phishing simulation · phishing training · 2026-06-01 · 8 min read

Phishing Simulation Training for Small Business: A No-Nonsense Guide for 2026

91% of cyberattacks start with a phishing email. KnowBe4 charges £300+/month for simulated phishing. Here's how small businesses can run the same training for a fraction of the cost — and actually reduce click rates.

Why Phishing Is Still the Number One Threat in 2026

91% of all cyberattacks begin with a phishing email. Not ransomware. Not zero-day exploits. A convincing email that tricks one employee into clicking a link or entering their password.

For small businesses, this is the most relevant threat by far — because it targets humans, not technology. You can have a perfectly patched server and a complex firewall and still get breached because someone in payroll clicked a fake DocuSign notification at 4:55pm on a Friday.

The attacks have also become significantly more convincing. Modern phishing emails use:

- **Real company logos** scraped from your website
- **Personalised sender names** ("Hi Sarah, it's Mike from IT")
- **Urgency triggers** ("Your account will be suspended in 24 hours")
- **Lookalike domains** (paypa1.com, microsoít.com)
- **AI-generated copy** that passes grammar checks

The defence isn't better spam filters. It's training your team to recognise the patterns — and the only way to know if the training works is to test them with a fake attack.
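Lookalike domains are the one item in that list a mail gateway or a reporting workflow can check mechanically. The following Python is an added example, not code from this article or from BossBot's product: it folds a sender domain into a canonical form (accents stripped, common digit-for-letter and letter-pair substitutions undone) and compares it against a constructed allowlist of domains the business genuinely expects mail from. The allowlist, the confusable map and the sample senders are assumptions; the two lookalike domains are the ones quoted in this section.

```python
import re
import unicodedata

# Domains this organisation legitimately receives mail from (constructed sample
# allowlist; a real deployment would load this from configuration).
TRUSTED_DOMAINS = ["paypal.com", "microsoft.com", "docusign.com", "dhl.com"]

# Substitutions commonly used to imitate a trusted name. Hypothetical, non-exhaustive
# map of digits and letter pairs that look alike at a glance.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def to_unicode(domain: str) -> str:
    """Decode punycode labels (xn--...) so accented lookalikes can be folded."""
    if "xn--" in domain:
        try:
            return domain.encode("ascii").decode("idna")
        except UnicodeError:
            return domain
    return domain


def fold(domain: str) -> str:
    """Canonicalise a domain so visual lookalikes collide with the name they imitate.
    The folded form is only ever used for comparison, never treated as the real sender."""
    d = to_unicode(domain.strip().lower().rstrip("."))
    # Strip accents: NFKD splits 'í' into 'i' plus a combining mark, which is dropped.
    d = "".join(c for c in unicodedata.normalize("NFKD", d) if not unicodedata.combining(c))
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one substitution, insertion or deletion away is a classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    raw = domain.strip().lower().rstrip(".")
    for trusted in TRUSTED_DOMAINS:
        if raw == trusted or raw.endswith("." + trusted):
            return ("trusted", trusted)  # the real domain or a genuine subdomain of it

    folded = fold(raw)
    labels = re.split(r"[.-]", folded)  # 'microsoft-security.com' -> ['microsoft', 'security', 'com']
    for trusted in TRUSTED_DOMAINS:
        base = trusted.rsplit(".", 1)[0]  # 'microsoft.com' -> 'microsoft'
        if (folded == trusted
                or folded.endswith("." + trusted)
                or levenshtein(folded, trusted) <= 1
                or base in labels):
            return ("lookalike", trusted)  # imitates a trusted name without being it
    return ("unknown", None)


if __name__ == "__main__":
    samples = ["paypal.com", "paypa1.com", "microsoít.com", "microsóft-security.com", "example.org"]
    for sender in samples:
        print(f"{sender:26} -> {classify_sender_domain(sender)}")
```

A "lookalike" verdict is a good trigger for a visible banner on the message or for routing it to the person who triages reported emails; "unknown" senders are the normal case and should not be blocked on this check alone.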

What Is Phishing Simulation Training?

Phishing simulation is the practice of sending your own employees realistic-looking fake phishing emails — and measuring what happens. A simulation typically works like this:

1. **You choose a template** — a fake DHL delivery notification, a fake Microsoft password reset, a fake payroll update from HR
2. **The system sends it** to your team as if it came from an external sender
3. **Employees who click the link** are redirected to a training page explaining what they missed and why it was suspicious
4. **You get a report** showing who clicked, who reported it, and your overall click rate
5. **You repeat the simulation** over time and watch the click rate drop

The entire point is to make the learning happen in the moment — right when the mistake is about to be made — rather than through a once-a-year PowerPoint session that nobody remembers. Studies consistently show that organisations running quarterly phishing simulations reduce employee click rates from 30–40% down to under 5% within 12 months.

KnowBe4, Proofpoint, and the Enterprise Pricing Problem

The gold standard for phishing simulation is KnowBe4. It's comprehensive, used by 65,000+ organisations, and genuinely excellent. It's also priced for enterprises:

- **KnowBe4 Silver**: starts at approximately £25–35 per user per year
- **For a 15-person team**: £375–525/year minimum, billed annually
- **For a 30-person team**: £750–1,050/year, plus setup and onboarding
- Add-on modules (advanced phishing templates, SCORM compliance training) push the real cost higher

Proofpoint Security Awareness Training and Cofense are in the same bracket. For a dental practice with 8 staff, a hair salon with 6, or a law firm with 12 employees, paying £400–800/year for email security training is simply not happening — especially when the IT budget is effectively zero.

This is the gap BossBot's Phishing Simulation fills. The same core mechanism — send fake phishing, track clicks, show training — at £20/month flat. No per-seat pricing. No annual contracts.

What a Good Phishing Simulation Includes

Not all phishing simulation tools are equal. When evaluating any tool (including ours), here's what to look for:

**Template variety.** A single fake Microsoft email will stop fooling people after two simulations. Good tools include templates across categories: delivery notifications, IT helpdesk alerts, HR/payroll updates, bank security notices, shared document invitations, invoice approval requests.

**Realistic sender domains.** The simulation email needs to come from a convincing domain — not `phishing-test.com`. Tools that use lookalike domains (microsóft-security.com) are far more instructive than ones that use obviously fake senders.

**Immediate remediation training.** When an employee clicks, they should see a short training page immediately — not be notified a week later. The teachable moment is right now.

**Metrics and trends.** You need to see: total sent, click rate, report rate (who correctly flagged the email), and how these numbers change over repeated simulations.

**Scheduling.** You shouldn't have to remember to run simulations. They should run automatically on a schedule — quarterly is the minimum, monthly is better.

BossBot's Phishing Simulation includes 5 template categories (IT/helpdesk, delivery, banking, HR/payroll, document sharing), tracks click rates, and can be scheduled to run automatically.

How to Run Your First Phishing Simulation

Running a phishing simulation for the first time doesn't need to be complicated. Here's a practical first-simulation playbook:

**Step 1: Don't tell your team.** The simulation only works if it's a surprise. Don't send a company-wide notice that a test is coming — that defeats the purpose entirely.

**Step 2: Pick a high-credibility template.** For your first simulation, use a template with the highest realistic click rate — typically an IT security alert or a shared Google Doc notification. This establishes your true baseline risk.

**Step 3: Send to everyone.** Include all staff, including senior leadership. Executives are frequently the highest-risk group because they're targeted most often and often assume someone else handles security.

**Step 4: Review results and don't punish.** When you see who clicked, resist the urge to name and shame. The goal is to reduce risk, not to embarrass people. Aggregate results are more useful than individual blame.

**Step 5: Hold a brief debrief.** Share the results at a team meeting. Show what the email looked like. Point out the red flags. Ask the team what they noticed. Discussion is more memorable than a training page alone.

**Step 6: Schedule the next one.** Phishing simulations only improve behaviour when they're repeated. Schedule the next one for 6–8 weeks later with a different template.

What Click Rates Actually Tell You (And What They Don't)

A high click rate on your first simulation is not cause for panic — it's an accurate baseline that you didn't have before. Typical first-simulation click rates by sector:

- **Healthcare**: 28–35% (high workload, frequent legitimate requests from external systems)
- **Legal**: 20–28% (lower IT literacy on average, high volume of legitimate external emails)
- **Retail and hospitality**: 32–40% (high turnover, limited security culture)
- **Finance**: 18–25% (more security-aware sector)

These numbers look alarming. They shouldn't be — they're real. Any business that has never tested its staff and claims they wouldn't click is guessing.

What matters is the trend over time. Organisations that run simulations quarterly see click rates drop by:

- 50% reduction within 6 months
- 80% reduction within 12 months
- Sustained below 5% within 18–24 months

The click rate is a security metric, not a performance metric. Treat it like you'd treat a blood pressure reading — useful data that guides action, not a judgement on individuals.
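The report in step 4 of the simulation flow, the "metrics and trends" a good tool should show, and the trend this section describes are the same arithmetic over a simulation event log. As an added example, not code from this article or from BossBot's product, the following Python summarises a constructed log of three campaigns sent to ten pseudonymous recipients, deduplicates repeat clicks by the same person, computes click and report rates per campaign, and expresses later campaigns as a reduction against the first one. The campaign names, template labels, recipient IDs and outcomes are all made up for the example.

```python
from dataclasses import dataclass

VALID_EVENTS = {"sent", "clicked", "reported"}


@dataclass
class CampaignStats:
    campaign: str
    template: str
    sent: int
    clicked: int
    reported: int

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent if self.sent else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent if self.sent else 0.0


# Constructed sample data. Recipients are pseudonymous so the summary stays aggregate.
RECIPIENTS = [f"emp-{i:02d}" for i in range(1, 11)]
CAMPAIGNS = [("sim-01", "it-helpdesk"), ("sim-02", "delivery"), ("sim-03", "hr-payroll")]
# (campaign, recipient, event). 'sent' events are generated for everyone in build_log().
OUTCOMES = [
    ("sim-01", "emp-02", "clicked"), ("sim-01", "emp-02", "clicked"),  # same person, counted once
    ("sim-01", "emp-03", "clicked"), ("sim-01", "emp-07", "clicked"), ("sim-01", "emp-09", "clicked"),
    ("sim-01", "emp-05", "reported"),
    ("sim-02", "emp-03", "clicked"), ("sim-02", "emp-09", "clicked"),
    ("sim-02", "emp-01", "reported"), ("sim-02", "emp-05", "reported"),
    ("sim-02", "emp-07", "reported"), ("sim-02", "emp-09", "reported"),  # clicked, then reported
    ("sim-03", "emp-09", "clicked"),
    ("sim-03", "emp-01", "reported"), ("sim-03", "emp-02", "reported"), ("sim-03", "emp-03", "reported"),
    ("sim-03", "emp-05", "reported"), ("sim-03", "emp-07", "reported"), ("sim-03", "emp-08", "reported"),
]


def build_log():
    """Return the constructed event log as (campaign, template, recipient, event) tuples."""
    templates = dict(CAMPAIGNS)
    events = [(c, t, r, "sent") for c, t in CAMPAIGNS for r in RECIPIENTS]
    events += [(c, templates[c], r, ev) for c, r, ev in OUTCOMES]
    return events


def summarise(events):
    """Aggregate an event log into one CampaignStats per campaign, in first-seen order."""
    order, per = [], {}
    for campaign, template, recipient, event in events:
        if event not in VALID_EVENTS:
            raise ValueError(f"unknown event type: {event!r}")
        if campaign not in per:
            per[campaign] = {"template": template, "sent": set(), "clicked": set(), "reported": set()}
            order.append(campaign)
        per[campaign][event].add(recipient)  # sets deduplicate repeat clicks/reports
    return [
        CampaignStats(c, per[c]["template"], len(per[c]["sent"]), len(per[c]["clicked"]), len(per[c]["reported"]))
        for c in order
    ]


def reduction_vs_baseline(stats):
    """Fractional drop in click rate relative to the first campaign (0.5 means halved)."""
    base = stats[0].click_rate
    if base == 0:
        return [0.0 for _ in stats]
    return [(base - s.click_rate) / base for s in stats]


if __name__ == "__main__":
    stats = summarise(build_log())
    for s, drop in zip(stats, reduction_vs_baseline(stats)):
        print(f"{s.campaign} ({s.template:11}) sent={s.sent:2} click={s.click_rate:5.0%} "
              f"report={s.report_rate:5.0%} vs baseline: -{drop:.0%}")
```

The report rate is worth tracking alongside the click rate: a team that reports a simulated email before most people have opened it gives you an early warning channel for real attacks, which a click rate alone does not show.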

Phishing Simulation and GDPR: What You Need to Know

Running phishing simulations on your employees raises legitimate questions about data handling under GDPR.

**Can you run simulations without telling employees?** Yes — with conditions. GDPR allows processing employee data for legitimate business interests, and reducing cybersecurity risk qualifies. However:

- You need a **legitimate interests assessment** on record
- The simulation should be **proportionate** (no deceptive elements beyond what's needed to test behaviour)
- Results should be **kept confidential** and not used for disciplinary purposes
- It's best practice (though not legally required) to mention in your employment contract or security policy that simulated phishing tests may be conducted

**What data do you process?** Typically: employee email address, whether they clicked, timestamp. This is minimal and proportionate.

**Should you add it to your Art. 30 records?** Yes. If you maintain a Record of Processing Activities (required under GDPR for most businesses), add phishing simulation as a processing activity with its own entry.

BossBot's ZeroTrace module logs security events — including phishing simulation runs — to a tamper-evident audit chain, which can be used to demonstrate GDPR Article 30 compliance if regulators ask.

Phishing Simulation vs Security Awareness Training: What's the Difference?

These two terms are often confused. They're complementary, not interchangeable.

**Security awareness training** is formal education: videos, slides, quizzes about what phishing looks like, password hygiene, MFA, social engineering. It builds knowledge.

**Phishing simulation** is behavioural testing: sending a fake attack and measuring what actually happens under realistic conditions. It tests whether training has changed behaviour.

Knowledge ≠ behaviour. Someone can watch a 20-minute phishing awareness video and still click the link 6 weeks later when they're under deadline pressure and the email looks exactly like something they'd expect from their bank.

The research is consistent: awareness training alone reduces click rates by 10–20%. Awareness training combined with repeated simulations reduces click rates by 60–80%. For a small business with limited time and budget, simulation is the higher-ROI choice — because it measures what actually matters (what your team does), not what they know they should do.

BossBot's Phishing Simulation (£20/month) focuses on the simulation side. It's designed to run quietly in the background, catch real behaviour, and trigger training at the teachable moment — without requiring a dedicated IT or HR department to manage it.

Test your team before attackers do

91% of breaches start with phishing. Most businesses only find out after the damage is done. Run your first simulation in 10 minutes — free for 30 days.
