IronSights

Human Security · Awareness Training

Your people are your biggest risk. Train them.

Security awareness training and phishing simulation programmes that create measurable behavioural change in Australian workforces.

91 per cent of successful cyber attacks start with a phishing email. Technical controls matter, but a trained workforce is your most resilient layer of defence. We test, train, and measure.

Australian-relevant scenarios
Phishing, vishing & smishing
Essential Eight aligned

What we deliver

More than a checkbox. Measurable change.

A phishing simulation is only valuable if it leads to behaviour change. Our programme runs in cycles — simulate, train, measure, repeat.

Every campaign mapped to Essential Eight controls and documented for insurance and compliance purposes.

Phishing simulations

Realistic campaigns targeting your entire workforce. We track who clicks, who reports, and who ignores — giving you a genuine risk score per employee.

Targeted training

Users who fail a simulation receive immediate, role-specific training. Australian-relevant examples in plain English, not generic US content.

Vishing & smishing

Simulated phone and SMS attacks on your staff. Tests whether people give out sensitive information to an authoritative-sounding caller or click on fake parcel delivery links.

Risk reporting

Department and individual risk scores tracked over time. Identify your highest-risk users for targeted follow-up and demonstrate improvement to insurers.

What's included

Every attack vector, every role.

Eight distinct components across email, phone, SMS, and compliance reporting. Delivered as an integrated programme, not isolated exercises.

Spear phishing campaigns

Targeted email campaigns using real employee names, realistic sender domains, and believable pretexts.

BEC simulation

Business email compromise scenarios targeting finance, HR, and executive assistants — the most commonly attacked roles.

Vishing testing

Simulated phone calls from IT support, the ATO, and other trusted entities to test whether staff give up sensitive information.

Smishing campaigns

Fake parcel delivery, myGov, and bank SMS messages sent to employee mobile numbers.

Interactive training modules

Short scenario-based modules delivered automatically to users who fail a simulation. Mobile-friendly and completion-tracked.

Department risk scoring

Click rates, credential capture rates, and call compliance rates broken down by department and role.
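The risk reporting and department risk scoring described above come down to aggregating simulation outcomes per department and per person. The following is an added illustration, not IronSights' own tooling: it rolls a constructed set of campaign results (email, SMS and phone) into click rate, credential capture rate, call compliance rate and report rate per department, ranks the highest-risk employees, and shows the change in click rate between a baseline and a follow-up campaign. The per-employee weighting is an assumption chosen for the example, not a published scale.

```python
"""Roll up phishing/vishing/smishing simulation results into department
and per-employee risk figures. Sample data below is constructed for this
example and does not come from any real campaign."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str      # e.g. "C1" baseline, "C2" follow-up
    employee: str      # pseudonymous id
    department: str
    vector: str        # "email", "sms" or "phone"
    clicked: bool      # followed the lure link (email/sms)
    submitted: bool    # entered credentials on the landing page
    reported: bool     # used the report-phishing button / told IT
    disclosed: bool    # gave information to the simulated caller (phone)


# Constructed sample: two campaigns, three departments, seven staff.
SAMPLE = [
    Result("C1", "e001", "Finance", "email", True,  True,  False, False),
    Result("C1", "e002", "Finance", "email", True,  False, False, False),
    Result("C1", "e003", "Finance", "email", False, False, True,  False),
    Result("C1", "e004", "HR",      "email", True,  True,  False, False),
    Result("C1", "e005", "HR",      "email", False, False, False, False),
    Result("C1", "e006", "IT",      "email", False, False, True,  False),
    Result("C1", "e007", "IT",      "email", False, False, True,  False),
    Result("C1", "e001", "Finance", "phone", False, False, False, True),
    Result("C1", "e004", "HR",      "phone", False, False, True,  False),
    Result("C2", "e001", "Finance", "sms",   True,  False, False, False),
    Result("C2", "e002", "Finance", "sms",   False, False, True,  False),
    Result("C2", "e003", "Finance", "sms",   False, False, True,  False),
    Result("C2", "e004", "HR",      "sms",   False, False, True,  False),
    Result("C2", "e005", "HR",      "sms",   True,  True,  False, False),
    Result("C2", "e006", "IT",      "sms",   False, False, True,  False),
    Result("C2", "e007", "IT",      "sms",   False, False, False, False),
]


def _rate(num, den):
    return round(num / den, 3) if den else 0.0


def department_metrics(results, campaign):
    """Per-department rates for one campaign. Email/SMS lures feed the click,
    credential-capture and report rates; phone calls feed call compliance
    (information disclosed) and the report rate."""
    buckets = defaultdict(lambda: {"lures": 0, "clicked": 0, "submitted": 0,
                                   "calls": 0, "disclosed": 0,
                                   "targets": 0, "reported": 0})
    for r in results:
        if r.campaign != campaign:
            continue
        b = buckets[r.department]
        b["targets"] += 1
        b["reported"] += r.reported
        if r.vector == "phone":
            b["calls"] += 1
            b["disclosed"] += r.disclosed
        else:
            b["lures"] += 1
            b["clicked"] += r.clicked
            b["submitted"] += r.submitted
    return {
        dept: {
            "click_rate": _rate(b["clicked"], b["lures"]),
            "credential_capture_rate": _rate(b["submitted"], b["lures"]),
            "call_compliance_rate": _rate(b["disclosed"], b["calls"]),
            "report_rate": _rate(b["reported"], b["targets"]),
        }
        for dept, b in buckets.items()
    }


def employee_risk(results):
    """Per-employee score across all campaigns: 3 points for handing over
    credentials or information, 1 for a click, minus 1 for each report.
    These weights are an assumption for illustration only."""
    scores = defaultdict(int)
    for r in results:
        scores[r.employee] += 3 * (r.submitted or r.disclosed) + r.clicked - r.reported
    return dict(scores)


def highest_risk(results, n=3):
    """Employees ranked by score (descending), ties broken by id."""
    ranked = sorted(employee_risk(results).items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:n]


def click_rate_change(results, baseline, follow_up):
    """Change in click rate per department between two campaigns
    (negative means improvement)."""
    before = department_metrics(results, baseline)
    after = department_metrics(results, follow_up)
    return {d: round(after[d]["click_rate"] - before[d]["click_rate"], 3)
            for d in before if d in after}


if __name__ == "__main__":
    for camp in ("C1", "C2"):
        print(camp, department_metrics(SAMPLE, camp))
    print("highest risk:", highest_risk(SAMPLE))
    print("click-rate change C1->C2:", click_rate_change(SAMPLE, "C1", "C2"))
```

Report rate is computed alongside click rate deliberately: a department whose staff click less but also report less has not necessarily improved, whereas rising reports give the security team an early-warning signal that the page describes as an active detection layer.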

Essential Eight mapping

Training completion documented against ACSC Essential Eight User Application Hardening control.

Insurance documentation

Awareness training evidence pack structured for cyber insurance application and renewal requirements.

Australian-relevant content

Generic training using American examples doesn't resonate the same way. Our simulations use Australian businesses, government agencies, and services your staff encounter every day.

  • ATO tax refund phishing
  • myGov credential harvesting
  • Australia Post parcel delivery smishing
  • Westpac and CommBank impersonation
  • NSW Government contractor pretexting
  • ASIC and APRA regulatory notices

How a campaign works

Four stages from baseline measurement to ongoing programme. Tracks improvement over time and builds a culture of security awareness rather than a one-off exercise.

  • Stage 1: Baseline simulation, run without prior warning, to measure the starting click rate
  • Stage 2: Targeted training for users who clicked, plus a general module for all staff
  • Stage 3: Follow-up simulation using a different attack vector
  • Stage 4: Monthly or quarterly ongoing programme across varied attack types

What changes

Lower click rates, measured over time.

Four concrete outcomes from every awareness training engagement, tracked across campaigns from day one.

Human layer strengthened

Staff who recognise phishing attempts stop them before technical controls are ever tested. The human layer becomes your most resilient defence, not your weakest link.

Risk scores reduced

Click rates tracked per department and role over every campaign. The data shows improvement — and identifies the pockets of risk that need additional attention.

Compliance demonstrated

Training completion records suitable for Essential Eight reporting, cyber insurance applications, and Privacy Act compliance documentation.

Incidents prevented

Fewer phishing-driven breaches. Fewer credential compromises. Staff who report suspicious emails rather than click them become an active detection layer.

Common questions

Awareness training questions answered.

  1. Do you notify staff before running a phishing simulation?

    For a true baseline measurement, no. The initial campaign runs without prior warning to your staff, which is the only way to get an honest click rate. We do notify your IT team and any relevant stakeholders beforehand so there are no surprises at the management level.

  2. What happens when someone clicks in a simulation?

    They're immediately redirected to a short training page explaining what to look for and how they were deceived. A more comprehensive training module is then assigned for completion within a defined timeframe. We track completion and report on it.

  3. How many simulations should we run?

    A single simulation gives you a baseline. To see measurable improvement, we recommend a minimum of three simulations over six months, varying the attack type each time. An ongoing quarterly programme is the most effective approach for sustained behavioural change.

  4. Does this support our cyber insurance requirements?

    Yes. Most Australian cyber insurers now require evidence of regular phishing simulations and staff awareness training. Our programme generates completion records, click rate reports, and improvement data in a format suitable for insurance applications.

  5. How does this fit with Fortify managed security?

    Phishing simulations and awareness training are included in every Fortify engagement as standard. The same programme is also available as a standalone service for organisations not yet on Fortify.

Find out where you stand

Run a simulation. See who clicks.

A baseline phishing simulation shows your real human risk score before an attacker does. We can have one running across your organisation within a week.