Answers to your questions

Quickly find answers to your questions about cybersecurity, CVE Find, standards, vulnerabilities and Bexxo services in our comprehensive FAQ.

FAQ: Awareness

Are smishing (SMS) and vishing (phone) as dangerous as email phishing?
Yes, and they can be more effective, precisely because people expect them less.

Smishing (SMS): SMS messages have an open rate above 90%, compared to 20 to 30% for emails. Messages typically imitate a delivery alert (postal service, DHL), a banking warning, or a government message. The link redirects to a fake login page. On mobile, the URL is often truncated and difficult to verify.

Vishing (voice): the attacker calls their victim directly, posing as IT support, a bank, or Microsoft. Real-time pressure and the human voice bypass the usual defenses. AI-generated voice deepfakes can now imitate the voice of a known colleague or manager.

The golden rule in both cases: never provide sensitive information following an unsolicited message or call — call the organization back directly via a known official number.
Are technical prerequisites required to follow a training course on Bexxo Academy?
No. Bexxo Academy's learning paths are designed to be accessible to all levels, from employees with no IT background to IT managers. Each path adapts to the participant's profile. Short modules (10 to 20 minutes) integrate easily into a working day without disruption.
Does MFA (multi-factor authentication) really protect against phishing?
Yes, in the vast majority of cases. Even if an attacker obtains your password via a phishing page, they cannot log in without the second factor (SMS code, authenticator app, physical key). MFA blocks 99.9% of automated account attacks (Microsoft 2024). The only exception is real-time phishing (MITM / Adversary-in-the-Middle attack), which intercepts the MFA code at the moment it is entered; this vector remains marginal for SMEs. The recommendation: enable MFA on all professional accounts without exception.
How can you measure the effectiveness of cybersecurity training?

The effectiveness of cybersecurity training can be measured concretely using behavioural indicators:

  • Click rate on simulated phishing — before/after training. A good programme reduces this rate by more than 70% within 6 months.
  • Reporting rate — the number of employees who actively report a suspicious phishing attempt.
  • Academy completion score — percentage of completed modules and quiz results.
  • Trend over time — PhishTrainer dashboard with 12-month history.

These metrics are available in the Bexxo dashboard and can be exported for nDSG compliance reports.

How do I organise a Bexxo Academy training session for my company?
Two options: direct access to the online platform (academy.bexxo.ch) with account creation for your employees and a tracking dashboard; or tailored in-person training at our premises in Ins (BE) or directly at your company. Contact us via the form on this page for a free, no-commitment consultation — we will define the programme best suited to your size and objectives together.
How do you effectively train teams against phishing?
Theoretical training alone is not enough: studies show that employees forget 70% of training content within the week following the session (Ebbinghaus, replicated in numerous e-learning studies). The most effective approach combines simulation and corrective training: send real simulated phishing campaigns (via PhishTrainer), identify employees who click, then automatically redirect them to targeted training (Bexxo Academy). This method reduces the click rate by 60 to 70% in six months (Proofpoint 2024). Regular simulations (4 to 6 per year) maintain the level of vigilance over time.
How do you recognize a phishing email?
The main warning signs are: a sender address slightly different from the original (e.g. support@rnazonl.com instead of @amazon.com), a sense of urgency or threat pushing you to act quickly, a request for your password or banking information, a link URL that does not match the expected site (hover before clicking), spelling or formatting errors. Warning: AI-generated emails are now perfectly written — grammar alone is no longer enough to detect them.
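The sender-address and link-URL warning signs above can be checked mechanically. The following is an added example, not Bexxo or PhishTrainer code: it flags a sender domain that imitates a trusted one and a link whose visible text names a different host than its href. The trusted-domain list, the confusables table, the distance threshold of 2 and the sample HTML are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit
# Assumption: the organisation keeps a list of domains it expects mail from.
TRUSTED = ("amazon.com", "dhl.com", "microsoft.com")
# Constructed table of character sequences that read like another letter at a glance.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")

def skeleton(domain):
    # Collapse confusable sequences so look-alikes land a few edits from the original.
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    """Levenshtein distance, keeping only the previous row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower()
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED):
        return None  # the real domain or one of its subdomains
    close = (t for t in TRUSTED if edit_distance(skeleton(domain), skeleton(t)) <= 2)
    return next(close, None)

def host_of(text):
    text = text.strip()  # urlsplit lowercases the hostname for us
    return (urlsplit(text if "://" in text else "//" + text).hostname or "").removeprefix("www.")

def mismatched_links(html):
    """(shown, actual) pairs where the link text names a host the href does not go to."""
    pairs = [(host_of(text), host_of(href)) for href, text in LINK_RE.findall(html)]
    return [(s, a) for s, a in pairs if HOST_RE.fullmatch(s) and s != a]

def analyse(sender, html):
    target = lookalike_of(sender.rsplit("@", 1)[-1])
    findings = [f"sender domain imitates {target}"] if target else []
    return findings + [f"link shows {s} but goes to {a}" for s, a in mismatched_links(html)]

# Constructed sample; the sender address is the example quoted in the answer above.
SAMPLE_HTML = '<a href="https://login.example.net/a">www.amazon.com/signin</a> <a href="https://dhl.com/t">Track parcel</a>'
print(analyse("support@rnazonl.com", SAMPLE_HTML))
```

A clean result does not clear a message: the remaining warning signs (urgency, credential requests) and well-written AI-generated text are outside what this check sees.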
How does a simulation campaign with PhishTrainer work?
In a few clicks, you configure a campaign: select recipients, choose a fraudulent email template (fake Microsoft login, parcel delivery, HR request…), define the timing. Emails are sent to employees. Every action is recorded: opening, clicking a link, entering data. Employees who interacted immediately receive an educational message. A detailed dashboard presents results by team, department, or business unit.
How does the Bexxo Academy phishing simulator work?
The phishing simulator is integrated into Bexxo Academy and works in synergy with PhishTrainer, our dedicated software. Simulated fraudulent email campaigns are sent to employees — with no real danger. Clicks and actions are recorded, and each employee who clicked immediately receives corrective training. Managers have access to detailed reports by department or team to target training actions. AI-generated phishing emails have a click-through rate 4 times higher than manual emails (APWG / Keepnet 2025).
How is artificial intelligence transforming phishing attacks?
Generative AI has radically changed the phishing threat since 2023. Three major developments:
  • Perfectly written emails — gone are the spelling mistakes that used to help detect phishing. LLMs generate flawless emails in perfect English, adapted to the tone of the targeted company. AI-generated emails have a click rate four times higher than manually crafted ones (APWG / Keepnet 2025).
  • Personalization at scale — AI can analyze a target's LinkedIn profile, public posts, and company website to create an ultra-realistic spear-phishing message. What used to take a human attacker hours now takes seconds.
  • Voice and video deepfakes — vishing calls imitating a manager's voice, or entire video conferences with deepfake avatars, have already been used to trigger fraudulent bank transfers (documented cases in 2024 in Hong Kong: 25 million USD lost).
The direct consequence: human vigilance alone is no longer sufficient. Regular simulation (PhishTrainer) and continuous training (Bexxo Academy) are indispensable to maintain a level of defense adapted to the current threat.
How is the effectiveness of simulations measured over time?
PhishTrainer generates detailed reports after each campaign: open rate, click rate, data entry rate — by team, department, and employee. By running multiple campaigns over 6 to 12 months, you observe the progression: companies that simulate regularly reduce their average click rate by 60 to 70% (Proofpoint 2024). These reports document the evolution of your organization's cybersecurity maturity and can be presented during internal audits or FDPIC controls.
How long does it take to train an SME with 20 to 50 employees?

For an SME with 20 to 50 employees, the typical programme runs over 3 to 6 months:

  • Week 1: set up PhishTrainer, send the first baseline phishing campaign.
  • Months 1-2: Bexxo Academy access for all employees, introductory modules (30 to 45 min per module).
  • Months 3-6: monthly phishing campaigns, targeted reminders for at-risk employees, progress report.

The setup is handled by Bexxo — no internal technical skills required. Monthly administration time is less than 2 hours for the HR or IT manager.

Is PhishTrainer hosted in Switzerland?
Yes. PhishTrainer is 100% Swiss: developed by Bexxo (Ins, canton of Bern) and hosted on servers in Switzerland. No data transfer abroad. Your employees' data and campaign results remain on Swiss territory, in compliance with nFADP requirements. PhishTrainer optionally offers client-side encryption: data is encrypted in the user's browser before being transmitted to our servers. In practice, even our infrastructure cannot access the data in plain text — this is a maximum confidentiality guarantee that few simulation tools can offer.
Is cybersecurity training mandatory for SMEs under the nFADP?
The nFADP (new Federal Act on Data Protection, in force since September 2023) requires organisational data protection measures, including raising employee awareness of risks. If a data breach occurs and the company cannot demonstrate that it has trained its teams, it faces fines of up to CHF 250,000. Training reports generated by Bexxo Academy serve as evidence of due diligence in the event of an FDPIC inspection.
Is cybersecurity training mandatory under Swiss nDSG?

The nDSG (Swiss Federal Act on Data Protection, in force since September 2023) requires companies to implement organisational measures to protect personal data. Staff training is explicitly recommended by the Federal Data Protection and Information Commissioner (FDPIC) as an essential organisational measure. In the event of a data breach, the absence of documented training may increase the company's liability. Bexxo provides a monitoring report that serves as proof of due diligence in the event of an FDPIC audit. Data controllers face fines of up to CHF 250,000 in the event of a breach.
