Robert Bosch uses LUCY for Phishing Simulations

Customer Story – Experiences with the use of the LUCY Phishing Awareness Training Server at Robert Bosch

An interview with Patrick Zeller, Senior Manager Enterprise Security, Robert Bosch LLC.

Robert Bosch uses LUCY for Phishing SimulationsMarch 2017 – “Bosch” is one of LUCY Security’s first major customers. Thanks to its support, the LUCY Phishing and Awareness Training Server was able to develop rapidly. At the beginning of the year 2017, we interviewed Mr. Zeller on the use and experiences with the products.

Mr. Zeller, how and to what extent does Robert Bosch use the LUCY server?

Patrick Zeller: We use Lucy to educate our employees around the world, on the dangers and risks of phishing and to raise awareness about this. Our employees are given the opportunity to gain experience on this topic, within a safe environment.

And since when is the product been used by Bosch? Can you tell us something about the volume of the already-conducted campaigns?

P.Z.: After an initial evaluation in autumn 2015, we have been using the LUCY Phishing Awareness Training Server since spring 2016. We have conducted various campaigns in more than 10 different languages, with up to 300,000 recipients. Also, since the end of 2016 we have been using the new function of “USB phishing”.

Can you now say something on the benefits of the phishing simulations; has the awareness against cyber risks actually increased among the employees?

We have not yet performed enough campaigns to have proving evidence, with regard to the “click-through rates”. We expect the first KPIs by the middle of the year. However, the feedback of our employees on the respective campaigns is very positive. What we can say with certainty is that we have noticed a significant increase in the notification rates / reports on phishing emails to our internal CERT, as a result of the phishing campaigns carried out so far. This indicates an increasing general awareness of our employees.

Do you remember the incidents; have there been fewer breaches, infections, or something similar?

These are internal data on which I unfortunately cannot comment on. However, since security have always been a top priority for Bosch, we have traditionally been very well positioned here. We see the topic “Security Awareness Phishing” as a complementary tool and measure in our IT security portfolio.

Thank you, Mr. Zeller. Let’s now get to the product itself: why did Robert Bosch GmbH opt for LUCY?

In addition to its excellent price / performance ratio, the decisive factor was the fact that we could completely run the LUCY Phishing Awareness Training Server in-house or on-premise. This is important to us, as it ensures that no sensitive data from our employees leaves the company. Overall, this equally helped us to obtain approval from our worker`s council, since we could convincingly demonstrate and ensure that no employees are monitored. LUCY gives us the flexibility to individually design campaigns and to execute them completely anonymously. It is our goal to train our employees and not to carry out performance checks on them!

And how were the experiences so far?

Overall, it is very positive; as such, we’ve decided to continue with the LUCY Phishing Awareness Training Server. We appreciate the close contact with LUCY’s developers, who can directly support us in case of problems and who are always open for new feature requests. With the version 2.x, we had some performance issues at the beginning, but since the version 3.0, the product has significantly matured and it runs reliably. Unfortunately, the report generator can only be used to a limited extent, because we have very specific requirements, which is due to the size and complexity of our organization. Fortunately however, we can solve this by exporting the results, which we then appropriately prepare for ourselves, through our database applications.

Can you tell us about your favorite features or templates and how are you satisfied with the product?

To be honest, we rarely used pre-made templates in the past. We have too much fun in implementing our own ideas. In general, LUCY’s flexibility is certainly a feature which we greatly appreciate. Also, the “Randomized Phishing” and the “Double Barrel Attacks[1]” are among our favorite features, since they are very efficient and easy to configure. Currently we are looking at the new Phishing Incident Plugin for Microsoft Outlook (Note: Phishing alert button). Overall I can say that LUCY is a very efficient tool for my team, for creating awareness amongst our employees and it meets all our requirements!

Thank you very much for this interview, Mr. Zeller.

[1] In a double barrel attack, the system first sends the user a lure email with a teaser text. The system then waits for some time, before the actual phishing email is sent to the user.

About the LUCY Phishing Awareness Training Server

The LUCY Phishing Awareness Training Server is used for the simulation of technical social engineering attacks and it is universally applicable from SMEs (Small Application Areas Phishing LUCY Server Robert Boschand Medium size Enterprises) right up to large customers. The product can locally be installed at the customer’s location; a cloud variant is also available. The Swiss solution provides dozens of preconfigured phishing templates and training modules, which can be independently used by the end user. Through the “Phishing Incident Plugin” for Microsoft Outlook, the user is opportune by his/her quick reception of an alert, in the event of an attack; this thus reduces the work put in by the security team in the analysis of the threat.

For further information please contact LUCY Security at +41 44 557 19 37 or at


You want to copy an existing Website for a Social Engineering Scam? (Simulation) – We show you how it’s done

After 2 (two!) minutes you have a cloned website for your Phishing Scenario. LUCY Social Engineering Simulation Server empowers you when you set up an IT-Security Awareness Campaign [Screencast].

Advanced Phishing Simulations: Clone a Website and add your own Login Form – Do you want to create a phishing simulation and you want to use an social engineering simulation with LUCY - Cloning an existing Website and inserting a login form for data capturealready existing website as a landing page? This 2 minute video shows you quickly how to create a custom landing page with the website copy feature and adding a custom login form for data capture.

Just create a new scenario and select an empty Web based scenario. You can also select any other Web based scenario template for the social engineering simulation you want to customize, because the “Website Copy Feature” overwrites the default Landing Page of the template.

The steps described in the webcast are

  1. In LUCY, create a new campaign, edit the basic settings and save it
  2. Create a new scenario by selecting a Web based attack template (or chose an empty one), populate all mandatory fields and save it.
  3. Go to the Landing Page Menu Item of the scenario you created just before
  4. Push the “Copy Website Button”, the ‘WebSiteCopy’ dialogue appears
  5. Fill out the fields:
    • URL – The source website you want to copy
    • Language – With that you’re defining your language version (LUCY allows multiple languages in the same campaign)
    • File – Select the appropriate value in the poplist, choose f.e. index.html
  6. Push the “Start” Button and the Website Copy is executed. Even really big sites can be copied. And it’s fast!
  7. After the copy is finished, use the Back Button of the dialoge (not of the browser)
  8. Go into the editor, place the cursor where you want to add the login form, push the button “Insert Login Form”
  9. The System provides you three predefined login forms. Select an appropriate one and press OK. If you want to modify it later on, you can do that manually.
  10. The login form appears on the landing page from you social engineering simulation / phishing scenario. Save your setup of the landing page and you’re done with it!


Thank you for using LUCY. If you want to see the full end-to-end process from setting up the campaign until sending out and tracking the phishing simulation messages, the just watch the longer webcast below.

Watch the full and more detailed Scenario: Social Engineering Simulation Webcast




Phishing Reports: How to read and analyze Stats of a Ransomware Simulation or a File based Phishing Attack

How do you read the results of a Phishing Campaign containing an file attachment or even of a Ransomware Simulation? A hands-on example explains how to get campaign insights and how to read LUCY Phishing Reports.

The initial situation and the question

You prepared a file based phishing scenario. The attachement is a word file containing a ‘malicious’ macro. And now you want to track the results.

Say you sent 50 messages, 20 were clicked (good campaign!), vou got 2 file downloads and 1 user activated the macros.

The Question: How can you list the users who downloaded the file, but didn’t activate the macros? For example you’re should have a list of 2 users somewhere for this but you can’t find it.

The Answers: Analyzing the Phishing Reports

1. Who downloaded the File and who did activate the macros? You can see who clicked, and who executed the file (success) in CSV for example (here’s an example of mixed scenario with macro) and the success condition set to “Data Submit”. As you can see it’s only the last user who downloaded AND executed the file has a ‘success entry’. The user who only accessed the file has only a success entry at link click (column ‘clicked):

Who clicked on the File Link? Who even activated the Word Macro in the File - Analyzing Campaign Reports generated by LUCY Anti-Phishing Server

2. Download summaries are visible in overall stats:

Summary Report on the amount of people who downloaded a attachement from a LUCY Phishing Simulation / Attack

3. See in detail how downloaded what and how was the success: But if you want to see in detail who downloaded a file you can sort the phishing report list by a variable that only appears if the user accessed the webpage (e.g. plugins) and then you can see in the details if the user downloaded the file and executed the file (= The check mark at “Successful Attack”)…

details if the user downloaded the file and executed the file. This is a success event of a file based phishing simulation

…or only accessed the link, downloaded the file, but did not execute the file (no success check mark):

A user downloaded the file but he didn't activate the word macro. This means that this particular phishing attack was not successful. Success Checkmark is empty - Antiphishing Simulation with LUCY Server

5. Alternative: Analyze transmitted Data back to LUCY – Another possibility to track only users who executed the simulation is to actually see under “Collected Data”. Such an event when a user is clicking a link/file is reported back to LUCY: 

When a user clicks on a link or a file, this information is send back to LUCY Phishing Server and is available for further analysis under the Menu "Collected Data"

Happy Reporting with LUCY Anti-Phishing and Awareness Training Server!

Avoid Ransomware - Locky in Action

18 Strategic and Creative Ways to Avoid Ransomware

How to configure an IT Security Awareness Training with LUCY Interactive Training Templates

Security Awareness Training – Screencast How to customize your own Training using the Mixed Interactive Template

Use Malware and Ransomware simulations from LUCY: Screencasts, examples and tutorials

Create and run malware simulations – LUCY Screencasts

Social Engineering and Phishing made easy with LUCY. F.e. the comparison feature is available now in the free edition

Easy social engineering, phishing and more for free! Empowered LUCY Community Edition V 3.1

150 most influencial blogs and contributors in information security - Cyber Security Ranking

150+ Most Influencial Blogs and Contributors in Cyber Security


It Starts with a Phishing Attack: 10 Steps to a Global Financial Meltdown

‘Too big to fail’—But the financial industry remains vulnerable. Just look at the ‘Carbanak attacks’ or the ‘Bangladesh SWIFT Hack’. A global financial meltdown due to hacker attacks is a realistic possibility: A poll taken at Black Hat 2016 indicates that 72% of security experts expect a ‘major issue’ to occur in the next 12 months. This post explains how cyber criminals launching a phishing attack could cause a global financial meltdown.

The Carbanak attacks and the Bangladesh Swift Hack: It is possible!

The Carbanak attacks targeted some 100 banks, capturing 8M USD on average from each, while the Bangladesh Swift Hack stole over 80M USD. Both prove one thing: Banks remain vulnerable. It should not be the case, but it remains a fact. Obvious weaknesses were and are still regularly exploited, with some experts even convinced that Carbanak remains active today. From this viewpoint, it is not surprising that a poll taken at Black Hat 2016 showed that two-thirds of the IT-security specialists surveyed expect a ‘major incident’ in the next 12 months.

Who gets attacked when cyber criminals want to strike the financial industry at its core?

Financial Market Infrastructures (FMIs) are the main targets. These are the banks and organizations that money flows through, including clearing banks, payment systems, SWIFT departments, and so on. Once hacked, FMIs unwittingly give gangsters the ability to manipulate an account’s balance upwards and remit the difference without altering the initial balance—the account owner’s balance remains the same.

Who attacks why?

Three (outside) attacker types are the most obvious: (1) Criminal groups who want to steal money, (2) state hackers who seek to manipulate economic and power politics, and (3) activist groups who act for supposedly ethical or idealistic reasons.

Financial meltdown: How the collapse of the financial system works?

There are 10 steps that could lead to the fall of the financial industry. The entire process would unfold over the course of months, and it would all start with social engineering

  1. Beginning with a Phishing attack or other social engineering trick (SMiShing, USB Trojans, etc.), gangsters gain access to a banking network and infiltrate it using malware. This malware then spreads ‘laterally’ as, say, the infection quickly moves among workstations.
  2. Exploration. The malicious software spies on the network and the way people work on it. User screens are recorded over months, as are keystrokes. Gradually, attackers learn which transactions must be executed to manipulate accounts and transfer funds.
  3. Attack. The attack is carried out. The attacker, e.g., raises the beginning balance of account X from $2000 to $20,000, then transfers the difference of $18,000 to a third location. Another example would be attacking an ATM, causing it to spit out oodles of money (ATM jackpotting). Optimally, an attack is one of many that happen simultaneously, effecting many accounts at many banks. The Carbanak Gang mastered this procedure by making cash withdrawals that were only big enough that the effected banks did not have to report irregularities and could continue to make their daily closings. Here is where the attack actually ends.

  4. Recognition. The targeted Banks note the irregularities because account balances are not increasing or decreasing as they should be. The central FMI banks also note the irregularities through their regular monitoring. But since neither side is communicating with the other, nobody knows how much money is missing and at which bank the initial break-in occurred.
  5. Open bank accounts and/or incorrect account balances bring the flow of money to a standstill. Now the meltdown begins to move fast. Because the banks no longer trust their numbers, they may not close their books or know exactly what their customers’ balances are. Therefore, banks become reluctant to wire customer transactions. The flow of money stops.
  6. Trade comes to a halt. Without reliable payment infrastructure companies and businesses can no longer function properly. Supply chains come to a standstill and trading begins to sputter.
  7. Panic and mass withdrawals. The financial meltdown begins: Now everyone realizes that something is wrong. Many account holders immediately try to withdraw their money.
  8. The first banks collapses. The outflow of funds (customers’ savings) leads to liquidity shortages and the banks ‘collapse’.  Central banks normally help in such situations by providing banks with liquidity. But since no one knows exactly why something is wrong, and because many banks are effected at the same time, it becomes doubtful that central banks will be able to save the situation at all.
  9. The recovery of the backups fail. Since it is unknown exactly when the attack and the tampering began, there is an increased likelihood that the back-played backups are already corrupted too. A rapid recovery in business activity and decent banking operations are suddenly no longer possible.
  10. The ‘doomsday of the financial system’: weeks of bank holidays and a lack of public confidence. The financial institutions have no other option than to shut their systems down and proclaim a bank holiday. The industries’ envisaged “recovery time” of 2 hours degenerates into a farce. The financial meltdown and the unavailability of banking leads directly to the corresponding damage to the global economy. The long-term damage is even worse: The world’s confidence in the financial system has effectively been destroyed. In addition to the lengthy amount of work needed to find out what actually happened, it takes even longer to rebuild and restore public confidence, if such a thing is even possible any longer. It’s easy to imagine that such an incident could force the economy into a global recession and that market participants could walk away from the traditional financial institutions and turn to alternative clearing and payment systems.

Conclusion: phishing or social engineering are almost always the catalysts

financial meltdown with phishingThis bleak scenario is not so far-fetched. For us, it’s proven that if such a scenario unfolded, a successful phishing attack would be the catalyst. With phishing or other social engineering technical measures, attackers gain access to the networks and computer infrastructures of financial institutions. Once attackers gain access, they inject malware and the APT begins. And our twenty years of penetration-testing experience has shown that social engineering, along with malware, always leads to a successful infection.

Use LUCY Server to prevent successful phishing attacks

By using LUCY you increase employee awareness against cyber attacks and social engineering. Our people testing and technology assessment server can be installed on premise or be used in the cloud. The solution allows users to perform DIY

  • Phishing / SMiShing / Bad-USB simulations
  • Malware simulations
  • Ransomware simulations
  • SIEM stress tests
  • IT-security awareness education and training

A free community edition is available. We already have more than 2400 active installations. Just visit to learn more.  LUCY Security – Increase IT Security, maintain Cybersecurity Awareness and prevent the financial meltdown!



    1. IT-Security experts are expecting a major issue next year
    2. Carbanak steals more than 1 Bn 
    3. Carbanak: 8 Mio USD on average
    4. Bangladesh Hack 
    5. Bangladesh Swift Bank Hack
    6. Carbanak is still active  
    7. ATM-Jackpotting
    8. Policy: Two-hour recovery time 
    9. What is an APT?
    10. Phishing and Malware are always working together! – LUCY Manifesto

LUCY Functional Overview