Elementrica
03Case Studies04References05Company06News07Contact
PLENDE

PHISHING CAMPAIGNS

Phishing campaigns: measure people’s real susceptibility, not their test knowledge

We run controlled, realistic phishing campaigns and measure who clicked, who entered data and who reported the attack. You get hard numbers and material to build awareness that works.

Realistic scenarios tailored to your companyMeasuring clicks, data entry and reportsSafe, ethical campaign deliveryA report ready for awareness work

WHY IT MATTERS

The best technical controls are bypassed by one well-written email

Most serious breaches start with a person, not a code flaw. A slide-based training tells you what people know. A controlled campaign shows how they really behave under the pressure of a genuine message.

This is not about catching anyone out. It is about hard data: what percentage clicks, how many enter data and how many employees report the attack to the security team. Those numbers show where awareness investment really pays off.

WHAT WE DO

A realistic campaign, a measurable result

01
Scenario design
We build credible messages tailored to your company and sector.
02
Capture pages
Safe login pages that measure data entry without storing it.
03
Behavior measurement
We track clicks, data entry and, most importantly, reports.
04
Education material
We deliver findings and guidance to base your further training on.

We run campaigns ethically, with respect for employees. The goal is learning, not shaming.

OUR APPROACH

We measure behavior, not declarations

Awareness you have not measured is just an assumption. So instead of asking whether employees recognize phishing, we test it with a real but safe message and count actual responses.

The most important metric is not the click rate but the report rate. A company where people quickly report suspicious messages is genuinely safer than one where they simply click less often.

COMPLIANCE

Proof of awareness building that regulators expect

Regular phishing tests and staff education are part of security and awareness requirements.

NIS2
Part of required cyber hygiene and staff training.
ISO 27001
Evidence of security awareness activity (A.6).
DORA
Support for awareness programs within ICT risk management.

STANDARDS & CERTIFICATIONS

We work to recognized methodologies, not gut feeling

Every project is run by certified pentesters and based on public standards. That makes the result repeatable, auditable and comparable across vendors.

Team certifications
OSCPOSCPOffSec
OSEPOSEPOffSec
OSWEOSWEOffSec
OSEDOSEDOffSec
OSWAOSWAOffSec
OSWPOSWPOffSec
BSCPBSCPPortSwigger
CPTSCPTSHack The Box
CBBHCBBHHack The Box
CWEECWEEHack The Box
CRTOCRTOZero-Point Security
CREST CRTCREST CRTCREST
CREST CPSACREST CPSACREST
ISO 27001 LAISO 27001 LAISO/IEC
Azure Security EngineerAzure Security EngineerMicrosoft
Security Operations AnalystSecurity Operations AnalystMicrosoft
Security AdministratorSecurity AdministratorMicrosoft
OSCPOSCPOffSec
OSEPOSEPOffSec
OSWEOSWEOffSec
OSEDOSEDOffSec
OSWAOSWAOffSec
OSWPOSWPOffSec
BSCPBSCPPortSwigger
CPTSCPTSHack The Box
CBBHCBBHHack The Box
CWEECWEEHack The Box
CRTOCRTOZero-Point Security
CREST CRTCREST CRTCREST
CREST CPSACREST CPSACREST
ISO 27001 LAISO 27001 LAISO/IEC
Azure Security EngineerAzure Security EngineerMicrosoft
Security Operations AnalystSecurity Operations AnalystMicrosoft
Security AdministratorSecurity AdministratorMicrosoft
Methodologies
MITRE ATT&CKOSINTPTES
Team certifications
OSEPOSCP

We share the full list of certifications and standards on request, together with a sample test scope.

HOW WE DO IT

A campaign run in stages

01
Planning
We define goals, groups and scenarios tailored to the company.
02
Preparation
We build messages and safe measurement pages.
03
Delivery
We run the campaign in a controlled, ethical way.
04
Measurement
We collect data on clicks, data entry and reports.
05
Report
We deliver findings and recommendations for further education.

EVIDENCE

Numbers behind every promise

Every test is run by certified pentesters, and we document the result with reproduction steps, evidence and a verified remediation path. Proof, not a promise.

500+
security tests and audits completed
5.0
average score from 10 verified Clutch reviews
20+
offensive certifications across the team
01
Certified team
20+ offensive certifications across the team (OSCP, OSEP, OSWE, CREST). Tests are run by our people, not anonymous subcontractors.
02
Manual testing
We work by hand to PTES and OWASP, chaining seemingly small flaws into a real, proven attack path.
03
Evidence, not a promise
Every finding comes with reproduction steps and a working proof. A report that holds up in front of an auditor.
04
Retest included
After fixes are deployed we confirm in writing that the gaps are closed. We do not vanish once the PDF is sent.

KNOWLEDGE

A controlled phishing campaign in practice

What a controlled phishing campaign is

A controlled phishing campaign is a safe simulation of a real attack on employees, run with your consent. Its purpose is to measure how the organization responds to manipulation, not to catch specific individuals.

Phishing is still the most common way into a company, because it bypasses technical controls and targets the human. So it is worth testing this resilience in safe conditions before an attacker does.

How we run the campaign

We prepare a realistic scenario and a message tailored to your company context, then send it to an agreed group of recipients. We measure who opened the message, who clicked and who entered data on the prepared page.

We match the scenarios to real risk: from simple attempts to polished impersonations of known services or colleagues. Everything happens within safe boundaries, without any real account takeover.

What we measure and how we report without shaming

We report metrics at the organization level: click rate, data submission and, just as important, the rate of reporting a suspicious message. The latter shows whether employees know how to react.

We deliberately do not build a wall of shame. The goal is to improve the resilience of the whole team, and singling out individuals only discourages reporting incidents in the future.

What you get and how to use it

You get a clear picture of phishing susceptibility and recommendations, including which groups and scenarios need the most attention. The results feed directly into a security awareness training program.

The greatest value comes from a cycle: campaign, training, repeat campaign. That is when you see a real drop in click rate and a rise in reporting, a measurable improvement rather than a one-off result.

FAQ

Common questions

Do you store employee passwords?

No. The measurement pages only record the fact that data was entered, without saving the passwords themselves. The metric matters, not the content.

Will this harm employee relations?

We run campaigns ethically, with a focus on learning. Results are shared in aggregate, and the goal is awareness, not blame.

How often should we repeat it?

Ideally on a cycle, because awareness fades. Repeated campaigns show the trend and the effectiveness of training over time.

Do you combine this with training?

Yes. Campaign results are the best starting point for targeted security awareness training.

RELATED

Related reading

CASE STUDIES

Case studies in this area

REFERENCES

“The project was delivered professionally and on time, with a strong grasp of both technology and business. We were impressed by their cybersecurity expertise and partnership approach.”
M
Mateusz Widenka
Head of Delivery, Order Group
Clutch★★★★★5.0 · 10 reviewsRead all reviews on Clutch

FIRST STEP

Start with a free consultation

Tell us what you want tested. Within 24 hours you get a proposed scope and next steps. You talk to a consultant who understands the technical side, not a salesperson.

Get in touch
No obligation · we reply within 24 h · your data stays confidential
Methodology
PTES · OWASP
Team
20+ certifications
Rating
5.0 on Clutch
What you get
A scope proposal matched to your risk
A report with evidence and reproduction steps
Remediation priorities by real impact
A retest after fixes are deployed
Asia, ElementricaKacper, ElementricaGrzesiek, Elementrica
A member of our team runs the call, and we reply within 24 hours. No bots, no call center.