About OFFCEPT
Built by operators who spent years breaking into networks before building a company around it.

Most breaches start with a click

Phishing & Social Engineering

Most breaches start with a person clicking something they should not. We replicate the exact techniques attackers use, from weaponised attachments and credential harvests to fake phone calls and impersonation, to find out who falls for it and help them get better.


Simulate the real thing

A one-hour awareness video does not prepare anyone for a well-crafted spear phishing email. Our campaigns are based on real attacks seen in the wild. Same techniques, same pressure, same psychology.


We write each email by hand to match the lures, sender profiles, and payload delivery methods that threat groups are actually using against your sector right now. No templates.

We use publicly available information about your employees and executives to craft targeted emails. The same reconnaissance and lure building process a real attacker would use.

We call your employees with a convincing story and test whether they will hand over credentials, reset MFA, or do something they should not.

SMS campaigns that look like delivery notifications, IT alerts, or authentication prompts, the same lures modern phishing operators rely on.

We try to walk through your front door. Tailgating, impersonating vendors, dropping USB sticks in common areas. Testing whether your physical security holds up.

Attack Channels

Four channels. One programme.

Most Common

Email

Weaponised attachments, credential harvest pages, domain spoofing. Written by hand to match real campaigns.

Rising

Voice (Vishing)

Phone calls impersonating IT support, executives, or vendors. Testing whether employees hand over credentials or bypass controls.

Fastest Growing

SMS (Smishing)

Delivery notifications, authentication prompts, IT alerts. The same lures mobile-first phishing operators rely on.

Overlooked

Physical Access

Tailgating through the front door, impersonating contractors, dropping USB sticks in common areas. Testing your physical controls.

4 Channels Covered

Custom Lures

Ongoing Campaign Cycles

Measurable Results

How It Works

How a phishing programme works

01 Reconnaissance

We gather publicly available information about your organisation: email formats, employee roles, internal jargon, vendor relationships. Exactly as an attacker would.

02 Campaign Execution

We run the campaigns manually across whatever channels make sense for your threat profile: email, SMS, phone calls, or physical access attempts.

03 Measure & Report

We track clicks, credential submissions, and response times. Every interaction is logged so you can see exactly where the risk is, without exposing personal data.

04 Train & Re-Test

High-risk employees get targeted training, then we test again to see if it worked. Multiple campaigns over time build habits that stick.

Case Study

Healthcare group reduces phishing susceptibility by 71% across 4,000 employees

71% Susceptibility Drop | 4,000 Employees | Healthcare Sector

First campaign: 38% click rate. By the third, 11%. OFFCEPT's reporting showed exactly where the risk concentrated, which made it easy to justify keeping the programme running.

Director of Information Security

Multi-Site Healthcare Group

Test your team before someone else does

We run phishing campaigns built from the same playbooks attackers are using right now. Emails, phone calls, SMS, physical access. Find out who clicks before someone with worse intentions figures it out.
