100% completion ≠ reduced risk. It proves you ran training. It doesn’t prove people behave differently when it counts. Why completion isn’t enough: It’s an input metric. You’re measuring if people took training, not what they do after. It creates a false sense of security and invites executive optics - clean number, messy reality. 📊 What to track instead (behavior > box-ticking) - Reporting rate on phishing simulations and real threats (success, not failure). The latest DBIR report shows trained people report ~4× more - so measure the lift. - Time to first report (dwell time) on real phishing: how fast your human sensors alert SecOps. Faster = real risk reduction. - Pair hard metrics with attitudes/culture signals (surveys, focus groups) so you know why behaviors look the way they do. How to sell it internally: Run a small, controlled experiment and show outcomes. If leadership still wants “one number,” roll up a behavior scorecard (reporting rate + dwell time + key control behaviors) and show the trend. And resist the urge to coerce. Don’t force - design for motivation, mastery, and ease (self-determination > scare tactics). You’ll get both engagement and behavior. Bottom line: Completion checks the compliance box. Behavior metrics prove risk goes down. If your dashboard can’t tell those two stories apart, it’s time to upgrade what you measure and what you celebrate. Listen to full podcast here 👉 https://hubs.ly/Q03P3MSd0
Hoxhunt
Computer and Network Security
Helsinki, Southern Finland 10,664 followers
Personalized security awareness & phishing training experiences that employees love.
About us
Hoxhunt is a human risk management platform that goes beyond security awareness to drive behavior change and measurably lower risk. We combine AI and behavioral science to create individualized micro-training experiences people love. Employees learn to detect and report advanced phishing attacks. Operations teams respond fast with limited resources. And security leaders gain outcome-driven metrics to document reduced cybersecurity risk. Hoxhunt works with leading global companies such as Airbus, IGT, DocuSign, Nokia, AES, Avanade, and Kärcher and partners with leading global cybersecurity companies such as Microsoft and Deloitte.
- Website
- https://www.hoxhunt.com?utm_source=linkedin&utm_medium=social
- Industry
- Computer and Network Security
- Company size
- 201–500 employees
- Headquarters
- Helsinki, Southern Finland
- Type
- Privately Held
- Founded
- 2016
Products
Hoxhunt
Security Awareness Training Software
Hoxhunt is a human risk management platform that goes beyond security awareness to drive behavior change and (measurably) lower human risk. Data breaches start with people, so Hoxhunt does too. We use behavioral science and AI to create personalized, gamified training experiences employees love. Employees learn to detect and report advanced phishing attacks, while operations teams respond faster with fewer resources. Hoxhunt works with leading global companies such as Airbus, IGT, DocuSign, Nokia, AES, Avanade, and Kärcher and partners with leading global cybersecurity companies such as Microsoft and Deloitte.
Locations
-
Primary
Porkkalankatu 3
Helsinki, Southern Finland 00180, FI
-
1 St Katharine's Way
London, England E1W 1UN, GB
-
3601 Minnesota Dr
Suite 435
Minneapolis, Minnesota 55435, US
Updates
-
Immersive deepfake attack training like never before... your boss calls you on Teams with an urgent request. It’s their face and their voice. Why would you suspect anything? It’s fake. The face is virtual, the voice is cloned. Even the Teams call is controlled by the attacker. This is our Deepfake Attack Simulation. Our custom attack service brings awareness and experience-based training on the future’s biggest social engineering threat. What’s in the simulation: - A custom phishing email luring the target into a video call - Video deepfake of a manager, executive or other authority including voice cloning - A mock video call page prompting the target to take the urgent action - After the experience, Hoxhunt provides in-depth training on all the modern dangers simulated in the attack. Deepfake Attack Simulations train on deepfake threats in a safe, controlled environment... providing a safe space to question authority when things feel off. Find out more here 👉 https://hubs.ly/Q03NFywQ0
-
-
QR phishing isn’t new; it’s the same old phish hiding in a square. We broke down how it works and shipped a free QR-sticker drill to build the pause → verify → report habit across your org. What’s going on: QR codes show up everywhere (emails, posters, parcels, parking meters, event signage) and push you to spoofed logins or malware. Mobile UX hides the full URL; filters can’t see the final action. What “good” looks like for defenders: Coach people to never log in from a poster/menu; prefer official apps/bookmarks; spot off-brand/typosquat domains; and report in one tap. 💡 Run low-friction QR-sticker simulations in high-traffic areas. Optimize for reporting rate and time-to-report - not “gotcha” clicks. Our Human Risk Benchmark - spanning 21M+ simulations and 2M+ users in 125 countries - shows behavior-first programs lift real outcomes: users become ~6× less likely to click and ~7× more likely to report suspicious content, cutting exposure to malicious links and fake websites. We turned the playbook into a quick read with real examples + printable stickers you can use this month. Get stickers here 👉 https://hubs.ly/Q03MtSwh0
-
-
Gamification works - when it’s not just points and badges. If the “game” rewards activity divorced from defense, you build noise. If it rewards the right action at the right time, you build habits. Game mechanics that move security outcomes: - Core action first: reward fast, accurate reporting of suspicious emails; everything else is decoration. - Progression, not grind: levels and variable rewards that get harder as skill increases. - Streaks that teach consistency: protect them with fair grace periods. - Immediate feedback loop: in-the-moment coaching + instant reinforcement for correct actions. Read our guide to effective gamification here 👉 https://hubs.ly/Q03MlYhs0
-
-
Real-time coaching > after-the-fact training. But cadence makes or breaks it. Security habits change when the feedback arrives during the behavior, not a week later. The trap: crank frequency until people tune out. The win: immediate, actionable coaching with adaptive frequency. What “real-time” actually means... 1) Trigger on behavior: click or report → instant micro-coach overlay. 2) Keep it under 45–60 seconds: one insight, one action, one example. 3) Show the tell: highlight the exact indicators (display name spoof, URL mismatch, tone shift). 4) Reinforce reporting: celebrate time-to-report, not “zero clicks.” 5) Cadence that changes habits (without being annoying) 6) Start small: 2–3 touchpoints per user/month. 7) Vary the stimulus: mix real threats, simulations, and role-specific lures to prevent habituation. Link to full podcast episode in comments below 👇
-
🐟 PHISH OF THE WEEK: Fake Google Careers Recruiter Scam Cybercriminals are impersonating Google Careers to harvest personal data and steal Google credentials - then hide the theft behind a fake calendar confirmation. How this attack works: 1️⃣ Email lure: Message claims to be from a Google Careers recruiter but is sent via mc.salesforce.com (Salesforce Marketing Cloud) → sender identity mismatch and a generic role with no requisition ID. 2️⃣ Fake scheduling site: Link opens a look-alike Google Careers page on an unrelated domain to collect full legal name, business email, and phone number. 3️⃣ Credential harvest: Victims are funneled into a phony Google sign-in to capture username and password. 4️⃣ Deceptive finish: A fake “You’re all set” calendar screen provides false reassurance and masks the compromise. What makes this campaign dangerous: ⚠️ Job-seekers expect outreach from big-name recruiters. ⚠️ Clean replicas of Google UI, copy tone, and flows across email → site → login → calendar. ⚠️ Personal-info form + staged sign-in + calendar “confirmation” lowers skepticism at each step. ⚠️ Stolen Google creds can unlock SSO, Drive, Gmail, and downstream SaaS; pivot to data exfiltration and invoice fraud. Red flags to watch for: 🔴 Sender domain ≠ employer (e.g., mc.salesforce.com vs. google.com). 🔴 “Schedule a call” links that don’t resolve to careers.google.com. 🔴 Requests for PII before any verified job posting or portal login. 🔴 Sign-in pages reached from email instead of navigating directly. 🔴 Calendar confirmations generated outside your org’s workflow. Do this instead: Open a new tab and go directly to the company’s careers portal; search the role ID. Use a password manager - it won’t autofill on impostor domains. Report and delete the email in your mail client; notify security if credentials were entered. How confident are you that your team can spot recruiter-impersonation chains that blend marketing-cloud senders, fake portals, and calendar bait? 
At Hoxhunt, we turn real threats like this into interactive training that hardens behavior against multi-stage social engineering across personal and work accounts. 👉 See how we turn threats into training: https://lnkd.in/emGG5a7h
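The first two red flags listed in the post above (sender domain ≠ employer, and "Schedule a call" links that do not point at careers.google.com) can be checked mechanically. The following is an added Python example, not Hoxhunt's code; the sample message, the `recruiter-portal.example` host and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions for this example: the brand the mail claims to come from,
# the domain that brand really sends from, and its careers portal host.
BRAND = "google"
BRAND_DOMAIN = "google.com"
CAREERS_HOST = "careers.google.com"

# Constructed sample message (not a real capture); the link host is a placeholder.
SAMPLE = """\
From: "Google Careers" <recruiting@mc.salesforce.com>
To: candidate@example.org
Subject: Schedule a call about an open role
Content-Type: text/html

<p>Hi, we would like to discuss a role with you.</p>
<a href="https://recruiter-portal.example/google-careers/schedule">Schedule a call</a>
"""

def in_domain(host, domain):
    """True if host is the domain or a subdomain of it (match on a label boundary,
    so 'google.com.evil.example' does not count as google.com)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def red_flags(raw):
    """Return the red flags found in a raw, single-part HTML message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    flags = []
    # Flag 1: display name claims the brand, envelope domain belongs to someone else.
    if BRAND in display.lower() and not in_domain(sender_domain, BRAND_DOMAIN):
        flags.append(f"sender-domain-mismatch:{sender_domain}")
    # Flag 2: a scheduling link whose host is not the real careers portal.
    body = msg.get_payload()
    for url, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = urlsplit(url).hostname or ""
        if "schedule" in text.lower() and host != CAREERS_HOST:
            flags.append(f"schedule-link-off-portal:{host}")
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

A check like this only covers the header and link mismatches; the PII form, staged sign-in and calendar confirmation described in the post happen on the landing site and are not visible in the message itself.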
-
Phishing simulations aren’t the problem. Bad design is. A recent WSJ piece questions security awareness training. The real fix isn’t to cancel training - it’s to kill the gotcha model and build programs that change behavior. What works (and scales): - Frequency over annuality: monthly micro-drills beat once-a-year videos. - Relevance + adaptivity: role-specific lures and progressive difficulty. - Psych safety > shame: no public call-outs; reward fast reporting. - One-click reporting into SOC workflows - Interactive coaching: 30-second, hands-on feedback If your program optimizes embarrassment over defense, you’re training the wrong behavior. Redesign it - don’t retire it. Here's what happened when The AES Corporation tested Hoxhunt against their previous security awareness training... Reporting rate increased by 526% to 60.5%. Failure rate decreased by 79% to 1.6%. Miss rate decreased by 58% and resilience ratio increased by 2533%, from 1.5 to 38. Full breakdown → https://hubs.ly/Q03MjG2p0
-
-
🎯 Don't miss this at it-sa – Home of IT Security Expo! TODAY at 3 PM (Forum E, Booth 9-105), Marcus Beyer, Security Awareness Training Officer at Swisscom, takes the stage to share real-world insights on transforming phishing training. Session: "Phishing Training in Context - Practical Example from Swisscom" 📅 Tue, 10/07/2025, 15:00 - 15:15 📍 Forum E, Booth 9-105 The results speak for themselves: → 85% reporting rate → 10x reduction in phishing simulation fail rates → Seamless integration for Swiss/DACH workforce → High engagement through gamification Marcus has built something special at Swisscom: Phishing Training that's practical, measurable, and woven into daily workflows - creating lasting awareness and a resilient security culture. Want to see how Hoxhunt powers programs like this? 📊 Program details: https://lnkd.in/eDxwDTGB #itsaExpo #SecurityAwarenessTraining #Cybersecurity #Hoxhunt
-
Here’s how to actually win Cybersecurity Awareness Month (and have people enjoy it)... • Launch something new while security’s top of mind → higher adoption (think: tool rollout, policy update, or a clean reporting flow). • Make it playful: a cyber escape room or scavenger hunt + small prizes = outsized engagement. • Experiment and measure: prioritize impact over activity count; test, learn, share results with leadership. • Plan for the marathon, not the sprint: focus your core weeks, then keep momentum year-round to build culture that lasts. We bundled the templates, comms, activities, and measurement tips so you don’t have to start from scratch. Grab the free toolkit 👉 https://hubs.ly/Q03Mf-7Y0
-
When your clients are global financial heavyweights, “good enough” security doesn’t cut it. Bird & Bird - an international law firm - rebooted their approach with a people-first Human Risk Management program. Result: measurable behavior change, happier users, stronger risk posture. What changed (fast): - Real-threat detection: +1400% (from 60 to 900 reports/month) - Resilience ratio: +613% - Success rate: +41.7% - Failure rate: –80% - Miss rate: –33% - Median reporting time: 6h 35m Why it worked: Hoxhunt rewards good clicks, coaches the bad with micro-trainings, and keeps difficulty adaptive - so engagement compounds into culture. “People still say, I love Hoxhunt phishing simulations! That’s the best statistic of all.” - Martyn Styles, Head of Information Security, Bird & Bird 60% of users reported a suspicious or malicious email within a year of starting training. That’s how you turn a workforce into a human detection network. See how Hoxhunt works here: https://hubs.ly/Q03M2N2J0
-
Funding
Last round
Series B: $40,000,000.00