Prepare for Phishing Attacks with Simulations & Training Courses


LUCY provides a “safe learning environment” where employees can experience what real attacks would feel like. With our variety of predefined, multilingual attack simulations you can test whether your employees are really familiar with the dangers of the Internet.

LUCY enables you to simulate the full threat landscape that goes beyond just simple phishing emails:

  • Portable media attacks

  • SMiShing

  • Data entry attacks

  • Hyperlink attacks

  • Powerful URL redirection toolkit

  • Mixed attacks

  • File-based attacks

  • Double barrel attacks

  • Java-based attacks

  • PDF-based attacks

  • Ransomware simulation attacks

  • Data entry validation toolkit

  • Multilingual Attack Template Library

  • Sector and division specific templates

  • Simultaneous attack template usage

  • Attack URL variations

  • URL shortening

  • Pentest kit

  • Website cloner

  • Level-based attacks

  • Spear phishing simulation

  • DKIM / S / MIME Support for Phishing e-Mails

  • Mail scanner

  • Custom homepage creation

  • null


    Portable media attacks

    Hackers can use portable media drives to gain access to sensitive information stored on a computer or network. LUCY offers the option to perform portable media attacks where a file template (e.g., executable, archive, office document with macros, etc.) can be stored on a portable media device such as USB, SD card, or CD. The activation (execution) of these individual files can be tracked in LUCY.

  • null



    Smishing is, in a sense, “SMS phishing.” When cybercriminals “phish,” they send fraudulent e-mails that seek to trick the recipient into opening a malware-laden attachment or clicking on a malicious link. Smishing simply uses text messages instead of e-mail.

  • null


    Data entry attacks

    Data entry attacks can include one or more web pages that intercept the input of sensitive information. The available web pages can be easily customized with a LUCY web editor. Additional editing tools allow you to quickly set up functions such as log-in forms, download areas, etc. without HTML knowledge.

  • null


    Hyperlink attacks

    A hyperlink-based campaign will send users an e-mail that contains a randomized tracking URL.

  • null


    Powerful URL redirection toolkit

    LUCY’s flexible redirection functions allow the user to be guided, at the right moment, to the desired areas of attack simulation or training. For example, after entering the first 3 characters of a password in a phishing simulation, the user can be redirected to a special training page about password protection.

  • null


    Mixed attacks

    Mixed attacks allow a combination of multiple scenario types (file-based, data entry, etc.) in the same campaign.

  • null


    File-based attacks

    File-based attacks allow the LUCY administrator to integrate different file types (office documents with macros, PDFs, executables, MP3s, etc.) into mail attachments or websites generated on LUCY and to measure their download or execution rate.

  • null


    Double barrel attacks

    This feature makes it possible to send multiple phishing e-mails in each campaign, with the first benign e-mail (the bait) containing nothing malicious and not demanding a reply from the recipient.

  • null


    Java-based attacks

    Java-based attacks allow the LUCY administrator to integrate a trusted applet within the file-based or mixed attack templates provided in LUCY and to measure their execution by the user.

  • null


    PDF-based attacks

    PDF-based phishing attacks can be simulated with this module. LUCY allows “hiding” executable files as PDF attachments and measuring their execution. Furthermore, dynamic phishing links can be also generated within PDFs.

  • null


    Ransomware simulation attacks

    LUCY has two different ransomware simulations, one of which tests the staff, and the other, the infrastructure.

  • null


    Data entry validation toolkit

    In phishing simulations, false positives must be prevented for log-in fields (e.g., logging with invalid syntax). The company guidelines may also forbid the transmission of sensitive data such as passwords. For this purpose, LUCY provides a flexible input filtering engine that offers a suitable solution for every requirement.

  • null


    Multilingual Attack Template Library

    LUCY comes with hundreds of predefined attack templates in more than 30 languages in the categories of data entry (templates with a website), file-based (e-mails or websites with a file download), hyperlink (e-mails with a link), mixed (combination of data entry and download), and portable media.

  • null


    Sector and division specific templates

    Attack templates are available for specific industries or divisions.

  • null


    Simultaneous attack template usage

    LUCY gives you the option to use multiple simulated attack templates in a single campaign. Mix the different types (hyperlink, file-based, etc.) with different attack themes to achieve the largest possible risk coverage and a better understanding of employee vulnerabilities. In combination with our scheduling randomizer, complex attack patterns can be executed over a longer period of time.

  • null


    Attack URL variations

    Take control of the generated URLs to identify the recipients. Use automated short (< 5 characters) or long URL strings or set individual URLs for each user. The manual URL creation allows you to form links that a user can easily remember. In environments where link clicks are disabled in e-mails, this is a must.

  • null


    URL shortening

    URL shorteners are a relatively new Internet service. As many online social services impose character limitations (e.g., Twitter), these URLs are very practical. URL shorteners, however, can be used by cyber criminals to hide the real target of a link, such as phishing or infected websites. For this reason, LUCY offers the possibility to integrate different shortener services within a phishing or smishing campaign.

  • null


    Pentest kit

    The pentest kit is a submodule of the malware simulation toolkit and goes by the name “Interactive Sessions.” It allows you to communicate interactively with a client pc that sits behind firewalls by using reverse http/s connections.

  • null


    Website cloner

    Quickly create highly professional landing pages for your campaigns. Clone existing websites and add additional layers with data entry fields, files for download, and more.

  • null


    Level-based attacks

    Level-based phishing training for employees serves to make the risk of social hacking measurable. Scientific analysis should also identify the most important risk factors so that individual training content can be offered automatically.

  • null


    Spear phishing simulation

    The Spear Phish Tailoring works with dynamic variables (gender, time, name, e-mail, links, messages, division, country, etc.) which you can use in landing and message templates.

  • null


    DKIM / S / MIME Support for Phishing e-Mails

    Digital signatures for e-mails: Send signed phishing simulation mails (s/mime). Use DKIM to get a better sender score.

  • null


    Mail scanner

    Curious which e-mail addresses in your organization can be found on the Internet? Use LUCY’s mail scanner and find out what a hacker already knows about your company.

  • null


    Custom homepage creation

    Recipients with a better technical understanding could use their browser to call the domain or IP address associated with the randomly generated phishing link. To prevent error messages from appearing or the end user from even coming to the login area of the admin console, you can create generic “homepages” within LUCY for the domains used in the phishing simulation.

Create custom templates in minutes

Make your own phishing templates with our editor and simulate any type of phishing attack.
No special technical skills are necessary.

Clone a webpage

LUCY allows you to make funcional website copies with a single click, enabling you to simulate real spear phishing attacks.

Insert trackable content

Measure how long a user stays on any particular website or track specific downloads.

Use pre-defined login forms

Add a functional login form to any page. It's a one-click process, and you can choose from several designs.

Insert non-malicious trojan simulation

The malware simulation toolkit is capable of emulating various threats. It allows an auditor to access an advanced set of features equivalent to many of the tools employed by criminal gangs.

So, how does such a simulated
phishing attack work?


Discuss your requirements

Phishing simulations provide quantifiable results that can be measured. Our available simulations include SMS Phishing, Corporate Phishing (simulated e-mails that appear to come from “inside” your own organization), Board Member Spear Phishing (target a handful of senior individuals in a position of influence) Ransomware Simulation, Personal Phishing (simulations aimed to use well-known brands like Amazon, Apple, eBay, etc.), and many more techniques. These measurements allow improvement to be identified and tracked. The consultative approach our team takes will ensure all phishing simulations and campaigns are bespoke to the threats facing your organization. Prior to the phishing simulation, the needs and objectives are clarified and coordinated with the planned activities. The goal is to define the key elements of the campaign:

  • Attack or educate first? A simulation test may start with introductory training where employees are educated about e-mail safety and phishing implications. An organization may also set up an anti-phishing e-mail account where employees can readily share their experiences, suspicions, and other requirements concerning cyber threats before starting the simulation.
  • Frequency of the simulation: Simulation frequency should be adjusted based on perceived threats. User coverage and simulation frequency should be determined in correlation to the perceived risk (e.g., Finance & Payments – 2 themes / X months, senior leadership – 1 theme / X months). High risk functions / departments and individuals handling important roles in the organization should be covered more frequently as part of the simulation.
  • Length of the simulation: Most phishing simulation tests are usually planned out over a period of 12 months. However, there can be certain ad-hoc campaigns which are situational.
  • Timing—when to send e-mails? When planning the campaign for each function / department or individual, phishing e-mails should be innitiated with the elements “Day of the week” and “Time of the day.”
  • Following Up: A phishing simulation campaign may need to be followed up by relevant e-mails from the IT department informing involved employees about the reality of phishing e-mails and what is expected of them in return. If users are repeatedly failing, plan a discussion with them to understand what difficulties they are experiencing and why. Accordingly, arrange for awareness / training sessions for those users.
  • Consistency with current policies: Once implemented, the process needs to be executed evenly to everyone in scope. Integration into existing information security policies and procedures will also help to give additional importance to the campaign.
  • Choose the right phishing theme: Please see next section.
  • Corporate communication: Before initiating the phishing simulation campaign, work out a communication plan about the phishing simulation with the head of function / department. Employees need to be made aware of the new process, what the expectations are, what the consequences of non-compliance include, and when it takes effect.
  • Targeted group: If the campaign targets a large group of users belonging to the same function / department, they might inform others in the group. Therefore, phishing e-mails should not be forwarded to the entire company as it sparks suspicion. Instead, the process should be organic and must target a small group of select employees at any one time.
  • Ensure top level commitment: Management support is critical to ensuring that the process is effective. Therefore, higher-tier users need to have a willingness to follow through.
  • Technical preparations: White-listing of phishing domains, creation of test accounts, mail delivery tests are some of the activities that need to be carefully planned.


Select your theme for the simulated attack

In every phishing simulation activity the theme plays an important part in meeting the end objective of educating users on real threats. To provide a real-world experience and awareness the selected phishing simulation theme should align with an event or context relevant to the targeted individual or group. Here are some points to consider for effective simulation activities:

  • Any theme chosen for a phishing simulation should be aligned with business context and perceived risk to the user’s role / function / department.
  • The selected phishing simulation theme should have relevance to the targeted individual or group.
  • To achieve better results and learning experience, the complexity of the selected theme should be gradually brought to a higher level.
  • Starting with a highly complex phishing theme will make many fail and will not achieve the end objective.
  • Each deceiving element of a phishing e-mail needs to be combined with other tricks typically used by attackers (e.g., look-alike domain with camouflaged hyperlink, spoofed domain with double extension file, etc.).
  • Each simulation activity should be time bound; contextual themes conducted outside of a defined timeline will lose their value.


Select your additional services

The LUCY phishing simulation can be combined with services that will help the company to better assess the risk. Here are a few examples:

  • Individual trainings: Each employee can be individually trained in advance or directly as a follow-up to the attack simulation. The contents of the training courses can be adapted to the existing company policies. Interactive tests can record the level of knowledge.
  • Mail and web filter test: It provides technical analysis of the possible entry channels for malware. Which file types can be delivered via e-mail? Which dangerous file types can be downloaded?
  • Local security test: What is the effective risk if an employee executes a dangerous file type? How well does technical protection work to prevent data leakage?
  • Analysis of attack potential: Which sensitive employee information can be viewed on the Internet? What do employees communicate via a company e-mail address when on the Internet?
  • Analysis of security culture: The current security culture is to be recorded and evaluated by means of interviews, surveys, and analyses of existing guidelines.
  • Darknet analysis: We search the Darknet for existing data leaks and thus show a comprehensive risk picture, which does not only include the inside view.
  • Fully managed repeating campaigns: Do you prefer recurring campaigns that are completely managed by us? You are welcome to outsource the topic IT Security Awareness completely to us.


Get started!

We are happy to advise you on the most suitable services. Please contact us via the form below or call us at +1 512-917-9180 (USA) or +41 44 557 19 37 (Europe).

in our

in Lucy