Phishing as a Service

Strengthening the Human Network of Your Organization against Phishing Threats

Phishing as a Service (PHAAS)

Why our PHAAS solution in raising security awareness is so unique?

Our PHAAS solution supports organisations in improving their resilience against phishing attacks by emphasising
psychological and cognitive factors of employees.

Phishing emails are constantly improving. Are your employees aware of these advanced phishing attacks and are they able to recognize phishing emails? If you are targeted by an advanced phishing attack, how will your organization respond and what can you do to improve your phishing resilience?


We have probably all dealt with phishing attempts, emails coming from a ‘Nigerian prince’ or a long lost ‘relative’ offering you a tremendous amount of money. These examples are easily filtered nowadays, as the effectiveness of spam filters has greatly increased over the years. Even if such a phishing attempt does get through to your inbox, it is probably easily identified by you. These phishing attempts are also called ‘mass-phishing’ emails, phishers send out thousands of messages hoping that the small percentage of people who click will earn them money. However, phishers nowadays have found a more sophisticated way of phishing; ‘spear-phishing’. With spear-phishing phishers put a lot of effort in crafting their emails to make them look legitimate, winning your trust and making you do anything they want you to do. Do you know how your organization will respond to such targeted phishing attack?

Our approach

World's first "Personality based Phishing as a Service"© approach

Screen Shot 2016-06-12 at 19.07.53

With Phishing as a Service, we use six steps for each phishing scenario to raise the awareness within your organisation:

01. Intake
Together, we think about what phishing scenarios could be used and for what groups of employees. By dividing your employees into logical groups, results will be more fine grained and you will, for example, be able to view results on a departmental level. Then we think about the email and website content. What will appeal to your employees, what information are attackers likely to use and when can we best send the phishing email? 

02. Development
We will create the phishing email and phishing website. The email will contain a link to this tailor made phishing-website. On this website we can actually measure how many employees click the link in the phishing email, and ask employees to provide various pieces of information, such as a questionnaire, personal information and username/password-combinations.

03. Validation
Once you are satisfied with the content of the phishing email and website, the IT department and the helpdesk should be informed about the phishing test. In doing so, we ensure that all employees will receive the email and can reach the website and thus make sure that the data is an actual representation of the level of awareness of your employees, and not your technical measures.

04. Execution
If all is set, we will send the phishing emails on the predetermined time. During the execution phase, we will monitor for any responses and we will analyse employee behaviour. By doing so, we are able to directly let you know if there are any complaints or escalations by your employees during the execution of the phishing test.

05. Psychological Assessment
After sending the email, we will do an in-depth analysis of the results. By reporting on group level we provide you with meaningful insights, while preserving the individual’s privacy. Furthermore, we will do an in-depth analysis to check how many of the employees clicked on the links in the phishing emails. Those employees are then invited to participate in a online Psychological Assessment to identify their information needs. Once data is collected and analysed, a tailored Phishing Awareness training is provided.

06. Results

After the tailored Phishing Awareness training is provided, based on these results, we jointly determine the approach for the second phishing scenario.

After executing the first phishing scenario, it is time to explain to your employees what has happened and why. By giving your employees insight into the statistics and the impact that a phishing attack could have on your organisation, you will already create a higher level of awareness. By leveraging this momentum, you can reinforce the awareness with additional awareness materials and trainings such as our e-learning module, workshops, seminars, various awareness materials or gamification. With these methods we can teach your employees everything about phishing. From the psychology behind the various phishing techniques, to the technological aspects phishers utilize to deceive you. This turns your employees into a stronger line of defence against phishing

We are not just able to provide such services on an ad-hoc basis, but also on a continuous service basis. Whether you send it to just one department or 100.000 employees, we will track the responses and provide you with insights in how your organization responds.

Frequent statistics updates
Our PhaaS service allows frequent statics updates depending on your needs. Using our charts, you can see within minutes what the current state is of the security maturity of your weak link. These statistics include data about the clicks over time, the sizes of used groups, clicks per department, used operating system and the used browser.

Tailor made
All our phishing mails and e-learnings are tailor made depending on your industry and the current security awareness within your company. Our phishing mails are made using our in-house developed PhaaS phishing tools. By using HTML and CSS, any professional design can be created to maximize the quality of the email and website.

How to defend your corporate reputation 
Organizations are often directly targeted with phishing emails by attackers. These attacks usually aim to trick an employee to disclose credentials or to share sensitive information. Besides resolving this challenge, organizations are now facing a second challenge. Attackers start abusing their brand name to gain trust at the companies’ most important segment: the customer. Read more about how to defend your corporate reputation in our whitepaper.