Complete training · free to test
NIS2 · ISO 27001 · SCORM · EU-Hosting
WebguardiolaGetting Phishing Campaigns Right
For Admins & Security Leads · Not a Simulation Tool

Internal phishing campaigns that build culture, not mistrust.

The problem

Most programs optimize for the wrong number — and a handful of typical mistakes destroy the trust they were meant to build.

The training

30 minutes, research-based: reporting rate over click rate, law & co-determination, campaign design, 90-day playbook.

Inquire now → What's included?
30 minutes · admins/security only
Continuously updated with new insights
Research-based, with citations

Knowledge is rarely the problem — application is

An internal phishing campaign means sending your own employees harmless test phishing emails to rehearse the real thing before it happens. Sounds simple — it isn't. There are two seemingly contradictory stories about phishing tests: some studies show barely any effect, others show clear improvement. The difference almost always lies in the how, not the whether.

That's exactly where this training comes in. It's built on the doctoral research of Webguardiola founder Fabian Hable on overconfidence bias in the phishing context, and summarizes what studies, NIST recommendations and practice from hundreds of campaigns actually show — compact, with citations, without marketing promises.

Contents

What the training covers

Eight chapters, condensed into 30 minutes — from the right metric to a ready-to-use 90-day plan.

The Two Numbers That Matter

Why the reporting rate matters more than the click rate — and how to weigh both correctly.

What the Science Actually Says

Why studies seem to contradict each other — and what's actually known about the effectiveness of phishing tests.

Law & Co-Determination

Involving data protection and employee representation cleanly from the start — before the first test email goes out.

Campaign Design

Which lures destroy trust (bonus emails, termination threats) and which campaigns actually create learning.

Metrics & Reporting

Reporting rate, lure difficulty per the NIST Phish Scale, and management reporting without individual tracking.

90-Day Playbook

From foundation (law, reporting channel) through a baseline wave to a role-based cadence — step by step.

Not a simulation tool — the knowledge behind it

Webguardiola does not run phishing campaigns on employees itself. This training is for the people planning their own campaign — regardless of which simulation tool is used. It shows how a program builds culture instead of mistrust: a campaign trains only one attack channel; lasting security only emerges together with continuous awareness learning. That's exactly what the Webguardiola e-learning is built for.

The Most Common Pitfalls

Seven mistakes that keep ruining programs

A sample from the training — each point is explained in detail with citations.

01 · "Gotcha" Culture & Sanctions

Punishing creates fear and cover-ups instead of reports — destroying exactly the culture you're trying to build.

02 · Fake Bonus Lures

Salary and bonus emails as lures permanently destroy trust — the industry's classic PR disaster.

03 · Long Lecture Landing Pages

Long text walls after a click make people confident, not better. Short feedback works better.

04 · No Organization-Wide Debrief

If only the post-click page teaches, only clickers learn. An organization-wide debrief reaches the majority.

05 · Click Rate as the Only Metric

Without the reporting rate you only see half the truth — and without a difficulty rating, click rate alone says little.

06 · Lures Without a Difficulty Rating

A low click rate on an easy lure isn't good news. The NIST Phish Scale makes waves comparable.

Mistake 07 — "Law & representation too late" — and all details, sources, and the full 90-day playbook are in the training itself.

Who It's For

A training for those responsible, not for everyone

Who gets it

IT administrators, security leads, CISOs and data protection officers — activated on the Webguardiola cloud platform. Not the general workforce: for all employees there's the regular security awareness training.

Always current

The training is continuously expanded with new insights — new studies, new attack patterns, new case law. Not a SCORM download, but a living resource on the platform.

FAQ

Frequently Asked Questions

No. Webguardiola does not run phishing campaigns on your employees and doesn't offer a tool for it either. This training is e-learning for the people planning or running their own campaign — it teaches how to set up a campaign in a research-based, legally sound way, regardless of which simulation tool you use.
For administrators and security leads who plan, run or evaluate an internal phishing campaign — IT security officers, CISOs, data protection officers and anyone internally responsible for the program. It's not a training for the general workforce.
The click rate only shows who got fooled — the reporting rate shows whether your organization has a culture where incidents are reported instead of hidden. On industry average, only about one in five to six test emails gets reported; mature programs achieve several times that. A low click rate on an easily recognizable lure is also not good news — without a difficulty rating (e.g. per the NIST Phish Scale), click rate alone says little.
A phishing test measures how individual employees react — in most jurisdictions this touches data protection and, in some cases, co-determination rights (e.g. works council for behavior or performance monitoring). The training shows how to involve data protection, employee representation and communication from the start — before the first test email is sent.
About 30 minutes. The training is activated exclusively on the Webguardiola cloud platform for administrators and security leads — not as a SCORM package, since it's aimed at program owners, not the entire workforce. It's continuously expanded with new insights.
It's part of the Business offering and is priced individually based on company size and scope. A short email inquiry is enough — we'll get back to you with a concrete proposal.

The campaign that builds culture — not mistrust.

30 minutes for your security team, research-based and continuously updated. Write to us — we'll activate the training for your program owners.

Inquire now →

For the general workforce: test the security awareness training for free →