Social Engineering & Awareness | ITanic
Cybersecurity Social Engineering & Awareness
Employees as targets

Your employees are your strongest line of defense.

Over 90% of all successful attacks start with people, not technology. We simulate phishing, CEO fraud, and voice phishing under real-world conditions. You’ll see exactly where your team is vulnerable.

Phishing Simulation Q1 2025 (completed)
Clicked the link: 34%
Login credentials entered: 18%
Incident reported: 8%

Click-through rate by department:
Accounting: 71%
Sales: 52%
Management: 38%
IT Department: 14%
The problem

Technical security is worthless if people can bypass it.

Firewalls, antivirus software, and EDR protect against automated attacks. Professional attackers bypass all of these by simply calling an employee, sending a credible email, or posing as a technician.

Many companies conduct training once a year using a PowerPoint presentation. That’s not enough. Only by testing under real-world conditions can you truly know how your team will react.

91% of all cyberattacks start with a phishing email.
82% of data breaches are caused by human error.

Employees are unaware of the real danger

Theoretical knowledge isn't enough. Unless you've experienced a real-world simulation, you won't be able to recognize a targeted attack on your company in time.

No measurement, no improvement

Without simulation, you won't know where your team stands. Click-through rates, reporting rates, and risk groups remain hidden until a real attack brings them to light.

CEO fraud costs companies millions

Fake payment orders from someone posing as the CEO are the most costly social engineering attacks. Average loss per incident: over 130,000 euros.

01 Simulations

Real-world attacks. Controlled conditions. Measurable results.

We simulate the methods used by real attackers. Each scenario is tailored specifically to your company, your industry, and current attack trends.

Phishing
Email · Mass Attack · Credential Harvesting
CEO Fraud & Spear Phishing
Targeted · Personalized · Invoice Fraud
Voice Phishing
Vishing · IT Support Impersonation · Pretexting
Smishing & QR Phishing
SMS · QR codes · Fake login · Mobile
Planning
Tailor scenarios to your company's specific needs
Define target groups and departments
Develop pretexts and attack patterns
Simulation
Run a campaign without prior notice
Track click-through rates and responses
Measure reporting behavior and response time
Report
Management Summary for Executive Management
Technical Report with Campaign Analysis
Recommendations in 3 priority levels
This is what a real phishing attack looks like
From: it-support@ihr-unternehmen-helpdesk.com (1)
To: m.wagner@ihr-unternehmen.at
Subject: ⚠ Urgent: Your password expires in 24 hours (2)
Immediate action required: Account verification

Dear Ms./Mr. Wagner,

Our system has detected that your business account will be suspended in 24 hours unless you verify your login credentials immediately.

Please click the following link to secure your account:
→ Verify account now: ihr-unternehmen-portal.helpdesk-login.net/verify (3)

Kind regards
IT Support Team | Ihr Unternehmen GmbH

(1) Fake sender domain
The address sounds familiar, but it doesn't come from your company. "ihr-unternehmen-helpdesk.com" is an external domain that mimics the real one, "ihr-unternehmen.at". In the inbox, many email clients display only the display name, not the domain.
(2) Artificial urgency
Time pressure is the most effective social engineering tactic. When people act under pressure, they don't think things through. That's exactly the goal: getting them to click quickly without thinking.
(3) Phishing link
At first glance, the URL looks familiar. The actual domain is at the very end: "helpdesk-login.net" is the fake one. Any login credentials entered there go straight to the attacker.
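The rule behind markers (1) and (3) is mechanical: the registered domain is the rightmost part of the hostname, whatever brand name is placed in front of it. The following Python is an added example (not the vendor's tooling) that applies that rule to the sender address and the link from the sample mail; the trusted domain and the brand token are assumptions taken from the sample, and the short public-suffix list is a stand-in for the real Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Assumed from the sample mail: the company's real domain and its brand token.
TRUSTED_DOMAINS = {"ihr-unternehmen.at"}
BRAND_TOKENS = {"ihr-unternehmen"}
# Minimal stand-in for the Public Suffix List (two-label suffixes only).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.at", "or.at", "ac.at"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that is actually registered,
    e.g. 'ihr-unternehmen-portal.helpdesk-login.net' -> 'helpdesk-login.net'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(value: str) -> str:
    """Extract the hostname from 'Name <addr>', a bare address, or a URL
    (scheme optional, as links are often written in a mail body)."""
    bracketed = re.search(r"<([^>]+)>", value)
    if bracketed:
        value = bracketed.group(1)
    if "@" in value and "/" not in value:          # plain email address
        return value.rsplit("@", 1)[1]
    if "://" not in value:                          # 'host/path' without scheme
        value = "http://" + value
    return urlsplit(value).hostname or ""           # urlsplit strips userinfo


def classify(value: str) -> str:
    """'trusted', 'look-alike (<domain>)' or 'external (<domain>)'."""
    host = host_of(value)
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Brand name present in the host but registered elsewhere: the marker (1)/(3) case.
    if any(token in host for token in BRAND_TOKENS):
        return f"look-alike ({domain})"
    return f"external ({domain})"


if __name__ == "__main__":
    for item in ("IT-Support <it-support@ihr-unternehmen-helpdesk.com>",
                 "ihr-unternehmen-portal.helpdesk-login.net/verify",
                 "https://portal.ihr-unternehmen.at/login"):
        print(f"{item:60} -> {classify(item)}")
```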
Do you know how many of your employees would click on a phishing email?
Most companies underestimate the risk until they see the numbers in black and white.
Schedule an initial consultation
02 Report & Training

After the attack comes clarity. Then improvement.

Simulation alone isn't enough. The final report identifies the risks. Training addresses them. And the documentation proves it.

Training Schedule and Content

01

Analysis of Results and Final Report

After the simulation, you will receive a comprehensive final report: a management summary, a technical report with campaign analysis, detailed click-through rates by department, and prioritized recommendations in three tiers.

Report
02

Management Presentation of the Findings

We present the results directly to management or the IT manager. Figures, risk groups, and recommended actions are presented clearly and without jargon.

Presentation
03

Awareness Training for At-Risk Groups

The training is directly based on actual results. Employees can see how their own department performed. Attack patterns, identifying characteristics, and the proper response in an emergency.

Workshop
04

Certificates and NIS2 Documentation

All training participants will receive a certificate. The entire program is documented in accordance with NIS2 standards: date, participants, content, and results. This can be used as official proof of compliance.

NIS2 certification
05

Repeat simulation to measure success

After the training session, a second simulation will be conducted upon request. You will see exactly how click-through rates and reporting rates have changed.

optional
Simulation, reports, training, and certificates—all from a single source.
Everything you need for NIS2 compliance and real improvement.
Schedule an initial consultation
Why ITanic

Simulations that really hit the mark.

Generic phishing templates provide little insight. What matters is a scenario that your employees believe is real.

No hype. Real results.

Simulations run without warning. This is the only way to get realistic click-through rates instead of estimates based on a pre-selected test group.

No one-size-fits-all solution. Your business, your scenarios.

Company names, industry sectors, typical internal processes, and current attack trends are incorporated into every scenario. Employees believe it’s real because it feels real.

Measurable. Before and after the training.

Click-through rates, response rates, and risk groups are documented. You can see exactly where improvements have been made, not just whether they have.

NIS2 compliance and GDPR compliance—all from a single source.

Complete documentation for the authorities; no analysis of personal data without HR approval; compliant with Austrian labor law.

FAQ

Your questions about phishing simulations.

Simulation
Are employees informed about the simulation in advance?
No, that would be counterproductive. The simulation is conducted without prior notice to employees. Company management and relevant stakeholders, such as HR and IT, are involved in advance, but the workforce is not. This is the only way to obtain realistic results.
Can specific individuals or departments be excluded?
Yes. We will work with you to define the scope and exclusions in advance. Individuals in particularly sensitive roles, employees on parental leave, or other exceptions can be identified in advance.
What happens if an employee actually clicks on the link?
After clicking, the employee is immediately redirected to a neutral information page that explains what just happened and why. No data is collected, and no real login credentials are stored. The goal is to educate, not to catch anyone out.
Results and Training
How are the results analyzed, and who has access to them?
Results are analyzed exclusively at the department level, not as a list of individual names. We will determine in advance, in consultation with you, who will receive the reports. All data will be treated confidentially and processed in compliance with the GDPR.
Does the training meet the NIS2 requirements?
Yes. NIS2 requires affected companies to implement regular security awareness measures and document them. We provide simulations, training, and comprehensive documentation that can be used as evidence of NIS2 compliance.
How often should simulations be repeated?
At least once a year, ideally two to three times a year. Attackers are constantly adapting their methods, and the benefits of a single training session fade after a few months. We recommend an annual cycle: simulation, training, and a repeat simulation.
Next step
Training helps prevent problems. But if someone does click on a link, someone needs to catch it.
View Detection & Response

Do you know how secure your team really is?

A simulation will show you where the real risks lie in your company in just a few weeks. No theory, no guesswork.

Free and with no obligation
NIS2 documentation included
GDPR-compliant, tailored to HR needs