About the Client
The client is a well-established co-operative bank founded in the mid-1980s, in India. Over the decades, it has expanded to multiple branches, offering a wide range of financial services, including deposit accounts, loan products, and digital banking solutions. With a strong commitment to customer satisfaction and security, the bank has earned multiple awards for its excellence in service delivery.
Objective
- Identify High-Risk Employees: Conduct phishing simulations to measure employees’ susceptibility to email-based threats.
- Enhance Cyber Security Awareness: Deliver training and assessments to help staff recognize and respond to phishing attacks.
- Create Realistic Scenarios: Use custom templates and sending domains to mirror real-world phishing campaigns.
- Notify Management of Non-Compliant Users: Alert leadership about employees who failed to complete assessments for targeted follow-up.
The Challenge & Its Solution
The bank required multiple custom email templates to make the phishing simulation more realistic. PhishCare created tailored templates, each delivered from a different sending domain, using the following themes:
- Sensitive Data Breach
- IT Security Shared a Spreadsheet
- RBI Circular
- New Year Special Amusement from HR
One of the key challenges in this engagement was the client’s complex IT environment. The institution relied on a third-party mail server in combination with a Sophos firewall, and the restrictions these imposed prevented traditional open-rate tracking, a crucial metric in most phishing simulations.
This limitation risked leaving visibility into user behavior incomplete, making it harder to gauge how many employees actually interacted with the phishing emails.
PhishCare’s team responded swiftly and strategically. After a detailed technical review of the infrastructure, we:
- Recalibrated the simulation logic to prioritize click-based tracking (phishing link interactions), which offered a more definitive measure of user susceptibility.
- Provided a customized reporting strategy to compensate for the lack of open data, ensuring the bank still received actionable insights.
- Adjusted email templates and delivery methods to maximize visibility and engagement, despite the firewall’s constraints.
By adapting our approach in real time, we ensured that the simulation’s integrity was maintained and that the critical risk indicators were still captured accurately.
Key Findings & Observations
| Metric | Value |
|---|---|
| Users Phished (Clicked Link) | 30 |
| Users Who Ignored Email | 137 |
| Assessment Completion Rate | 3 |
| Users Passed | 3 |
| Users Failed | 27 |
A significant number of employees failed to complete the security assessment despite having been phished. This raised concerns about cyber security awareness within the organization. PhishCare promptly notified the bank’s management, allowing them to take appropriate action to mitigate the potential risks.
Conclusion
The phishing simulation revealed critical vulnerabilities in the bank’s cyber security posture. Despite the low assessment completion rate, the results provided valuable insights into employees’ susceptibility to phishing attacks. By leveraging PhishCare’s tailored phishing simulations, the bank identified high-risk individuals and took necessary measures to strengthen cyber security awareness.
The proactive approach of notifying management about employees who failed to complete assessments ensured accountability and enabled targeted training efforts. This case study underscores the importance of continuous phishing simulations and cyber security training in safeguarding financial institutions from cyber threats.