Most programs optimize for the wrong number — and a handful of typical mistakes destroy the trust they were meant to build.
30 minutes, research-based: reporting rate over click rate, law & co-determination, campaign design, 90-day playbook.
An internal phishing campaign means sending your own employees harmless test phishing emails to rehearse the real thing before it happens. Sounds simple — it isn't. There are two seemingly contradictory stories about phishing tests: some studies show barely any effect, others show clear improvement. The difference almost always lies in the how, not the whether.
That's exactly where this training comes in. It's built on the doctoral research of Webguardiola founder Fabian Hable on overconfidence bias in the phishing context, and summarizes what studies, NIST recommendations and practice from hundreds of campaigns actually show — compact, with citations, without marketing promises.
Eight chapters, condensed into 30 minutes — from the right metric to a ready-to-use 90-day plan.
Why the reporting rate matters more than the click rate — and how to weigh both correctly.
Why studies seem to contradict each other — and what's actually known about the effectiveness of phishing tests.
Involving data protection and employee representation cleanly from the start — before the first test email goes out.
Which lures destroy trust (bonus emails, termination threats) and which campaigns actually create learning.
Reporting rate, lure difficulty per the NIST Phish Scale, and management reporting without individual tracking.
From foundation (law, reporting channel) through a baseline wave to a role-based cadence — step by step.
Webguardiola does not run phishing campaigns on employees itself. This training is for the people planning their own campaign — regardless of which simulation tool is used. It shows how a program builds culture instead of mistrust: a campaign trains only one attack channel; lasting security only emerges together with continuous awareness learning. That's exactly what the Webguardiola e-learning is built for.
A sample from the training — each point is explained in detail with citations.
Punishing creates fear and cover-ups instead of reports — destroying exactly the culture you're trying to build.
Salary and bonus emails as lures permanently destroy trust — the industry's classic PR disaster.
Long text walls after a click make people confident, not better. Short feedback works better.
If only the post-click page teaches, only clickers learn. An organization-wide debrief reaches the majority.
Without the reporting rate you only see half the truth — and without a difficulty rating, click rate alone says little.
A low click rate on an easy lure isn't good news. The NIST Phish Scale makes waves comparable.
Mistake 07 — "Law & representation too late" — and all details, sources, and the full 90-day playbook are in the training itself.
IT administrators, security leads, CISOs and data protection officers — activated on the Webguardiola cloud platform. Not the general workforce: for all employees there's the regular security awareness training.
The training is continuously expanded with new insights — new studies, new attack patterns, new case law. Not a SCORM download, but a living resource on the platform.
30 minutes for your security team, research-based and continuously updated. Write to us — we'll activate the training for your program owners.
Inquire now →For the general workforce: test the security awareness training for free →