Answers to your questions

Quickly find answers to your questions about cybersecurity, CVE Find, standards, vulnerabilities and Bexxo services in our comprehensive FAQ.

FAQ: Awareness

Is phishing simulation useful for nFADP compliance?
Yes. The nFADP (new Federal Act on Data Protection, in force since 1 September 2023) requires data controllers to take appropriate technical and organisational security measures, and raising employee awareness of the risks is part of those organisational measures. Its criminal provisions (fines of up to CHF 250,000) are directed at the natural persons responsible rather than at the company as such, and apply to intentional violations such as failing to meet the minimum data security requirements; after a breach, a company that cannot show it trained its staff is in addition exposed to civil liability and reputational damage. PhishTrainer campaign reports serve as evidence of due diligence: they document the simulations carried out, click rates over time, and the corrective actions implemented.
What are the different forms of phishing to know about?
There are 6 main forms of phishing:
  • Classic phishing — mass emails imitating a bank, a delivery service, or a government agency. More than 3.4 billion fraudulent emails sent every day (Forbes 2024). Often recognizable by errors and artificial urgency.
  • Spear phishing — targeted attack on a specific person, with real information (manager's name, ongoing project). Accounts for 66% of confirmed breaches (Verizon DBIR 2024).
  • Whaling — variant of spear phishing specifically targeting executives and managers, to access finances or strategic decisions.
  • Smishing — phishing via SMS. Typically imitates a banking alert, a parcel delivery, or a public service. SMS open rates exceed 90% — this vector is growing rapidly.
  • Vishing — voice phishing by phone. The fraudster impersonates IT support, a bank, or a government agency to extract information or trigger immediate action.
  • BEC (Business Email Compromise / CEO fraud) — impersonation of a manager or business partner to order a bank transfer or obtain sensitive data. The primary source of financial losses related to cybercrime: 2.9 billion USD in 2023 (FBI IC3 2024).
What are the risks associated with a lack of awareness?

A lack of awareness exposes the company to very real risks: opening fraudulent emails, installing malware, data leaks, or bad practices such as using unencrypted storage media or sharing passwords. These errors can lead to costly cyberattacks or even business interruptions.

In addition, untrained personnel can become the unintentional entry point for ransomware, data theft, or industrial espionage. In a context of increasing digitization, ignoring this aspect amounts to leaving a permanent flaw in the company's defense.

What is Bexxo Academy?
Bexxo Academy (academy.bexxo.ch) is Bexxo's cybersecurity training platform, dedicated to Swiss SMEs, their employees and the general public. It offers interactive modules, phishing simulators, quizzes, videos and educational games, accessible 24/7 from any device. It is complemented by in-person sessions at Bexxo's premises in Ins (BE), for up to 20 people.
What is PhishTrainer?
PhishTrainer is a Swiss phishing simulation software developed by Bexxo. It sends realistic simulated phishing email campaigns to a company's employees, with no real risk, to test their vigilance, identify vulnerable profiles, and measure the effectiveness of training. Data remains hosted in Switzerland, in accordance with the nFADP. PhishTrainer works in synergy with Bexxo Academy, Bexxo's e-learning platform.
What is cybersecurity training in the workplace?

Cybersecurity training in the workplace is a structured programme that teaches employees to recognise and avoid everyday cyber threats: phishing, social engineering, weak passwords, risky behaviours. Unlike purely technical solutions, it addresses the main vulnerability of organisations: the human factor. At Bexxo, training combines real simulation via PhishTrainer (fake phishing email campaigns) and interactive learning via Bexxo Academy (modules, quizzes, videos). 68% of data breaches involve human error (Verizon DBIR 2024).

What is phishing?
Phishing is an online fraud technique that involves sending emails, SMS, or messages that imitate legitimate communications (bank, government agency, employer) to trick the victim into revealing confidential information — passwords, banking details, professional credentials. Phishing is the most widely used attack vector: 91% of cyberattacks start with a fraudulent email (Proofpoint 2024).
What is spear phishing and why is it more dangerous?
Spear phishing is a targeted variant of classic phishing: instead of sending millions of generic emails, attackers personalize the attack using real information about the victim (manager's name, ongoing project, supplier name). This targeting makes the email far more credible. Spear phishing accounts for 66% of confirmed data breaches (Verizon DBIR 2024). With AI, attackers can now generate these personalized emails at scale — the cost of a targeted attack has dropped considerably.
What is the company's responsibility in the event of an incident caused by a poorly informed employee?

If a security incident occurs because of risky behaviour by a poorly informed employee, the company remains largely responsible. The law, including the nFADP in Switzerland and the GDPR in Europe, requires organisations to take the technical and organisational measures necessary to protect data and reduce risks, and staff training and awareness are part of those measures.

In the event of a dispute or investigation, a company unable to demonstrate that it has implemented preventive actions (such as regular training, awareness campaigns, or reminders of best practices) could be deemed negligent. This can lead to fines, damage to reputation, and a loss of trust from customers and partners.

What is the difference between Bexxo Academy online training and in-person sessions?
Online training (academy.bexxo.ch) is available 24/7, individual and self-paced — ideal for regular awareness, ongoing tracking and geographically dispersed teams. In-person sessions in Ins (BE) are recommended when you wish to train 5 to 20 people simultaneously, run interactive workshops with real-life scenarios, or anchor a security culture during a company event (seminar, thematic day). For teams of more than 10 people, we generally recommend a combination: initial online awareness, then an in-person session to consolidate learning and address issues specific to your organisation.
What is the difference between PhishTrainer and Bexxo Academy?

They are two complementary tools:

  • PhishTrainer works through practice: it sends fake phishing emails to your employees and measures who clicks and who reports the attack. This is the behavioural approach — learning by experience. The dashboard shows the click rate, the reporting rate and the trend over time.
  • Bexxo Academy works through knowledge: video modules, interactive quizzes, educational games on cyber threats. Available 24/7 online, complemented by in-person sessions in Ins (BE). Ideal for onboarding new employees and updating knowledge.

Both tools together cover the complete loop: raise awareness → test → measure → improve.
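The click rate, reporting rate and trend that the PhishTrainer dashboard shows are easy to get wrong when computed from raw events (a recipient who clicks twice, or who clicks and then reports, must count once). The following is an added example for this FAQ, not PhishTrainer's own code: the event format, the action names and the sample log are assumptions, constructed to show the per-campaign rates, the time to first report, and the campaign-to-campaign trend.

```python
"""Phishing-simulation metrics computed from a campaign event log.

Added example for this FAQ, not PhishTrainer's own code: the event format,
action names and sample data below are assumptions. It computes, per campaign,
the click rate, credential-submission rate and reporting rate, counting each
recipient at most once per campaign, plus the trend between consecutive
campaigns and the time to the first report.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample log: (campaign, recipient, action, minutes after send).
# Actions: sent, clicked, submitted (entered credentials on the fake page), reported.
EVENTS = [
    ("2024-Q1", "alice", "sent", 0),
    ("2024-Q1", "alice", "clicked", 4),
    ("2024-Q1", "alice", "clicked", 9),     # second click: same person, counts once
    ("2024-Q1", "bob", "sent", 0),
    ("2024-Q1", "bob", "clicked", 12),
    ("2024-Q1", "bob", "submitted", 13),
    ("2024-Q1", "carol", "sent", 0),
    ("2024-Q1", "carol", "reported", 3),
    ("2024-Q1", "dave", "sent", 0),         # no reaction at all
    ("2024-Q2", "alice", "sent", 0),
    ("2024-Q2", "alice", "reported", 2),
    ("2024-Q2", "bob", "sent", 0),
    ("2024-Q2", "bob", "clicked", 30),
    ("2024-Q2", "bob", "reported", 31),     # clicked, then reported: still a click
    ("2024-Q2", "carol", "sent", 0),
    ("2024-Q2", "carol", "reported", 5),
    ("2024-Q2", "dave", "sent", 0),
]


@dataclass
class CampaignStats:
    campaign: str
    targeted: int
    clicked: int
    submitted: int
    reported: int
    first_report_min: Optional[int]   # None if nobody reported

    def _rate(self, n: int) -> float:
        return n / self.targeted if self.targeted else 0.0

    @property
    def click_rate(self) -> float:
        return self._rate(self.clicked)

    @property
    def submit_rate(self) -> float:
        return self._rate(self.submitted)

    @property
    def report_rate(self) -> float:
        return self._rate(self.reported)


def campaign_stats(events) -> list:
    """Aggregate raw events into one CampaignStats per campaign, sorted by campaign id."""
    actors = defaultdict(lambda: defaultdict(set))   # campaign -> action -> recipients
    first_report = {}
    for campaign, recipient, action, minutes in events:
        actors[campaign][action].add(recipient)
        if action == "reported":
            first_report[campaign] = min(minutes, first_report.get(campaign, minutes))
    stats = []
    for campaign in sorted(actors):
        a = actors[campaign]
        targeted = a["sent"]
        # Submitting credentials implies a click; ignore events from people never targeted.
        clicked = (a["clicked"] | a["submitted"]) & targeted
        stats.append(CampaignStats(
            campaign, len(targeted), len(clicked),
            len(a["submitted"] & targeted), len(a["reported"] & targeted),
            first_report.get(campaign),
        ))
    return stats


def trend(stats) -> list:
    """Change in click rate and report rate between consecutive campaigns, in percentage points."""
    return [
        (cur.campaign,
         round((cur.click_rate - prev.click_rate) * 100, 1),
         round((cur.report_rate - prev.report_rate) * 100, 1))
        for prev, cur in zip(stats, stats[1:])
    ]


if __name__ == "__main__":
    for s in campaign_stats(EVENTS):
        print(f"{s.campaign}: targeted={s.targeted} click={s.click_rate:.0%} "
              f"submit={s.submit_rate:.0%} report={s.report_rate:.0%} "
              f"first report after {s.first_report_min} min")
    for campaign, d_click, d_report in trend(campaign_stats(EVENTS)):
        print(f"{campaign}: click {d_click:+.1f} pp, report {d_report:+.1f} pp")
```

Rates are computed over unique recipients, so a double click or a click followed by a report cannot push the click rate above 100% or hide the click; the time to first report is the metric that tells you how quickly the security team would have heard about a real campaign.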

What is the difference between PhishTrainer and Bexxo Academy?
PhishTrainer and Bexxo Academy are two complementary tools: PhishTrainer tests (attack simulation, vulnerability identification, click rate measurement), Bexxo Academy trains (e-learning modules, quizzes, videos, in-person sessions). They work in synergy: PhishTrainer results identify at-risk teams or profiles, Bexxo Academy provides the adapted training paths. For effective protection, Bexxo recommends using both tools together following the Simulate → Train → Measure method.
What is the difference between security awareness and technical training?

Security awareness aims to spread a general security culture, accessible to all employees, regardless of their profession or technical level. It covers concrete topics: phishing, passwords, mobile devices, social networks, vigilance when working remotely, etc. The goal is to make every employee an active participant in security in their daily work.

Technical training, on the other hand, is aimed at more specialized profiles (IT teams, devs, admins) and focuses on specific skills such as system hardening, secure development, or incident management. It often requires prerequisites and aims to strengthen security through technical mastery.

What should I do if I clicked on a phishing link?
Act immediately: (1) disconnect the device from the company network (Wi-Fi, cable); (2) report the incident to your IT department or security officer without delay, by phone or in person rather than by email, since your mailbox may already be compromised; (3) if you entered credentials, change that password from another trusted device, and change it everywhere else the same password was reused; (4) do not delete the suspicious email, it is needed for forensic analysis (headers, link, attachment), and do not open the link or attachment again; (5) enable MFA on the account if not already done. The IT team can then revoke active sessions, review sign-in logs and block the sender. The faster you act, the more the damage can be limited.
Who should be trained in an SME?

In an SME, all employees should be trained, at least on the basics of cybersecurity. Every role is affected: the administrative staff who handle sensitive documents, the sales representative who exchanges emails with external parties, or the technician who accesses management tools. The training must be adapted to the role and to the risks associated with each position.

In addition, technical teams, security referents (when they exist), and management must undergo more in-depth training to understand the issues, manage decisions, and react effectively in the event of an incident. In an SME, where resources are limited, training intelligently and progressively is often more realistic than aiming for exhaustiveness.