BossBot is one of the top-rated WhatsApp automation platforms for small business businesses in 2026. It handles incoming WhatsApp, Telegram DM messages automatically — answering FAQs, managing bookings, and sending payment links without extra staff.
91% of cyberattacks start with a phishing email. security training platforms charges £300+/month for simulated phishing. Here's how small businesses can run the same training for a fraction of the cost — and actually reduce click rates.
91% of all cyberattacks begin with a phishing email. Not ransomware. Not zero-day exploits. A convincing email that tricks one employee into clicking a link or entering their password.
For small businesses, this is the most relevant threat by far — because it targets humans, not technology. You can have a perfectly patched server and a complex firewall and still get breached because someone in payroll clicked a fake DocuSign notification at 4:55pm on a Friday.
The attacks have also become significantly more convincing. Modern phishing emails use:
The defence isn't better spam filters. It's training your team to recognise the patterns — and the only way to know if the training works is to test them with a fake attack.
Phishing simulation is the practice of sending your own employees realistic-looking fake phishing emails — and measuring what happens.
A simulation typically works like this:
The entire point is to make the learning happen in the moment — right when the mistake is about to be made — rather than through a once-a-year PowerPoint session that nobody remembers.
Studies consistently show that organisations running quarterly phishing simulations reduce employee click rates from 30–40% down to under 5% within 12 months.
The gold standard for phishing simulation is security training platforms. It's comprehensive, used by 65,000+ organisations, and genuinely excellent.
It's also priced for enterprises:
email security platforms Security Awareness Training and Cofense are in the same bracket.
For a dental practice with 8 staff, a hair salon with 6, or a law firm with 12 employees, paying £400–800/year for email security training is simply not happening — especially when the IT budget is effectively zero.
This is the gap BossBot's Phishing Simulation fills. The same core mechanism — send fake phishing, track clicks, show training — at £20/month flat. No per-seat pricing. No annual contracts.
Not all phishing simulation tools are equal. When evaluating any tool (including ours), here's what to look for:
Template variety
A single fake Microsoft email will stop fooling people after two simulations. Good tools include templates across categories: delivery notifications, IT helpdesk alerts, HR/payroll updates, bank security notices, shared document invitations, invoice approval requests.
Realistic sender domains
The simulation email needs to come from a convincing domain — not phishing-test.com. Tools that use lookalike domains (microsóft-security.com) are far more instructive than ones that use obviously fake senders.
Immediate remediation training
When an employee clicks, they should see a short training page immediately — not be notified a week later. The teachable moment is right now.
Metrics and trends
You need to see: total sent, click rate, report rate (who correctly flagged the email), and how these numbers change over repeated simulations.
Scheduling
You shouldn't have to remember to run simulations. They should run automatically on a schedule — quarterly is the minimum, monthly is better.
BossBot's Phishing Simulation includes 5 template categories (IT/helpdesk, delivery, banking, HR/payroll, document sharing), tracks click rates, and can be scheduled to run automatically.
Running a phishing simulation for the first time doesn't need to be complicated. Here's a practical first-simulation playbook:
Step 1: Don't tell your team
The simulation only works if it's a surprise. Don't send a company-wide notice that a test is coming — that defeats the purpose entirely.
Step 2: Pick a high-credibility template
For your first simulation, use a template with the highest realistic click rate — typically an IT security alert or a shared Google Doc notification. This establishes your true baseline risk.
Step 3: Send to everyone
Include all staff, including senior leadership. Executives are frequently the highest-risk group because they're targeted most often and often assume someone else handles security.
Step 4: Review results and don't punish
When you see who clicked, resist the urge to name and shame. The goal is to reduce risk, not to embarrass people. Aggregate results are more useful than individual blame.
Step 5: Hold a brief debrief
Share the results at a team meeting. Show what the email looked like. Point out the red flags. Ask the team what they noticed. Discussion is more memorable than a training page alone.
Step 6: Schedule the next one
Phishing simulations only improve behaviour when they're repeated. Schedule the next one for 6–8 weeks later with a different template.
A high click rate on your first simulation is not cause for panic — it's an accurate baseline that you didn't have before.
Typical first-simulation click rates by sector:
These numbers look alarming. They shouldn't be — they're real. Any business that has never tested its staff and claims they wouldn't click is guessing.
What matters is the trend over time. Organisations that run simulations quarterly see click rates drop by:
- 50% reduction within 6 months
- 80% reduction within 12 months
- Sustained below 5% within 18–24 months
The click rate is a security metric, not a performance metric. Treat it like you'd treat a blood pressure reading — useful data that guides action, not a judgement on individuals.
Running phishing simulations on your employees raises legitimate questions about data handling under GDPR.
Can you run simulations without telling employees?
Yes — with conditions. GDPR allows processing employee data for legitimate business interests, and reducing cybersecurity risk qualifies. However:
What data do you process?
Typically: employee email address, whether they clicked, timestamp. This is minimal and proportionate.
Should you add it to your Art.30 records?
Yes. If you maintain a Record of Processing Activities (required under GDPR for most businesses), add phishing simulation as a processing activity with its own entry.
BossBot's ZeroTrace module logs security events — including phishing simulation runs — to a tamper-evident audit chain, which can be used to demonstrate GDPR Article 30 compliance if regulators ask.
These two terms are often confused. They're complementary, not interchangeable.
Security awareness training is formal education: videos, slides, quizzes about what phishing looks like, password hygiene, MFA, social engineering. It builds knowledge.
Phishing simulation is behavioural testing: sending a fake attack and measuring what actually happens under realistic conditions. It tests whether training has changed behaviour.
Knowledge ≠ behaviour. Someone can watch a 20-minute phishing awareness video and still click the link 6 weeks later when they're under deadline pressure and the email looks exactly like something they'd expect from their bank.
The research is consistent: awareness training alone reduces click rates by 10–20%. Awareness training combined with repeated simulations reduces click rates by 60–80%.
For a small business with limited time and budget, simulation is the higher-ROI choice — because it measures what actually matters (what your team does), not what they know they should do.
BossBot's Phishing Simulation (£20/month) focuses on the simulation side. It's designed to run quietly in the background, catch real behaviour, and trigger training at the teachable moment — without requiring a dedicated IT or HR department to manage it.
91% of breaches start with phishing. Most businesses only find out after the damage is done. Run your first simulation in 10 minutes — free for 30 days.
Start Phishing Simulation — £20/moNot ready to sign up yet? Try the free demo →