
Phishing Simulation

Test your people before attackers do.

Find out how vulnerable your organisation is to social engineering. Tailored campaigns or a managed platform - we measure what e-learning modules cannot show.

500+ campaigns · up to -86% click rate · GDPR-compliant
  • of data breaches involve a human factor (Verizon DBIR 2024)
  • phishing campaigns conducted
  • click rate reduction after 12 months (KnowBe4 2025)
  • click rate in first test (KnowBe4 Benchmark 2025)

Why e-learning alone does not protect

Compliance training conveys knowledge - but does not change behaviour. Only employees tested under realistic conditions learn to spot the difference.

3-second decision

Under time pressure, gut instinct decides - not the knowledge from the last e-learning module. Phishing emails strike exactly at that moment.

Click rate ≠ training score

Employees who pass every training course with 100% still click on phishing emails. Only a realistic simulation reveals the true picture.

$4.5M per incident

The average cost of a data breach (IBM). A regular phishing simulation is the most cost-effective prevention measure available.

Real-world example

Anatomy of a phishing email

This realistic mock-up shows the typical warning signs in a phishing email. Watch as the 5 most common red flags are revealed step by step - exactly how we test your employees.

Spotting the 5 warning signs

1. Spoofed sender address

The display name says "Deutsche Kredit Bank AG", but the real address is service@dk-bank-sicherheit.com - an unrelated domain that has nothing to do with the bank.

2. Impersonal greeting

Your real bank knows your name. "Sehr geehrter Kunde" ("Dear customer") is a sign of a mass phishing campaign sent to thousands of recipients.

3. Artificial time pressure

"Within 24 hours" and an account suspension - the classic scare tactic. Reputable companies do not set such short deadlines by email.

4. Spoofed link

The button promises the official site, but the real URL is dk-bank-sicherheit.com/verify - a phishing domain. Always check where a link actually points.

5. Request for sensitive data

No reputable company asks you by email to enter passwords, TANs or credit card details. Never log in via a link in an email.

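The five red flags in the mock-up above are also the checks a mail-security team can automate on the receiving side. The following Python script is an added example written for this page, not AWARE7's code or part of its platform: it parses a raw message and reports each flag it finds (display-name brand vs. sender domain, generic salutation, urgency wording, visible link text pointing to a different host than the href, and requests for passwords/TANs/card data). The brand allowlist, the ".example" domain standing in for the bank's real domain, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the mock-up above; the "official" domain is a
# placeholder (.example), not a real bank's domain.
PHISHING_EML = """\
From: "Deutsche Kredit Bank AG" <service@dk-bank-sicherheit.com>
Subject: Wichtig: Kontosperrung verhindern
Content-Type: text/html; charset=utf-8

<html><body><p>Sehr geehrter Kunde,</p>
<p>Ihr Konto wird innerhalb von 24 Stunden gesperrt, sofern Sie Ihre Daten nicht bestätigen.</p>
<p><a href="https://dk-bank-sicherheit.com/verify">https://www.deutsche-kredit-bank.example/login</a></p>
<p>Bitte geben Sie Ihr Passwort und eine TAN ein.</p></body></html>
""".encode("utf-8")

# Constructed legitimate counterpart: own domain, personal greeting, no links.
LEGIT_EML = """\
From: Deutsche Kredit Bank AG <service@deutsche-kredit-bank.example>
Subject: Ihr Kontoauszug ist da
Content-Type: text/plain; charset=utf-8

Guten Tag Frau Muster,
Ihr Kontoauszug liegt im Online-Banking bereit.
""".encode("utf-8")

# Assumed allowlist: brand as written in display names -> domains it really sends from.
KNOWN_BRAND_DOMAINS = {"deutsche kredit bank": {"deutsche-kredit-bank.example"}}

GENERIC_GREETING = re.compile(r"\b(sehr geehrter? (kunde|kundin|nutzer)|dear (customer|user|client))\b", re.I)
URGENCY = re.compile(r"\b(innerhalb von \d+ (stunden|tagen)|within \d+ (hours|days)|gesperrt|kontosperrung|suspended)\b", re.I)
CREDENTIAL_TERMS = re.compile(r"\b(passwort|password|tan|pin|kreditkarte|credit card)\b", re.I)


class _Links(HTMLParser):
    """Collects (href, visible text) for every <a> and all visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def _host(value):
    """Hostname of a URL or bare domain; None if the value is not URL-like."""
    value = value.strip()
    host = urlparse(value if "://" in value else "http://" + value).hostname
    return host.lower() if host and "." in host else None


def analyse(raw: bytes) -> dict:
    """Score a raw RFC 5322 message against the five red flags; returns findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Brand in the display name, but the address domain is not the brand's own
    display, address = parseaddr(str(msg["From"] or ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in display.lower() and sender_domain not in domains:
            findings.append(f"sender: display name '{display}' but domain {sender_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    parser = _Links()
    if body is not None and body.get_content_type() == "text/html":
        parser.feed(content)
        content = " ".join(parser.text)
    text = f"{msg['Subject'] or ''} {content}"

    # 2. Impersonal salutation typical of mass campaigns
    if (m := GENERIC_GREETING.search(text)):
        findings.append(f"greeting: generic salutation '{m.group(0)}'")

    # 3. Artificial time pressure / threat of suspension
    if (hits := sorted({m.group(0).lower() for m in URGENCY.finditer(text)})):
        findings.append("urgency: " + ", ".join(hits))

    # 4. Visible link text names one host, the href goes to another
    for href, shown in parser.links:
        shown_host, real_host = _host(shown), _host(href)
        if shown_host and real_host and shown_host != real_host:
            findings.append(f"link: text shows {shown_host} but href goes to {real_host}")

    # 5. Request to enter passwords, TANs or card data
    if (terms := sorted({m.group(0).lower() for m in CREDENTIAL_TERMS.finditer(text)})):
        findings.append("credentials: asks for " + ", ".join(terms))

    return {"score": len(findings), "findings": findings}


if __name__ == "__main__":
    for name, raw in (("phishing sample", PHISHING_EML), ("legitimate sample", LEGIT_EML)):
        result = analyse(raw)
        print(f"{name}: {result['score']}/5 red flags")
        print("\n".join("  - " + f for f in result["findings"]))
```

Running the script reports all five flags for the constructed phishing sample and none for the legitimate one. The checks are deliberately simple heuristics: the link check compares exact hostnames (so "www.bank.example" vs "bank.example" would count as a mismatch), and a production filter would compare registrable domains and score the signals rather than treat each as a hard hit.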

Two models

Tailored or as a managed service

Choose between personal support from our social engineering experts or a self-service managed platform.

Recommended

Manual Phishing Simulation

Personal support from our experts

  • Handcrafted, individual phishing emails
  • Spear phishing, CEO fraud and industry-specific scenarios
  • Dedicated point of contact for the entire campaign
  • Detailed report with management summary
  • Ideal for one-off baseline tests and targeted campaigns

From €3,000 per campaign

Managed Phishing Platform

Self-service platform via phished.io

  • AI-driven, automated phishing campaigns
  • Your own dashboard with real-time statistics
  • Hundreds of ready-made templates in 30+ languages
  • Continuous, automated campaigns
  • Integrated micro-learnings after every click failure

Available as a monthly retainer

Not sure which model fits? Free consultation in 15 minutes.

Attack scenarios

Typical scenarios from our campaigns

Every scenario is individually tailored to your organisation - from the sender address to the pretext:

CEO Fraud / BEC

Spoofed instructions from senior management. Test whether your finance team responds to fraudulent wire transfer requests.

Business Email Compromise · Wire Fraud

Credential Harvesting

Fake login pages for Microsoft 365, VPN portals or internal tools. How many employees enter their credentials?

Fake Login · M365 Phishing

Malware Simulation

Fake invoices, applications or supplier emails with simulated malicious attachments - without any real risk.

Payload Delivery · Macro Documents

QR Code Phishing (Quishing)

Manipulated QR codes on posters, in meeting rooms or on business cards. We also test physical attack vectors.

Quishing · Physical Vector

Spear Phishing

Highly personalised attacks on specific individuals or departments - with OSINT research and tailored pretexts.

OSINT · Targeted Attack

Custom scenario?

We develop industry-specific scenarios to your specifications.

Discuss scenario

Manual vs. Managed - the comparison

Both models have their strengths. The ideal solution? Often a combination - manual baseline test, then managed for ongoing operations.

              Manual Simulation            Managed Platform
Scenarios     Individually handcrafted     Hundreds of ready-made templates
Support       Dedicated point of contact   Self-service + support
Frequency     1-4x per year                Continuous / automated
Languages     German & English             30+ languages
Reporting     Management report as PDF     Real-time dashboard
Ideal for     Baseline & deep-dive test    Ongoing operations & measurement

Maximum impact? Manual baseline test + managed retainer for ongoing operations.

How it works

From enquiry to campaign in 5 steps

  1. Briefing & Goal Definition: Together we define target groups, scenarios and success metrics. Which departments will be tested? Which attack scenarios are realistic for your organisation?
  2. Campaign Design: Our social engineering experts develop tailored phishing emails, landing pages and pretexting scenarios - aligned to your company structure and industry.
  3. Execution & Monitoring: The campaign is rolled out and monitored in real time. We capture open rates, click rates, credential entry rates and reporting rates.
  4. Analysis & Report: Detailed results report with benchmarks, department comparisons, risk assessment and concrete recommendations for action.
  5. Sustainable Improvement: On request, we support you with regular follow-up campaigns. Security awareness is not a one-off project - it is a continuous process.

GDPR & Compliance

Privacy-by-design as standard

Phishing simulations involve personal data - which is why GDPR compliance is not an afterthought for us, but a core component of every campaign.

Anonymised evaluation

Results at department level only

Works council-ready

Pre-coordination with works council & DPO

No individual exposure

Individuals are never identified

Data stored in Germany

Infrastructure on German servers

ISO/IEC 27001 certified
BSI-qualified
GDPR-compliant
500+ campaigns conducted

Why organisations trust AWARE7

What sets us apart from other providers

Pure awareness platforms do not test systems. Pure consulting groups are too far removed. AWARE7 combines both: we hack your infrastructure and train your staff - geared to the Mittelstand, personal, without enterprise overhead.

Research and teaching as the foundation

Around 20% of our revenue comes from research projects for the BSI and the BMBF. Our studies analyse millions of websites and tens of thousands of phishing emails - published at ACM and Springer conferences. Two of our executives are also professors at German universities.

Digital sovereignty - no compromises

All data is stored and processed exclusively in Germany - without US cloud providers. No freelancers, no subcontractors in the value chain. All staff are employed on regular, socially insured contracts and bound by the same legal obligations. VS-NfD-compliant on request.

Fixed price within 24h - predictable project timelines

Within 24 hours you receive a binding fixed-price quote - no hourly-rate risk, no additional claims, no surprises. A well-rehearsed team and standardised processes give you a clear schedule with a defined start and end date.

Your dedicated contact - reachable at any time

A personal project manager accompanies you from the first conversation to the re-test. You book appointments directly with your contact - no ticket systems, no call centre, no switching between changing consultants. Continuity builds trust.

Who are we the right partner for?

Mittelstand with 50–2,000 employees

Companies that need real security - without paying for a DAX-corporation service provider. Fixed price, clear scope, one point of contact.

IT managers & CISOs

Those who have to make a convincing case internally - and need a report written in boardroom language for it, not just technical findings.

Regulated industries

KRITIS, healthcare, financial services: NIS-2, ISO 27001, DORA - we know the requirements and deliver evidence that auditors accept.

Contributions to industry standards


OWASP · 2023

OWASP Top 10 for Large Language Models

Prof. Dr. Matteo Große-Kampmann as a contributor in the core team of the internationally recognised OWASP LLM security standard.


BSI · Allianz für Cyber-Sicherheit

Management von Cyber-Risiken

Prof. Dr. Matteo Große-Kampmann as a contributor to the official BSI handbook for corporate management (German edition).

Organisations that rely on AWARE7 phishing simulations

Your phishing experts

Our social engineering specialists develop realistic campaigns for your organisation.

Target groups

Who benefits from a phishing simulation?

Phishing attacks target every industry and every level of the hierarchy. These groups benefit most.

All employees

Every employee is a potential entry point. Broad campaigns show where the greatest risks lie within the organisation - cross-departmental and reported anonymously.

Executives & C-level

CEO fraud and Business Email Compromise target decision-makers directly. Spear phishing scenarios with personalised context test exactly the attack vectors most commonly used at executive level.

Finance & HR

Accounting and HR manage sensitive data and payment approvals. Attackers use fake invoices, IBAN changes and malware-laden job applications. Targeted scenarios for these departments are particularly effective.

IT departments

Even IT professionals are not immune to social engineering. Technically sophisticated attacks - such as fake support requests, vendor impersonation or manipulated update links - test security behaviour exactly where privileged access is managed.

NIS-2 affected organisations

The NIS-2 Directive requires technical and organisational measures to demonstrate attack resilience. Regular phishing simulations are a verifiable component of an ISMS and support compliance documentation with supervisory authorities.

Organisations after a phishing incident

Companies that have already been targeted have a particular need for action. A post-incident simulation analyses which gaps exist in the human security layer - and provides the foundation for a targeted training programme for lasting improvement.

“We thought our employees knew what phishing looks like. The simulation by AWARE7 proved us wrong - and in a way that does not single anyone out, but creates lasting awareness. Three months later, we had halved the click rate.”

Information Security Officer

Public authority, NRW - 1,200 employees

Frequently asked questions

Your questions about phishing simulation

A phishing simulation is a controlled test in which realistic but harmless phishing emails are sent to your employees. The goal is to measure current awareness levels and improve them in a targeted way - without any real risk to your organisation.

In a manual simulation, our experts develop individual, handcrafted phishing scenarios with personal support throughout the campaign. With a managed simulation, we provide you with a professional platform (phished.io) that allows you to run campaigns independently on an ongoing basis.

That depends on your strategy. We generally recommend an unannounced initial test to get a realistic baseline result. Awareness measures can then be communicated and progress measured with follow-up tests.

Very realistic. Our experts use current attack techniques that real attackers also use: spear phishing with personalised content, fake login pages, CEO fraud scenarios and industry-specific pretexts.

Costs depend on scope and model. A one-off manual campaign starts from around €3,000. Managed phishing via phished.io is available as a monthly retainer model. We will provide you with an individual quote within 24 hours.

Yes. We work exclusively with anonymised results at department level. Individuals are never identified or exposed. The simulation is coordinated with your works council and data protection officer beforehand.

For sustainable results, we recommend at least quarterly tests. Studies show that click rates return to baseline levels within 6 months after a single campaign. Continuous campaigns keep awareness permanently high.

Fundamentally, any organisation is a potential target. Particularly at-risk industries include financial services, healthcare, public authorities, critical infrastructure operators and industrial companies. NIS-2-affected organisations also have a legal obligation to demonstrate technical and organisational measures for attack resilience.

They are redirected to an awareness landing page that explains what just happened and which warning signs the email contained. No blame, no pressure - instead a learning moment right at the moment of the mistake. This "just-in-time training" is demonstrably more effective than traditional e-learning modules.

Yes, and this is strongly recommended. We support you with a sample works agreement template and advise you on presenting the project. The key point: only anonymised department-level results are reported. Individual employees are never identified or sanctioned.

How phishing-resilient is your organisation, really?

Find out - with a professional simulation. We will provide you with an individual quote within 24 hours. Free and non-binding.

Free · 30 minutes · Non-binding

Cookie-free analytics via Matomo (self-hosted, no tracking cookie). Privacy policy