Retail banking, 18,000 employees
Building a phishing-resilience programme at an ASEAN retail bank
Designed and ran a multi-year phishing-resilience programme that moved click-rate from 24% to 6% and reporting-rate from 3% to 41% over eight quarters.
The client had a baseline phishing-simulation tool deployed but no programmatic structure around it. Campaigns were run ad-hoc, click-rate was the only metric reported, and the bank's audit team had flagged the absence of formal evidence of behaviour change as a finding.
Our engagement scoped a four-quarter programme calendar with explicit objective-setting per quarter, a sector-aligned lure library, and a new metric framework that made reporting-rate, rather than click-rate alone, the primary executive metric.
Implementation took two quarters to bed in. We expected and observed an initial increase in click-rate as the simulation library was refreshed away from the predictable lures the workforce had already seen. By quarter three, both click-rate and reporting-rate were moving in the right direction.
By the end of the second year, reporting-rate had risen from 3% to 41% — a result that was notable enough to be cited in the bank's annual report. Click-rate dropped from 24% to 6% over the same period.
The programme continues as an annual framework engagement. The bank's audit team have closed the original finding.
Outcome
Click-rate down 75%, reporting-rate up 13x, original audit finding closed, ongoing annual programme.