Phishing Simulation · EMAIL · QR · VISHING

Ethical attack on employees and in-the-moment training

We run real phishing campaigns: email, spear, QR, vishing. You get numbers on team vulnerability and micro-training for the ones who fail the test.

With a report broken down by team, vulnerable-role analysis and a security awareness plan.

DEMO · #PS-1408
campaign · day 3/7

Phishing funnel · 482 emails

Received: 482
Opened: 318 (66%)
Clicked: 94 (19%)
Entered creds: 27 (5.6%)
Reported: 12 (2.5%)

Scenarios

All the typical social engineering techniques

Email campaigns

Realistic emails: fake HR notifications, accounting, IT, suppliers. Clickable links and lookalike forms.

Spear phishing

Targeted attack on executives and key staff using OSINT and personal details.

QR phishing (quishing)

QR codes in emails and physical locations — bypassing email filters via mobile devices.

Vishing — calls

Phone-based social engineering: "IT support", fake HR, supplier impersonation to grab data.

What we measure

Numbers training and decisions can lean on

Click-rate

How many opened the email, clicked through, entered creds. Segmented by team.

Report-rate

Who reported the suspicious email to IT or security. Ideal value — close to 100%.

Vulnerable cohorts

Which teams / roles are most exposed. Targeted training — precise, not blanket.

Micro-training

Anyone who fails gets a short post-mortem: what went wrong, how to spot it next time.

Who it's for

Any team of 50+ people

/ 01

Corporate HR / Security

Rolling out a security awareness programme — you need before/after numbers to show ROI.

/ 02

Growing companies

The team has grown to 50+ people, so it is time to check resilience to social engineering systematically rather than hope for the best.

/ 03

Fintech & finance

Regulatory pressure plus a high cost of mistakes. Targeted training of accounting managers and executives.

/ 04

Teams post-incident

After a real incident — checking whether team behaviour actually changed or the pattern will repeat.

How it goes

Five steps from inquiry to report

1

Inquiry and alignment

Set the campaign size, scenarios, window, exclusions and report format.

2

Scenario prep

Crafting emails, landing pages, attack infrastructure. Approved by the client before launch.

3

Campaign launch

Email waves, QR collateral, vishing calls — on the agreed schedule.

4

Metrics + nudge

Real-time tracking + micro-training for the ones who failed.

5

Report and plan

Report with team-level segmentation and a plan for the next iteration (in 3–6 months).

Inquiry

Launch a phishing campaign

Describe the team and the scenarios you want. Details and approvals — in DevBay's secure chat.

  • Ethical attack with written agreement
  • Click/report metrics broken down by team
  • Micro-training for the ones who failed
  • All campaign materials handed over to the client


What's next: after submission a dialog opens in the internal chat. We approve scenarios, sign off the emails and set the launch window there.

Ready to measure your team's resilience to social engineering?

Describe the team and desired scenarios — we'll build an approved campaign, run it and hand over the metrics and a training plan.