 2018**. Most of the obligations are identical to those in the EU:

- Report data breaches within **72 hours**
- Inform affected individuals if there’s a “high risk” to them
- Maintain an internal record of all breaches and decisions

### Case Study: Interserve Fine (£4.4M)

In 2022, the **ICO** fined **Interserve** £4.4 million after a phishing attack exposed over 100,000 employee records. The ICO cited poor training, outdated software, and insufficient monitoring as key failings—not the employee’s mistake.

In the UK, **employers are expected to create a culture of security awareness**. That means:

- Regular training
- Incident simulations
- Logging and documenting risks and responses

**Source**: [ICO Enforcement Action](https://ico.org.uk/action-weve-taken/enforcement/interserve-group-ltd-en/)\
**Best practice**: [NCSC Small Business Guide](https://www.ncsc.gov.uk/collection/small-business-guide)

---

## US: A Patchwork of Laws with One Message—Act Fast

The United States lacks a single national breach notification law, but all **50 states** have their own statutes. These generally require:

- Notification to affected individuals
- Often within **30 to 60 days** of discovery
- Some states require notification to regulators

States like California, New York, and Colorado have **more stringent requirements**, particularly when sensitive data is compromised.

### Federal Action via the FTC

The **Federal Trade Commission (FTC)** can penalize companies for “unfair or deceptive practices”—including poor cybersecurity. In recent years, the FTC has made it clear that **employee training and phishing prevention** are part of reasonable cybersecurity.

- In 2021, the FTC launched a warning campaign targeting businesses that don’t train employees on social engineering.
- In several enforcement cases, failure to act on known phishing risks was cited as negligence.

**Source**: [FTC Data Breach Response Guide](https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business)

---

## Are You Liable? It Depends on Preparation

While laws vary, the general legal consensus across jurisdictions is:

- You **may not be directly liable** for an employee clicking a phishing link
- But you **can be held liable** if you didn’t take reasonable steps to prevent or mitigate the impact

**What counts as reasonable steps?**

- Documented security training
- Regular phishing simulations
- Strong access control and monitoring
- Clear response plans

Courts and regulators assess whether the breach was **foreseeable** and whether you were **negligent** in preventing it.

> A trained, well-informed team is your best legal defense.

---

## How Phishing Simulations Help

Phishing simulations aren’t just an IT tool—they’re a **compliance and legal risk management tool**.

**Benefits include:**

- Demonstrating due diligence during audits
- Reducing the chance of real-world breaches
- Educating employees with real-life examples
- Logging metrics and improvements over time

Platforms like **AutoPhish** make this easy for SMEs:

- AI-generated phishing tests
- Fully GDPR-compliant
- No real data capture
- Ongoing metrics for accountability

> “We train our people” is a good story. “We simulate, report, and improve” is a better one.

---

## Final Thoughts: Document Everything

When it comes to phishing-related incidents, **your documentation is your insurance policy**. If a regulator calls, you need to show:

- When training took place
- How simulations were conducted
- How quickly you responded to the breach
- Whether affected users were notified (and when)

✅ Keep records\
✅ Update your policies regularly\
✅ Work with legal and IT together

The law may forgive a mistake—but **not a lack of preparation**.

> 🧑‍⚖️ Always consult legal counsel to align your cybersecurity program with local laws and sector-specific requirements.



## Introduction

In 2025, phishing remains the #1 cause of data breaches worldwide. Yet for many European businesses—especially small and mid-sized ones—employee training remains reactive at best. With the rise of AI-generated phishing, tightening EU cybersecurity regulations, and increasing liability for companies, one thing is now crystal clear:

**Phishing simulations are no longer a “nice-to-have"—they are a business necessity.**

This article explores the trends, regulations, and risks that are making phishing simulations essential for all European businesses.

---

## Phishing in 2025: Smarter, Scarier, and More Common

Phishing attacks have evolved. They're no longer clumsy scams from suspicious Gmail accounts. Instead, attackers now use:

* **AI-generated emails** that mimic internal communication styles
* **Real-time data** from LinkedIn or leaked credentials
* **Targeted spear phishing** aimed at decision-makers

According to the [ENISA Threat Landscape 2024 report](https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024), phishing was involved in **over 60% of initial access breaches** in the EU in 2023–24. And this number is rising.

---

## The Legal Perspective: NIS2, GDPR, and Cyber Insurance

### 🛡 NIS2 Directive: Cybersecurity Now a Legal Obligation

As of 2024, the [NIS2 Directive](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive) is fully in effect across the EU. It expands the scope of cybersecurity regulations to **more than 160,000 organizations**, including:

* Medium-sized enterprises (50+ employees)
* Businesses in finance, energy, health, and digital infrastructure
* Public sector suppliers

Among the key requirements:

* **Security awareness training for staff**
* **Incident reporting within 24 hours**
* **Management-level responsibility**

Failing to provide such training—including phishing simulations—can result in **fines up to €10 million** or **2% of global turnover**.

### 🔒 GDPR: Consent, Breach Notification, and Accountability

Even outside NIS2-covered sectors, the GDPR requires businesses to:

* Prevent unauthorized access to personal data
* Report data breaches within 72 hours
* Prove they’ve taken appropriate safeguards

If a phishing email leads to a data breach involving personal data (e.g., HR files, customer info), companies may be found non-compliant if **no preventive measures**, such as employee testing, were in place.

### 🗞 Cyber Insurance Requirements

More insurers now require regular **employee security awareness testing** as a condition for cyber insurance coverage. Without this, claims may be rejected or premiums raised significantly.

---

## Why Traditional Training Fails

Many companies still rely on:

* Annual security webinars
* PDF handouts
* Static “test your knowledge” quizzes

But these approaches fall short because:

* **Real phishing emails aren’t multiple-choice**
* **Employees forget training within weeks**
* **Attackers adapt faster than training materials**

In contrast, **phishing simulations provide real-time behavioral insight**—how people react under pressure, not just what they *know*.

---

## Benefits of Regular Phishing Simulations

Here’s why automated, realistic phishing simulations (like those offered by [AutoPhish](https://autophish.io)) are changing the game:

### ✅ Behavior-Based Training

Simulations teach through **realistic practice**, reinforcing instincts rather than just information.

### 📊 Trackable KPIs

Monitor:

* Open rates
* Click-throughs
* Form submissions
* Reporting behavior

This data lets you **target weak points**—by department, role, or region.

### ↻ Continuous Improvement

Monthly or quarterly tests keep security **top of mind**, not just once a year.

### 💼 Management Reports

Show leadership and auditors measurable progress and risk reduction over time.

---

## Common Objections—and Why They Don’t Hold Up

---

**Objection:** “Our team is too small for this.”  
**Reality:** SMEs are **most vulnerable** and often targeted first.

---

**Objection:** “It might embarrass employees.”  
**Reality:** AutoPhish avoids shaming. It's about **learning, not blaming**.

---

**Objection:** “We outsource IT security.”  
**Reality:** Employee behavior can’t be outsourced. It’s part of your **internal responsibility**.

---

## Best Practices for Phishing Simulations

1. **Start simple**, then increase complexity gradually
2. Use **different vectors** (email, SMS, collaboration tools)
3. Send from **external-looking domains** to simulate real attackers
4. Include **educational feedback** after each test
5. Test **high-risk roles** more frequently (HR, Finance, Executives)

---

## How AutoPhish Can Help

AutoPhish offers **automated phishing campaigns** powered by AI. Our key features:

* 🧠 Realistic, natural-language phishing emails
* 🕵️ Spear phishing simulation for management roles
* 📈 Dashboards to track employee progress
* 🔐 GDPR-compliant, EU-based infrastructure
* 📨 No real email credentials ever collected

Try it at [autophish.io](https://autophish.io)

---

## Conclusion: It’s Time to Act

Phishing isn’t just an IT issue—**it’s a people issue**. And in 2025, the stakes are higher than ever.

✅ Your customers expect strong security
✅ Regulators demand proactive measures
✅ Insurance providers need proof of resilience
✅ Your reputation depends on prevention

**Start simulating. Start improving. Start protecting.**

---

### Further Reading

* [ENISA Threat Landscape 2024](https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024)
* [European Commission – NIS2 Directive](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive)


Cybersecurity training often fails where it matters most: behavior. While companies spend millions on firewalls and endpoint protection, a single click by an employee on a well-crafted phishing email can still bypass all defenses.

Traditional training methods—annual seminars, slide decks, compliance checkboxes—are not enough. They lack context, repetition, and most importantly: realism.

This is where **Phishing Simulations-as-a-Service (PhaaS)** comes in. By automating realistic, behavior-driven phishing tests, platforms like **AutoPhish** provide organizations with a modern, cost-effective way to improve security awareness.

---

## What Is Phishing Simulations-as-a-Service (PhaaS)?

Phishing Simulations-as-a-Service refers to cloud-based platforms that simulate phishing attacks to test and train employees. Unlike one-time workshops or static quizzes, these platforms provide:

- Recurring email simulations
- Role-based targeting (e.g., HR, finance, executives)
- Analytics on user behavior (who clicked, reported, or ignored)
- Just-in-time learning after each simulation

These simulations mimic real phishing threats in tone, structure, and design—often using AI to adapt and diversify content.

The goal isn’t to “trick” employees—it’s to help them **build lasting instincts** through exposure to safe, yet realistic scenarios.

---

## Why PhaaS Is Superior to Traditional Training

### 1. Behavior-Based Assessment

Conventional training tests knowledge. PhaaS tests behavior. This distinction is critical: employees don’t fall for phishing because they lack information, but because they fail to apply it in real-time.

### 2. Continuous Improvement

Cybersecurity is not a one-time event. Regular testing ensures that awareness remains high and adapts to evolving threats. Monthly or quarterly phishing campaigns establish cybersecurity as an ongoing responsibility.

### 3. Measurable Risk Reduction

With each test, you gain actionable data:

- Click-through rates
- Reporting rates
- Repeat offenders
- Departmental risk profiles

This data enables targeted interventions and compliance reporting.

### 4. Cost Efficiency

According to IBM's "Cost of a Data Breach 2024" report, the average breach costs €4.45 million globally. Phishing simulations reduce breach likelihood at a fraction of that cost. Services like AutoPhish offer predictable pricing and automated delivery—ideal for small and mid-sized enterprises (SMEs).

### 5. Smarter Than Manual Campaigns by Consultants

While cybersecurity consultants can craft bespoke phishing campaigns, they are often expensive, limited in scope, and hard to scale. AutoPhish, by contrast:

- **Delivers fresh, relevant campaigns regularly** using AI-generated content
- **Frees up CISOs and security teams** to focus on critical threats and incident response
- **Avoids reliance on manual creativity**, which is difficult to sustain long-term
- **Costs significantly less**, while providing higher frequency and consistency

For companies without a dedicated security awareness team, AutoPhish provides enterprise-grade simulation capability out-of-the-box.

---

## How AutoPhish Delivers PhaaS

AutoPhish is a European phishing simulation platform designed to be:

- Automated and scalable
- GDPR-compliant
- Powered by AI for content generation

### Key Features:

- **AI-generated phishing emails** that evolve over time
- **Spear phishing simulations** for high-risk roles
- **Detailed reports** for CISOs, IT admins, or DPOs
- **Education modules** triggered after interaction with phishing attempts
- **No credential capture**—simulations are safe by design

The platform runs monthly or custom-timed campaigns and includes industry-specific templates (e.g., banking, logistics, health care).

---

## The Science Behind Effective Phishing Simulations

Behavioral science supports learning by doing. Research by the National Cyber Security Centre (UK) and MITRE suggests that repeated exposure to simulated threats:

- Builds cognitive familiarity
- Encourages pattern recognition
- Improves threat detection over time

Moreover, simulations allow for **safe failure**. Employees who fall for a test receive immediate, contextualized feedback, turning a mistake into a microlearning moment.

---

## Compliance and Legal Considerations

Under the **NIS2 Directive**, businesses in the EU must:

- Implement risk management and security training measures
- Ensure incident readiness and reporting

Phishing simulations qualify as part of these compliance strategies—especially when:

- Conducted regularly
- Accompanied by training feedback
- Documented for audits

AutoPhish is fully compliant with GDPR. It collects no personal data beyond internal login metadata (e.g., email address) and does not store passwords or real user inputs.

---

## Getting Started

Launching a PhaaS program with AutoPhish typically takes less than 30 minutes:

1. Define your target group(s)
2. Schedule campaigns (monthly, quarterly, ad hoc)
3. Monitor results via dashboard
4. Share learnings with employees

No installation is required, and the platform integrates with standard email environments like Microsoft 365 and Google Workspace.

---

## Conclusion

Phishing Simulations-as-a-Service is not just a trend—it’s a necessary shift in how businesses approach cybersecurity training.

By simulating realistic threats, reinforcing behavior, and enabling continuous improvement, PhaaS helps companies reduce risk without overloading their teams.

**AutoPhish** makes this process simple, safe, and scalable—helping your employees become the firewall.

---

## Further Reading & Sources

- IBM Security: [Cost of a Data Breach 2024](https://www.ibm.com/reports/data-breach)
- ENISA: [Threat Landscape 2024](https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024)


Autophish Blog

Role-Based Phishing Simulations: Finance, HR, IT & Execs — Scenarios, Guardrails, and Metrics

How Phishing Works in 2025: The Modern Kill Chain (Email, QR, Deepfakes, and SaaS)

10 Wild Phishing (and Phish-Adjacent) Stories from 2024–2025 – including important Lessons Learned

Privacy-Friendly Phishing Training: Works Councils, Consent, and GDPR Essentials

Automated Phishing Testing vs. Manual Campaigns: Which Is Best for Your Business?

Open-Source Phishing Simulation Tools vs. Managed Solutions: A Technical and Business Comparison

Measuring the ROI of Security Awareness Training

Am I Liable If My Employee Falls for a Phishing Attack?

Why Phishing Simulations Are No Longer Optional for European Businesses in 2025

Phishing Simulations-as-a-Service Explained: Smarter Employee Training with AutoPhish

Ready to Fortify Your Defenses?