Phishing Simulation: Test whether your people recognise and resist a real attack.

Targeted phishing simulations in any language, designed for regulated enterprises across APAC. Theos Cyber tests how your people respond to targeted social engineering, identifies the gaps, and gives your organisation actionable findings to close them.

Campaigns designed in any language, tailored to your industry and your threat landscape.

OVERVIEW

What is a phishing exercise?

A phishing exercise is a controlled simulation that tests how your people respond to realistic social engineering attacks. Theos designs targeted phishing campaigns that replicate the tactics, techniques, and pretexts used by real threat actors, then measures how your employees respond across click rates, credential submission, and reporting behaviour.

The exercise tests whether your people catch what technical controls miss. In most breach scenarios involving email, the attacker succeeded because a human made a decision that opened the door. A simulated phishing attack tests whether training translates into behaviour under realistic conditions.

  • Realistic pretexts tailored to your industry, your organisation, and the threat actors active in your market
  • Campaigns designed in English, Mandarin, Tagalog, Bahasa, Cantonese, and other regional languages
  • Department-specific spear phishing or organisation-wide awareness testing
  • Tracking employee response across multiple campaign touchpoints
  • Immediate post-click education delivered to employees who engage with the simulation
  • Click rates, credential submission rates, reporting rates, and department-level breakdown with prioritised recommendations

Your organisation knows exactly where human-layer risk sits and which teams or individuals require targeted awareness intervention. Your security awareness programme is focused where it will reduce the most exposure. Your board and regulators have evidence that human-layer controls have been tested.

THE PROBLEM

Technical controls stop automated attacks. Phishing targets the decisions your people make.

Business email compromise, credential phishing, and spear phishing are consistent initial access vectors across APAC breach scenarios. The adversaries behind these attacks invest in making their campaigns convincing. They research targets, impersonate trusted contacts, and design pretexts that create urgency and bypass critical thinking.

Periodic security awareness training tells employees what phishing looks like in theory. A phishing exercise tests whether that knowledge translates into different behaviour under realistic conditions. Phishing exercises across APAC consistently surface the same patterns in human-layer risk. Most organisations find the gap between training and behaviour is significant.

What phishing exercises surface in untested human-layer controls:

  • Click rates on well-crafted pretexts, including among technically experienced staff
  • Credential submission by employees who clicked through without recognising the risk
  • Reporting rates: the proportion of employees who identify and report the simulation
  • Department-level variation: finance, HR, and executive assistants typically show higher susceptibility rates
  • Language-specific gaps: employees are more susceptible to phishing campaigns in their primary language

THEOS APPROACH

Campaigns that reflect how adversaries target your organisation.

Theos phishing exercises are designed by practitioners with direct knowledge of the social engineering techniques used against APAC enterprises. Every campaign begins with an understanding of who your organisation is, what your employees receive, and what pretexts an adversary would use to gain access.

Pretext Design

Theos designs campaign pretexts around the threat actors and techniques most relevant to your industry and market. Financial services clients receive campaigns that reflect the credential harvesting and BEC techniques targeting that sector. Technology companies receive campaigns that mirror supply chain and software-themed pretexts.

Multi-Language Capability

APAC organisations operate across multiple languages and cultures. Theos designs phishing campaigns in the languages your employees actually work in, including English, Mandarin, Tagalog, Bahasa Indonesia, Bahasa Malaysia, Cantonese, and other regional languages. Language-specific campaigns reveal susceptibility patterns across your full workforce.

Targeted and Broad-Based Formats

Theos delivers both targeted spear phishing campaigns against specific individuals or departments and broad-based awareness simulations across the full organisation. The format is agreed based on your objectives: targeted campaigns provide high-fidelity data on specific risk populations; broad-based campaigns provide a baseline across the full workforce.

Findings That Drive Programme Improvement

Every exercise produces a structured findings report covering click rates, credential submission rates, reporting rates, and department-level breakdowns. Recommendations are prioritised by exposure: which departments need immediate intervention, which pretexts produced the highest engagement, and what changes to your awareness programme will reduce risk most effectively.

BENEFITS

What a Theos Phishing Exercise delivers for your organisation.

Baseline measurement

Know exactly where human-layer risk sits and direct intervention accordingly.

Department-level insight

Identify which teams and roles carry the highest social engineering risk.

Language-specific testing

Reveal susceptibility patterns across your full workforce.

Awareness programme focus

Direct employee security awareness training where it will reduce the most exposure.

Regulatory evidence

Documented evidence of human-layer security testing, increasingly recognised under MAS TRM, HKMA iCAST, BNM RMiT, and BSP frameworks.

Programme intelligence

Phishing findings feed directly into red team pretext design and security awareness programme development.

HOW IT WORKS

How a Theos Phishing Exercise is delivered.

1. Scoping

Theos works with your team to define the campaign scope, the target population, the format, and the pretexts to be used. Rules of engagement are agreed, including notification protocols and any scoping constraints.

2. Campaign Design

Theos designs the campaign assets: phishing emails, landing pages, and credential harvesting infrastructure. All assets are built to reflect actual adversary techniques and tested for deliverability before launch.

3. Campaign Execution

Campaigns are launched across the agreed target population on a defined schedule. Theos tracks response in real time: clicks, credential submissions, and reports from employees who identify the simulation.

4. Immediate Education

Employees who engage with the simulation receive immediate post-click education explaining what they encountered, what the indicators of the simulation were, and what to do when they encounter a real phishing attempt.

5. Findings Report

Theos delivers a structured findings report covering campaign results by department, pretext, and language. Click rates, credential submission rates, and reporting rates are documented with benchmark context and prioritised recommendations for awareness programme improvement.

CAMPAIGN TYPES

Campaign formats Theos delivers.

  • Credential harvesting

    Simulated login pages capturing username and password submission rates

  • Attachment-based

    Simulated malicious attachment campaigns measuring open and execute rates

  • Link-based

    Simulated malicious URL campaigns measuring click-through rates

  • Spear phishing

    Targeted campaigns impersonating known contacts, vendors, or leadership

  • Business email compromise

    Simulated payment instruction or wire transfer request campaigns

  • Vishing (voice phishing)

    Telephone-based social engineering simulation where in scope

  • Smishing (SMS phishing)

    SMS-based phishing simulation for mobile-heavy workforces

USE CASES

Organisations measuring human-layer risk for the first time

If your organisation has run security awareness training and has yet to test whether it changed behaviour, a phishing exercise provides the baseline measurement your programme needs. Findings direct intervention where it will reduce the most exposure.

Regulated enterprises with human-layer compliance requirements

MAS TRM, HKMA iCAST, BNM RMiT, and BSP frameworks all include human-layer security controls as a component of a mature security programme. Theos delivers phishing tests in Singapore structured to meet MAS TRM human-layer security requirements. Phishing exercise documentation provides the evidence that those controls have been tested.

Organisations with multilingual workforces

For APAC organisations operating across multiple countries and languages, English-only phishing testing produces an incomplete picture. Theos multi-language capability reveals susceptibility patterns across the full workforce.

Security teams preparing for red team engagements

Red team engagements frequently use phishing as an initial access vector. A phishing exercise run before a red team engagement provides a realistic baseline of human-layer susceptibility, informing how the red team designs its social engineering campaign.

WHY THEOS

Why Theos Phishing Exercises

Campaigns built for APAC, in the languages your people work in

Adversaries targeting organisations in this region invest in campaigns that reflect the languages, cultural contexts, and pretexts that make their targets act. Theos does the same.

Connected to your broader offensive security programme

Phishing exercise findings feed directly into red team pretext design, social engineering scope, and security awareness programme development. For organisations working with Theos across multiple service lines, the intelligence compounds. A susceptibility gap identified in a phishing exercise becomes a social engineering vector in the next red team engagement.

Practitioner-designed campaigns

Theos phishing campaigns are designed by practitioners with direct knowledge of the social engineering techniques targeting APAC enterprises.

GET PROTECTED TODAY

Security is not a product you buy. It is an outcome you earn.

Theos Phishing Exercises tell you where human-layer risk sits and what to do about it. Real campaigns. Measurable findings. Awareness programme improvement that targets the gaps that matter.

We deliver outcomes.

Talk to Theos

FAQ

Frequently Asked Questions

The questions regulated enterprises ask most often before commissioning a phishing exercise.

What is a phishing exercise and how does it work?

A phishing exercise is a controlled simulation that tests how your employees respond to realistic social engineering attacks. Theos designs targeted campaigns that replicate adversary techniques, launches them against your agreed target population, and measures response across click rates, credential submission, and reporting behaviour. The findings identify where human-layer risk sits and direct awareness programme investment to where it will reduce the most exposure.

Will employees know the exercise is happening?

The notification approach is agreed during scoping. Most organisations choose to inform a small group of senior stakeholders while keeping the broader employee population unaware, so response reflects genuine behaviour under realistic conditions. Theos works with your team to agree the right notification structure before the campaign launches.

What languages can campaigns be delivered in?

Theos delivers phishing campaigns in English, Mandarin, Tagalog, Bahasa Indonesia, Bahasa Malaysia, Cantonese, and other regional languages on request. Multi-language campaigns reveal susceptibility patterns across the full workforce, particularly in APAC organisations operating across multiple countries.

How are campaign results measured?

Theos measures click rates, credential submission rates, attachment open rates (where applicable), and reporting rates across the target population. Results are broken down by department, pretext, and language. Each metric is benchmarked against the campaign context and accompanied by prioritised recommendations for awareness programme improvement.
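The findings-report step and the answer above both describe the same metrics: click rate, credential submission rate and reporting rate, broken down by department, pretext and language, with groups ranked for intervention. The script below is an added example of how a security team could compute those metrics from simulation tracking events; it is not Theos Cyber's own tooling. The event records are constructed, and the record layout (employee id, department, language, pretext, event type) is an assumption about what a simulation platform would export.

```python
"""Aggregate phishing-simulation tracking events into the metrics a findings
report uses: click rate, credential submission rate and reporting rate,
grouped by department, language or pretext, then ranked for intervention.

Added example, not Theos Cyber's own tooling. SAMPLE_EVENTS is constructed
and the record layout is an assumption about a platform's export format.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events: (employee_id, department, language, pretext, event).
# Event types: "sent" (email delivered), "click" (link followed), "submit"
# (credentials entered on the simulated login page), "report" (employee
# reported the email through the phishing-report channel).
SAMPLE_EVENTS = [
    ("e01", "Finance", "en", "invoice", "sent"),
    ("e01", "Finance", "en", "invoice", "click"),
    ("e01", "Finance", "en", "invoice", "click"),   # second click, counted once
    ("e01", "Finance", "en", "invoice", "submit"),
    ("e02", "Finance", "zh", "invoice", "sent"),
    ("e02", "Finance", "zh", "invoice", "click"),
    ("e03", "Finance", "en", "invoice", "sent"),
    ("e03", "Finance", "en", "invoice", "report"),
    ("e04", "HR", "tl", "hr-policy", "sent"),
    ("e04", "HR", "tl", "hr-policy", "click"),
    ("e04", "HR", "tl", "hr-policy", "submit"),
    ("e05", "HR", "en", "hr-policy", "sent"),
    ("e05", "HR", "en", "hr-policy", "report"),
    ("e06", "Engineering", "en", "it-password", "sent"),
    ("e06", "Engineering", "en", "it-password", "report"),
    ("e07", "Engineering", "en", "it-password", "sent"),
    ("e08", "Engineering", "en", "it-password", "sent"),
    ("e08", "Engineering", "en", "it-password", "click"),
    ("e08", "Engineering", "en", "it-password", "report"),  # clicked, then reported
]

# Index of the grouping field inside each event tuple.
GROUP_FIELD = {"department": 1, "language": 2, "pretext": 3}


@dataclass(frozen=True)
class GroupMetrics:
    recipients: int
    click_rate: float
    submit_rate: float
    report_rate: float


def compute_metrics(events, group_by="department"):
    """Return {group: GroupMetrics}. Each employee counts at most once per
    metric, so repeated clicks by one person do not inflate the click rate."""
    field = GROUP_FIELD[group_by]
    per_group = defaultdict(lambda: defaultdict(set))  # group -> event -> {employee ids}
    for row in events:
        employee, event = row[0], row[4]
        per_group[row[field]][event].add(employee)

    metrics = {}
    for group, by_event in per_group.items():
        recipients = by_event["sent"]
        if not recipients:
            raise ValueError(f"{group}: tracking events without any 'sent' record")
        # Data-quality check: a credential submission implies a prior click.
        if not by_event["submit"] <= by_event["click"]:
            raise ValueError(f"{group}: 'submit' recorded without a 'click'")
        n = len(recipients)
        metrics[group] = GroupMetrics(
            recipients=n,
            click_rate=len(by_event["click"] & recipients) / n,
            submit_rate=len(by_event["submit"] & recipients) / n,
            report_rate=len(by_event["report"] & recipients) / n,
        )
    return metrics


def prioritise(metrics):
    """Rank groups for intervention: highest credential-submission rate first,
    then highest click rate, then lowest reporting rate."""
    return sorted(
        metrics,
        key=lambda g: (-metrics[g].submit_rate, -metrics[g].click_rate, metrics[g].report_rate),
    )


if __name__ == "__main__":
    for group_by in ("department", "language", "pretext"):
        m = compute_metrics(SAMPLE_EVENTS, group_by)
        print(f"== by {group_by} ==")
        for g in prioritise(m):
            r = m[g]
            print(f"{g:12} n={r.recipients:2}  click={r.click_rate:.0%}  "
                  f"submit={r.submit_rate:.0%}  report={r.report_rate:.0%}")
```

Rates are computed over unique recipients per group, and submissions are checked against clicks so that an inconsistent export is rejected rather than silently reported. Re-running the same aggregation by `language` is what exposes the language-specific gap the page describes, because a single-language breakdown would hide it.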

Does Theos provide awareness training as part of the exercise?

Yes. Employees who engage with the simulation receive immediate post-click education explaining what they encountered and what to do when they face a real phishing attempt. Theos also provides recommendations for ongoing awareness programme development based on the exercise findings.

How does a phishing exercise connect to other Theos services?

Phishing exercise findings feed directly into red team pretext design, social engineering scope, and security awareness programme development. Organisations that work with Theos across multiple service lines find that susceptibility gaps identified in a phishing exercise inform the social engineering vectors used in the next red team engagement.

How often should phishing exercises be run?

Most regulatory frameworks recommend or require periodic testing of human-layer controls. Theos recommends a cadence based on your workforce size, your industry, and the pace at which your threat landscape evolves. Annual exercises provide a baseline; more frequent testing tracks improvement over time and maintains awareness as your workforce changes.
