Phishing simulation for businesses: a practical 2026 guide
How to plan, run, and measure a phishing simulation campaign. Methodology, templates, timing, and results analysis for SMBs.
Companies that regularly simulate phishing attacks reduce their click rate by 75% on average within 12 months (SANS Security Awareness 2025). This figure makes one thing clear: theoretical awareness training is not enough. Only real-world, controlled, measured, and repeated exposure to simulated attacks can produce lasting behavioral change against phishing.
The difference between a traditional training session and a phishing simulation is the same as the difference between a driving class on a whiteboard and an actual driving lesson on the road. Research in cognitive psychology shows that retention of theoretical training drops by 80% after 30 days without hands-on practice (Ebbinghaus, forgetting curve). By contrast, an employee who experiences clicking on a simulated phishing email - and immediately sees what they should have spotted - encodes that reflex into long-term memory.
This guide is designed for business leaders, IT managers, and CISOs at SMBs who want to build a structured, effective phishing simulation program that complies with French legal requirements. You will find the complete methodology, from preparing your first campaign to detailed analysis of 12-month results, including the five types of simulations you need to master and the mistakes to avoid. All data cited comes from the SANS Institute 2025, Gartner Security & Risk Management 2025, Proofpoint State of the Phish 2025, and Verizon DBIR 2025 reports.
To understand the threat these simulations are designed to counter, see our full guide to phishing in the workplace with 2026 statistics.
What is a phishing simulation and why run one
A phishing simulation is the controlled sending of fake phishing emails to an organization's employees, with the goal of measuring their vigilance and improving their detection reflexes. Unlike a pentest (penetration test), which targets technical vulnerabilities in the infrastructure, a phishing simulation targets the human factor exclusively. The goal is not to compromise a system but to assess and strengthen employees' ability to identify a phishing attempt.
Why theory alone falls short
The data from Gartner Security & Risk Management 2025 is unambiguous: purely theoretical awareness programs have a measurable impact of less than 15% on click rates at six months. In other words, six months after a standard training session, employees click almost as often as before.
The reason is neurological. Experiential learning activates episodic memory circuits - the same memory that makes you remember a stovetop is hot after you burn yourself once. An employee who lives through the experience of a simulated phishing attack - the surprise, the realization, the remediation page - encodes an emotional memory that is far more resistant to forgetting than a slide deck about "5 warning signs."
Organizations combining simulation with micro-learning achieve a reporting rate above 70%, compared to less than 10% for theoretical training alone (SANS Institute 2025). The reporting rate - the share of employees who actively report a suspicious email rather than simply ignoring it - is the true indicator of a mature cybersecurity culture.
Legal framework in France: what is allowed, what is not
Phishing simulation in the workplace is legal in France, but it is governed by several regulations that every organization must understand before launching a first campaign.
What is allowed:
- Sending simulated phishing emails to employees as part of a declared awareness program
- Collecting aggregate metrics (click rate by department, trends over time)
- Displaying an educational remediation page after a click
- Using results to guide training - never to impose penalties
What is regulated:
- GDPR: Individual results data constitutes personal data processing. Recommended legal basis: the employer's legitimate interest (securing information systems). Prior information of the individuals concerned is mandatory. Retention period must be limited and proportionate.
- Labor law: The works council (CSE) must be informed before the program is implemented. Individual results cannot be used in disciplinary proceedings.
- CNIL (France's data protection authority): The CNIL recommends transparency about the existence of the simulation program while acknowledging that the element of surprise is necessary for its effectiveness. It is not mandatory to notify employees of the exact date of a campaign.
What is prohibited:
- Using results to penalize, dismiss, or discriminate against an employee
- Collecting excessive data (keystroke logging, screenshots, etc.)
- Running simulations without a legal basis or without informing the individuals concerned
Regulatory requirements: NIS2, SOC 2, and ISO 27001
Beyond the legal framework, compliance standards now explicitly require regular awareness testing. The NIS2 directive (in force since October 2024 in France) requires "cyber risk management measures including staff awareness and training." SOC 2 (Trust Services Criteria) requires "awareness programs including periodic testing." ISO 27001 (control A.6.3) mandates "information security awareness, education, and training." In all cases, phishing simulation is the most direct and measurable way to demonstrate compliance with these requirements. For more on the compliance angle, see our dedicated SOC 2 and ISO 27001 compliance page.
Preparing your first campaign: the 10-point checklist
The success of a phishing simulation program is determined before the first email is sent. Here are the ten preparation steps to follow carefully.
1. Define the objectives
Every phishing simulation campaign must answer a specific question. Is the goal to establish an initial baseline (measure the company's current click rate with no prior reference)? To improve an existing score? To meet a NIS2 or SOC 2 compliance requirement? The objective determines the simulation type, frequency, and success metrics. A baseline requires a simple simulation sent to the entire company. An improvement is measured by the trend of click rates and reporting rates over several months.
2. Get leadership buy-in
Without commitment from senior leadership, a simulation program is doomed to fail. The CEO or executive committee must understand why simulations are necessary, approve the budget and schedule, and - most importantly - agree to be included in the campaigns. Nothing undermines a program faster than a leader who opts out. Present the data: a simulation program costs an average of 10 to 30 euros per employee per year, compared to a median cost of 50,000 euros for a successful phishing incident at an SMB (source: CESIN 2025).
3. Whether to inform managers: the debate
Should managers be warned before a campaign? The debate is legitimate. On one hand, warning them avoids tension and helps manage post-simulation reactions. On the other hand, it biases the results (managers often tip off their teams). The SANS Institute recommends a middle ground: inform managers that the program exists and give them a general sense of the frequency ("simulations will take place every month"), without revealing specific dates or scenarios. This way, they are not caught off guard, but results remain authentic.
4. Choose the scenarios
The scenario is the single biggest factor determining the click rate. A scenario must be realistic (it could be a real email the company might receive), adapted to context (industry, tools in use, current events), and calibrated in difficulty. For a first campaign, start with an easy-to-medium difficulty scenario: package delivery notification, password update, shared document. Save advanced scenarios (spear phishing, BEC) for later campaigns.
5. Configure sending domains
Using a custom sending domain (for example, hr-notifications.yourcompany.com) is significantly more effective than a generic domain (like loginform.net). A custom domain replicates the conditions of a real attack, where threat actors register domains that resemble the target company's. Configure SPF, DKIM, and DMARC records for the simulation domain so that its messages pass authentication checks at the receiving mail gateway - otherwise your simulations will land in spam and you will be measuring your mail filter rather than your employees, which makes the results unusable.
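A pre-flight check a practitioner would run before the first send, as an added example that is not code from the article or from any simulation platform: it takes the TXT record values of the simulation subdomain as strings (so it runs offline; in practice you would fetch them with `dig TXT` or a DNS library) and flags the defects that most often put campaign mail in spam or leave the domain spoofable. The sample records, the `203.0.113.0/24` sending range, and the `.invalid` include target are constructed placeholders; `include:` mechanisms need DNS resolution and are deliberately not expanded here.

```python
"""Offline sanity check of SPF / DKIM / DMARC records for a phishing-simulation
sending domain.  Added example, not part of the original article.  Record
values are passed in as strings; in production fetch them from DNS first."""
import ipaddress

# Constructed sample records for hr-notifications.yourcompany.com (placeholders).
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 include:spf.simulation-platform.invalid -all"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC_PLACEHOLDER_KEY"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourcompany.example"


def parse_spf(txt: str):
    """Return the SPF mechanisms after 'v=spf1', or None if this is not SPF."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]


def spf_authorises(spf_terms, sending_ip: str) -> bool:
    """True if an explicit ip4:/ip6: mechanism covers the platform's sending IP.
    include:/a/mx would need DNS lookups, so this offline check ignores them."""
    ip = ipaddress.ip_address(sending_ip)
    for term in spf_terms:
        t = term.lstrip("+").lower()
        if t.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(t.split(":", 1)[1], strict=False)
            if ip in net:
                return True
    return False


def parse_tags(txt: str) -> dict:
    """Parse the 'k=v; k2=v2' tag list used by DMARC and DKIM records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_simulation_domain(spf_txt, dkim_txt, dmarc_txt, sending_ip) -> list:
    """Return a list of problems; an empty list means the records look ready."""
    issues = []
    spf = parse_spf(spf_txt)
    if spf is None:
        issues.append("SPF: record does not start with v=spf1")
    else:
        if not spf_authorises(spf, sending_ip):
            issues.append(f"SPF: sending IP {sending_ip} is not covered by an ip4:/ip6: mechanism")
        last = spf[-1].lower()
        if last in ("+all", "all"):
            issues.append("SPF: '+all' authorises every sender on the internet; use -all or ~all")
        elif last not in ("-all", "~all"):
            issues.append("SPF: record should end with -all or ~all")
    dkim = parse_tags(dkim_txt)
    if not dkim.get("p"):
        # An empty p= tag is how a DKIM key is revoked; signatures would fail.
        issues.append("DKIM: selector record has no public key (p= missing or empty)")
    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v", "").upper() != "DMARC1":
        issues.append("DMARC: record does not start with v=DMARC1")
    policy = dmarc.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("DMARC: missing or invalid p= policy")
    elif policy == "none":
        issues.append("DMARC: p=none lets real attackers spoof the domain; prefer quarantine or reject")
    return issues


if __name__ == "__main__":
    for problem in check_simulation_domain(SAMPLE_SPF, SAMPLE_DKIM, SAMPLE_DMARC, "203.0.113.25") or ["records look ready"]:
        print(problem)
```

Run it against the records of each simulation subdomain after every DNS change. Passing authentication is necessary but not sufficient: most organisations also register the simulation domain with their mail gateway's phishing-simulation allowlist so that the campaign measures people rather than the filter, and a DMARC `p=none` on the simulation subdomain is worth fixing because a real attacker can reuse a trusted-looking subdomain just as easily as you can.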
6. Define the target audience
For an initial baseline, target the entire company to get a complete picture. For subsequent campaigns, you can segment by department (finance, HR, executive team, technical), by seniority level, by tenure, or by results from previous simulations. Segmentation lets you adapt difficulty and scenarios to each group and pinpoint specific pockets of vulnerability.
7. Plan the timing
Send timing significantly influences the click rate. According to Proofpoint State of the Phish 2025 data, the highest click rates are observed on Tuesday and Wednesday, between 9 AM and 11 AM - the hours when employees process their inbox on autopilot. Avoid Monday mornings (too many accumulated emails, lower attention) and Friday afternoons (mental disengagement). Exclude vacation periods, public holidays, and high-workload periods (financial closes, technical deployments) to avoid skewing results or causing unnecessary stress.
8. Prepare post-failure remediation
Before sending the first email, the remediation page must be ready. This is the page an employee sees after clicking the simulated phishing link. It must be supportive and educational - never guilt-inducing. Recommended structure: "This was a simulation. Here are the 3 clues you could have spotted. Here is a 3-minute module to sharpen your reflexes." Tone matters: an employee who feels tricked or humiliated will never report a suspicious email again.
9. Define success metrics
Before the campaign, decide which metrics you will track and what thresholds you are aiming for. The key metrics are the click rate (percentage of employees who click the link), the submission rate (percentage who enter credentials), the reporting rate (percentage who report the email as suspicious), and the reaction time (delay between send and first click or report). A realistic target for a first campaign: click rate below 20%, reporting rate above 10%.
10. Plan results communication
Decide in advance how and to whom you will communicate results. Aggregate results (by department, by campaign) can be shared broadly - in fact, this is recommended to build collective momentum. Individual results must remain confidential. Present a report to leadership with trends, recommendations, and program ROI. Share department-level scores with teams (without naming individuals) to foster positive competition.
The 5 types of simulations you need to master
Not all phishing simulations are equal. An effective program varies the types of attacks to expose employees to the full spectrum of real-world threats. Here are the five categories, ordered by increasing difficulty.
1. Mass generic email
Difficulty: Easy | Average click rate: 20-30% | When to use: Initial baseline, first campaigns
The generic email replicates the most common phishing campaigns: pending package notification, account security alert, mandatory password update. These simulations are not personalized - the same email is sent to all recipients.
Example scenario: "Your Colissimo package is awaiting delivery. Confirm your address to schedule delivery." With a link to a fake Colissimo page.
These simulations are ideal for establishing an initial diagnosis. A click rate above 25% on this type of simulation indicates insufficient awareness and justifies an intensive training program.
2. Department-targeted email
Difficulty: Medium | Average click rate: 15-25% | When to use: After the baseline, monthly campaigns
The targeted email is adapted to the professional context of the department being tested. HR receives an email about leave or health insurance. Accounting receives an invoice to approve. The technical team receives a monitoring alert. This contextualization makes the email more credible because it fits into the recipient's daily workflow.
Example scenario for accounting: "Invoice #2026-0847: Payment 15 days overdue. Please review the attached invoice and process payment." With an attachment or link to a fake supplier portal.
Example scenario for HR: "Company health insurance update: your coverage is changing on April 1st. Log in to your portal to confirm your new options."
3. Personalized spear phishing
Difficulty: High | Average click rate: 10-20% | When to use: Advanced campaigns, testing high-risk profiles
Simulated spear phishing replicates targeted attacks that use personal information. The recipient's name, their role, a current project, the name of their direct manager - all of these elements are woven into the email to maximize credibility. This type of simulation requires more preparation since each email is personalized.
Example scenario: "Hi [First name], following our meeting yesterday on the [project name] project, I'm sending you the updated summary document. Please review it before Friday's meeting. - [Manager's name]." The link points to a fake OneDrive or Google Drive.
4. Simulated Business Email Compromise (BEC)
Difficulty: Very high | Average click rate: 5-15% | When to use: Annual simulation, testing finance and executive teams
Simulated BEC replicates the most financially damaging fraud scenarios. The email simulates a supplier bank details change request, an urgent wire transfer requested by the CEO, or a payment redirection. These simulations test both individual vigilance and adherence to verification procedures (dual approval for transfers, callback verification).
Example scenario: "[First name], I need you to process a 45,000 euro wire transfer to our new audit partner. This is confidential for now - I'm sending you the bank details. Please process today, the deadline is tight. - [CEO's name]." The email comes from a domain similar to the company's domain (simulated typosquatting).
5. Multi-vector simulation (email + SMS)
Difficulty: Maximum | Average click rate: Variable | When to use: Advanced testing, mature organizations
The multi-vector simulation combines several attack channels to replicate the most sophisticated phishing campaigns. An SMS announces a problem ("Suspicious login attempt on your work account"), followed a few minutes later by an email offering the "solution" (a password reset link). The convergence of both messages significantly reinforces the attack's credibility.
These simulations are reserved for organizations that already have a mature simulation program. They test employees' ability to resist coordinated attack scenarios - a threat that is growing rapidly according to Verizon DBIR 2025 data. To learn more about new multi-channel phishing methods, see our article on quishing, vishing, and smishing.
To learn more about click rates by industry and compare your results to national benchmarks, see our dedicated article on phishing click rate benchmarks by industry.
Anatomy of an effective simulated phishing email
A simulated phishing email must be realistic enough to test employee vigilance without crossing the line into abusive manipulation. Here is a detailed breakdown of each component.
The sender: custom domains make all the difference
The choice of sending domain is the primary credibility factor. Simulation platforms often offer generic domains shared across all their clients. The problem: these domains end up being known and blocklisted, and they do not replicate real attack conditions.
A custom domain, such as hr-portal.yourcompany.com or it-support.yourcompany.com, faithfully replicates the typosquatting technique used by real attackers. Employees need to learn to verify the exact sender domain, and a custom domain trains this critical reflex. This is one of the differentiating features of the nophi.sh platform: every company gets dedicated sending domains.
The subject line: the 10 most effective topics
The email subject line determines whether it will be opened or ignored. According to aggregate campaign data analyzed by Proofpoint, here are the ten most effective subject themes (highest open rate):
- "Password update required": 42% open rate
- "Package awaiting delivery": 39%
- "Unpaid invoice - action required": 38%
- "Your account will be deactivated in 24 hours": 36%
- "Document shared by [colleague's name]": 35%
- "Changes to your health insurance benefits": 33%
- "Suspicious login notification": 31%
- "Invitation to a company event": 29%
- "Exceptional bonus - details to confirm": 28%
- "Update your bank details for salary payment": 27%
The most effective themes exploit three psychological triggers: urgency ("24 hours," "immediately"), authority ("your management," "your bank"), and personal benefit ("bonus," "benefits").
The email body: psychological triggers
A phishing email - real or simulated - systematically exploits one or more psychological triggers documented by Robert Cialdini in his research on influence:
Urgency: "Your access will be suspended in 2 hours unless you confirm your identity." Urgency shuts down analytical thinking and drives impulsive action. It is the most powerful and most commonly used trigger.
Authority: "Message from the IT department: a critical security update is required." The sender positions themselves as an authority figure (management, IT, HR, bank) to suppress questioning.
Curiosity: "A confidential document has been shared with you." Humans are wired to satisfy their curiosity - even when caution should take priority.
Fear: "Suspicious activity detected on your account. Verify immediately." The fear of losing access to a service or of being the victim of an intrusion triggers reflexive clicking.
Reciprocity: "As requested, here is the document." The false context of a past interaction (which the recipient does not remember but does not dare challenge) creates an implicit obligation to respond.
The link: realistic landing page vs. tracking pixel
Two approaches exist for measuring clicks in a phishing simulation.
The tracking pixel (an invisible image embedded in the email) only measures whether the email was opened. This is useful data but insufficient: opening an email is not a risk - clicking a link is.
The landing page is a web page displayed after the user clicks the simulated phishing link. It can be a simple login form (to measure the credential submission rate) or an immediate remediation page (so that each mistake becomes a practical lesson). The landing page with a form provides the most critical data point: how many employees would have entered their credentials in a real attack.
Timing: the most effective hours and days
Data from Proofpoint and the SANS Institute converge on the most "effective" time slots (meaning the ones where employees are most vulnerable):
- Tuesday and Wednesday: click rate 23% higher than the rest of the week
- 9 AM–11 AM: peak clicks, corresponding to morning inbox processing
- 2 PM–3 PM: second peak, corresponding to the post-lunch dip in vigilance
- Monday 8 AM–9 AM: high click rate (weekend backlog, batch processing)
Vary sending days and times between campaigns to expose employees to different situations and prevent them from anticipating simulations.
Analyzing results: beyond the click rate
The click rate is the best-known metric in phishing simulation, but relying on this single indicator is like running a business solely by its revenue. Here are the six key metrics to track and how to interpret them.
Open rate
Definition: Percentage of recipients who opened the simulation email.
Interpretation: A high open rate indicates a credible subject line. It is not a risk metric on its own (opening an email is generally not dangerous), but it validates the quality of the scenario. An open rate below 40% suggests the email did not reach inboxes (technical issue) or the subject line was not convincing enough.
Click rate
Definition: Percentage of recipients who clicked the link in the email.
Interpretation: This is the benchmark metric. According to SANS Institute 2025, the average click rate during a first simulation (baseline) is between 20% and 35% for organizations without a prior awareness program. After 12 months of regular simulations, this rate drops to an average of 3-5%. A rate below 5% is considered excellent by industry standards.
Submission rate
Definition: Percentage of recipients who entered credentials (login, password) on the simulated phishing page.
Interpretation: This is the most alarming metric. An employee who enters credentials on a fraudulent page potentially grants access to the entire information system. The submission rate averages 40 to 60% of the click rate - in other words, more than half of the people who click go on to enter their credentials. Reducing this rate is a top priority.
Reporting rate: the most important KPI
Definition: Percentage of recipients who reported the email as suspicious (via an integrated reporting button or by forwarding to IT).
Interpretation: The reporting rate is the most revealing indicator of an organization's cybersecurity maturity. An employee who reports a suspicious email actively contributes to collective defense. According to the Gartner Security & Risk Management 2025 report, organizations with a reporting rate above 60% have an 80% lower risk of phishing compromise than others (correlation observed by Gartner, not a proven causation). The 12-month target: a reporting rate above 50%.
Reaction time
Definition: Time elapsed between email send and the first click or the first report.
Interpretation: This metric reveals two things. A very short click time (under 2 minutes) indicates impulsive behavior - the employee clicked without thinking. A very short reporting time indicates, conversely, a sharp vigilance reflex. Tracking reaction time across campaigns is an excellent progress indicator.
Multidimensional analysis
Beyond global metrics, analysis by dimension reveals specific pockets of vulnerability:
- By department: Finance and HR teams traditionally show the highest click rates (daily exposure to this type of email). Technical teams have the lowest rates.
- By tenure: New hires (under 6 months) and long-tenured employees (over 10 years) are the most vulnerable - the former due to lack of training, the latter due to overconfidence.
- By role type: High-email-volume positions (executive assistants, customer service, procurement) carry higher risk due to cognitive overload.
- By simulation type: Tracking results by scenario helps identify which psychological triggers the organization is most susceptible to (urgency? authority? curiosity?).
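The metrics defined above and the dimensional breakdown, computed from a campaign's raw event stream, as an added example that is not code from the article or from any simulation platform. The recipient list, the event names (`opened`, `clicked`, `submitted`, `reported`) and the timestamps are constructed for the example; real platforms export their own schema. It adds two checks a practitioner wants that the prose does not spell out: a click arriving seconds after the send is treated as the mail gateway's automatic URL scanning rather than a human click (a heuristic threshold, labelled as an assumption), and department scores for groups smaller than a minimum size are suppressed so that a "department-level" figure cannot identify one person.

```python
"""Phishing-simulation campaign analytics on constructed sample data.
Added example, not part of the original article."""
from statistics import median

# Constructed sample: recipient id -> department.
RECIPIENTS = {"u01": "Finance", "u02": "Finance", "u03": "Finance", "u04": "Finance",
              "u05": "Finance", "u06": "HR", "u07": "HR", "u08": "HR",
              "u09": "IT", "u10": "IT"}

# Constructed sample events: (recipient, event, seconds after the send).
EVENTS = [
    ("u01", "opened", 95), ("u01", "clicked", 130), ("u01", "submitted", 160),
    ("u02", "opened", 300), ("u02", "clicked", 340),
    ("u03", "opened", 410), ("u03", "reported", 470),
    ("u04", "clicked", 2),  # 2 s after send: gateway link scanner, not a person
    ("u04", "opened", 1800), ("u04", "reported", 1900),
    ("u06", "opened", 700), ("u06", "clicked", 760), ("u06", "submitted", 790),
    ("u07", "opened", 900), ("u07", "reported", 930),
    ("u09", "opened", 120), ("u09", "reported", 150),
    ("u10", "opened", 3000),
]


def recipient_outcomes(recipients, events, scanner_window_s=5):
    """Collapse raw events into one outcome record per recipient.
    Clicks earlier than `scanner_window_s` seconds after the send are counted as
    automated scanning (assumed threshold; tune it to your gateway's behaviour)."""
    outcomes = {r: {"opened": False, "clicked": False, "submitted": False, "reported": False,
                    "first_click": None, "first_report": None, "scanner_clicks": 0}
                for r in recipients}
    for recipient, event, t in sorted(events, key=lambda e: e[2]):
        o = outcomes.get(recipient)
        if o is None:
            continue  # e.g. a forwarded copy opened by someone outside the campaign
        if event == "opened":
            o["opened"] = True
        elif event == "clicked":
            if t < scanner_window_s:
                o["scanner_clicks"] += 1
                continue
            o["opened"] = o["clicked"] = True  # a human click implies an open
            o["first_click"] = o["first_click"] if o["first_click"] is not None else t
        elif event == "submitted":
            o["opened"] = o["clicked"] = o["submitted"] = True
            o["first_click"] = o["first_click"] if o["first_click"] is not None else t
        elif event == "reported":
            o["reported"] = True
            o["first_report"] = o["first_report"] if o["first_report"] is not None else t
    return outcomes


def campaign_metrics(outcomes):
    """Rates over all recipients plus reaction-time medians (None when no event)."""
    n = len(outcomes)
    if n == 0:
        return None
    count = lambda key: sum(1 for o in outcomes.values() if o[key])
    clicked, submitted = count("clicked"), count("submitted")
    click_times = [o["first_click"] for o in outcomes.values() if o["first_click"] is not None]
    report_times = [o["first_report"] for o in outcomes.values() if o["first_report"] is not None]
    return {
        "recipients": n,
        "open_rate": count("opened") / n,
        "click_rate": clicked / n,
        "submission_rate": submitted / n,
        "submitted_share_of_clickers": submitted / clicked if clicked else 0.0,
        "reporting_rate": count("reported") / n,
        "median_click_time_s": median(click_times) if click_times else None,
        "median_report_time_s": median(report_times) if report_times else None,
        "scanner_clicks": sum(o["scanner_clicks"] for o in outcomes.values()),
    }


def department_breakdown(recipients, outcomes, min_group=5):
    """Per-department metrics; departments with fewer than `min_group` recipients
    are suppressed so a shared score cannot be traced back to an individual."""
    by_dept = {}
    for r, dept in recipients.items():
        by_dept.setdefault(dept, {})[r] = outcomes[r]
    return {dept: campaign_metrics(o) if len(o) >= min_group
            else f"suppressed (fewer than {min_group} recipients)"
            for dept, o in by_dept.items()}


if __name__ == "__main__":
    outcomes = recipient_outcomes(RECIPIENTS, EVENTS)
    print(campaign_metrics(outcomes))
    print(department_breakdown(RECIPIENTS, outcomes))
```

On the sample data the scanner filter is what keeps u04 out of the click rate: without it the finance team would show a 60% click rate and a sub-5-second "impulsive" reaction time that no human produced. The suppression threshold is a policy choice; whatever value you pick, apply the same one to every report you share with teams.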
Creating an actionable report for leadership
An effective simulation report for the executive committee fits on one page and contains four elements: the click rate compared to the baseline and industry benchmarks, the trend over the past 3-6 months, departments requiring increased attention, and the estimated program ROI (program cost vs. average cost of a prevented incident). Always accompany figures with concrete recommendations. See our article on phishing click rate benchmarks by industry to contextualize your results. To build the ROI argument for your leadership team: cybersecurity awareness ROI.
Post-failure remediation: turning every mistake into a practical lesson
Remediation - what happens after an employee fails a simulation - is the most critical moment of the program. Handled well, every failure becomes a lasting learning experience. Handled poorly, it destroys trust and undermines the entire program.
Immediate micro-learning: the 5-minute window
The "teachable moment" principle is at the heart of phishing simulation effectiveness. When an employee clicks a simulated phishing link, they are in a state of peak attention: the surprise and realization open an optimal learning window. The pedagogical impact is strongest in the 5 minutes following the click.
The immediate remediation module must be short (3 to 5 minutes maximum), specific (focused on the attack type of the simulation), and supportive (no judgment, no penalties). Recommended structure:
- Reveal: "This was a phishing simulation test."
- Explain: "Here are the 3 clues you could have spotted" (annotated arrows on the original email)
- Reinforce: 3-minute interactive module with quiz
- Encourage: "By reporting the next suspicious email, you protect the entire company."
Content adapted to the level of failure
Not all failures are equal. An employee who clicked the link but did not enter credentials had a delayed suspicion reflex - that is actually a positive signal. An employee who entered their full password needs deeper remediation. Adapt the content:
- Click only: Short module (2 minutes) on link verification
- Credential submission: Full module (5 minutes) covering sender verification, link verification, and context assessment
- Repeat failure (failed the previous campaign too): In-depth training path with hands-on exercises
Do NOT punish: encourage reporting
This point is fundamental. Gartner 2025 documents that organizations using phishing simulation results for disciplinary purposes see their reporting rate drop by 75%. The logic is straightforward: if failing a test leads to a penalty, employees stop reporting suspicious emails - out of fear of drawing attention to their own vulnerability.
The right approach: reward reporting rather than penalize failure. Some organizations highlighted by the SANS Institute have implemented "positive gamification" systems: rewarding departments with the best reporting rates rather than stigmatizing those with the worst click rates. The message is clear: "We don't judge you on your mistakes - we commend you for your vigilance."
Enhanced training for high-risk departments
Simulation results help identify departments that need particular attention. For these teams, plan dedicated training sessions (30-minute workshop format), more frequent simulations with scenarios adapted to their professional context, and individualized follow-up (always confidential) for employees with recurring difficulties.
Frequency and 12-month planning
An effective phishing simulation program is planned on an annual cycle, with progressive ramp-up. Here is the calendar recommended by the SANS Institute and validated by Gartner data.
Month 1: Establish the baseline
Send a single simulation to the entire company. Choose an easy-difficulty scenario (mass generic email) to get a representative click rate. This baseline is your reference point for measuring all future progress. Do not share individual results - present only aggregate data to leadership.
Months 2-4: Ramp-up phase
Move to one simulation per month with increasing difficulty. Month 2: generic email on a different theme than the baseline. Month 3: department-targeted email. Month 4: first spear phishing scenario. Each simulation is followed by an immediate remediation module. Share overall trends with teams to build collective improvement momentum.
Months 5-12: Steady-state phase
Increase to two simulations per month, alternating types and difficulty levels. Systematically vary themes to prevent employees from recognizing a simulation "style." Incorporate calendar events: a Black Friday-themed phishing simulation in November, tax returns in April, breaking news events. This variation mirrors real attacks, which exploit current events to maximize impact.
Events to incorporate into your calendar
- January: New Year wishes, bonuses, annual objectives
- March-April: Tax returns, annual review
- May-June: Summer vacation, health insurance
- September: Back to work, new hires, mandatory training
- November: Black Friday, online shopping
- December: Holiday packages, company parties, year-end close
Quarterly reporting to leadership
Each quarter, present a summary report to the executive committee that includes the trend of click rates and reporting rates, comparison against industry benchmarks, departments making progress and those needing increased attention, and recommendations for the next quarter. This regular reporting maintains leadership engagement and justifies renewing the program budget.
Frequently asked questions
Is phishing simulation legal in France?
Yes. Phishing simulation is legal as part of a cybersecurity awareness program, provided you comply with the GDPR (legitimate interest legal basis, informing individuals), labor law (informing the works council (CSE), prohibition of disciplinary use of results), and CNIL (France's data protection authority) recommendations (transparency about the program's existence). Individual results must remain confidential and can under no circumstances justify a penalty. See our compliance page for a full guide to the regulatory framework.
Should employees be warned before a campaign?
The SANS Institute recommends informing employees that a phishing simulation program exists (which is required by the GDPR anyway), without revealing specific dates or scenarios. This approach preserves the element of surprise needed for effective testing while meeting the transparency expected by employees and their representatives. The works council (CSE) must be informed before the program is implemented.
How should you handle employees who fail multiple times?
With care and increased support - never with penalties. Repeat offenders receive an in-depth training path adapted to their risk profile. Some platforms, including nophi.sh, offer adaptive learning paths that automatically adjust difficulty and content based on individual results. As a last resort, for very high-risk profiles (access to sensitive data, financial roles), a supportive one-on-one meeting with the CISO can be arranged - framed as coaching, not as a warning.
What is the ideal simulation frequency?
Data from SANS Institute 2025 and Gartner 2025 agree: one to two simulations per month is the optimal pace. Below one simulation per month, the training effect fades (reflexes weaken after a few weeks without practice). Above two simulations per month, the risk of "simulation fatigue" appears: employees become cynical and stop taking emails seriously. Calibration matters - frequent enough to maintain vigilance, not so frequent that the program loses credibility.
Can you simulate smishing (SMS) in addition to email?
Yes, and it is increasingly recommended. SMS phishing attacks (smishing) have risen 300% since 2023 according to Proofpoint, and click rates on SMS links are up to 8 times higher than on email links (SMS carries a higher level of trust). The most advanced simulation platforms allow you to combine email and SMS in multi-vector scenarios. This is the most advanced level of simulation, reserved for organizations that already have a mature email program. Discover the multi-vector capabilities of nophi.sh.
How to choose between an in-house tool and a SaaS platform?
Building a phishing simulation tool in-house is technically feasible but rarely justified for an SMB. Maintaining email templates, managing sending domains, ensuring GDPR compliance, analyzing results, and updating scenarios represents a significant workload. A dedicated SaaS platform like nophi.sh offers ready-to-use scenarios that are continuously updated, custom sending domains, automated remediation paths, analytical dashboards, and built-in regulatory compliance - for a cost of 10 to 30 euros per user per year. The question is not "can we build this in-house?" but "is this the best use of our IT team's time?"
Conclusion
Phishing simulation remains the most effective tool for building lasting reflexes against phishing. Organizations that simulate regularly reduce their click rate by 75% in 12 months (SANS Institute 2025). The key: progressive ramp-up. Start with a simple simulation to establish your baseline, increase intensity with more advanced and varied scenarios, and follow every failure with supportive, immediate remediation.
Don't let the next real phishing attack be your team's first test. Launch your first simulation in 15 minutes with nophi.sh: custom domains, ready-to-use scenarios, automated remediation, and analytical dashboard included.
To build a full training program around your simulations, see our cybersecurity training guide for SMBs.