Robert Bosch uses LUCY for Phishing Simulations

Customer Story – Experiences with the use of the LUCY Phishing Awareness Training Server at Robert Bosch

An interview with Patrick Zeller, Senior Manager Enterprise Security, Robert Bosch LLC.

Robert Bosch uses LUCY for Phishing SimulationsMarch 2017 – “Bosch” is one of LUCY Security’s first major customers. Thanks to its support, the LUCY Phishing and Awareness Training Server was able to develop rapidly. At the beginning of the year 2017, we interviewed Mr. Zeller on the use and experiences with the products.

Mr. Zeller, how and to what extent does Robert Bosch use the LUCY server?

Patrick Zeller: We use Lucy to educate our employees around the world, on the dangers and risks of phishing and to raise awareness about this. Our employees are given the opportunity to gain experience on this topic, within a safe environment.

And since when is the product been used by Bosch? Can you tell us something about the volume of the already-conducted campaigns?

P.Z.: After an initial evaluation in autumn 2015, we have been using the LUCY Phishing Awareness Training Server since spring 2016. We have conducted various campaigns in more than 10 different languages, with up to 300,000 recipients. Also, since the end of 2016 we have been using the new function of “USB phishing”.

Can you now say something on the benefits of the phishing simulations; has the awareness against cyber risks actually increased among the employees?

We have not yet performed enough campaigns to have proving evidence, with regard to the “click-through rates”. We expect the first KPIs by the middle of the year. However, the feedback of our employees on the respective campaigns is very positive. What we can say with certainty is that we have noticed a significant increase in the notification rates / reports on phishing emails to our internal CERT, as a result of the phishing campaigns carried out so far. This indicates an increasing general awareness of our employees.

Do you remember the incidents; have there been fewer breaches, infections, or something similar?

These are internal data on which I unfortunately cannot comment on. However, since security have always been a top priority for Bosch, we have traditionally been very well positioned here. We see the topic “Security Awareness Phishing” as a complementary tool and measure in our IT security portfolio.

Thank you, Mr. Zeller. Let’s now get to the product itself: why did Robert Bosch GmbH opt for LUCY?

In addition to its excellent price / performance ratio, the decisive factor was the fact that we could completely run the LUCY Phishing Awareness Training Server in-house or on-premise. This is important to us, as it ensures that no sensitive data from our employees leaves the company. Overall, this equally helped us to obtain approval from our worker`s council, since we could convincingly demonstrate and ensure that no employees are monitored. LUCY gives us the flexibility to individually design campaigns and to execute them completely anonymously. It is our goal to train our employees and not to carry out performance checks on them!

And how were the experiences so far?

Overall, it is very positive; as such, we’ve decided to continue with the LUCY Phishing Awareness Training Server. We appreciate the close contact with LUCY’s developers, who can directly support us in case of problems and who are always open for new feature requests. With the version 2.x, we had some performance issues at the beginning, but since the version 3.0, the product has significantly matured and it runs reliably. Unfortunately, the report generator can only be used to a limited extent, because we have very specific requirements, which is due to the size and complexity of our organization. Fortunately however, we can solve this by exporting the results, which we then appropriately prepare for ourselves, through our database applications.

Can you tell us about your favorite features or templates and how are you satisfied with the product?

To be honest, we rarely used pre-made templates in the past. We have too much fun in implementing our own ideas. In general, LUCY’s flexibility is certainly a feature which we greatly appreciate. Also, the “Randomized Phishing” and the “Double Barrel Attacks[1]” are among our favorite features, since they are very efficient and easy to configure. Currently we are looking at the new Phishing Incident Plugin for Microsoft Outlook (Note: Phishing alert button). Overall I can say that LUCY is a very efficient tool for my team, for creating awareness amongst our employees and it meets all our requirements!

Thank you very much for this interview, Mr. Zeller.

[1] In a double barrel attack, the system first sends the user a lure email with a teaser text. The system then waits for some time, before the actual phishing email is sent to the user.

About the LUCY Phishing Awareness Training Server

The LUCY Phishing Awareness Training Server is used for the simulation of technical social engineering attacks and it is universally applicable from SMEs (Small Application Areas Phishing LUCY Server Robert Boschand Medium size Enterprises) right up to large customers. The product can locally be installed at the customer’s location; a cloud variant is also available. The Swiss solution provides dozens of preconfigured phishing templates and training modules, which can be independently used by the end user. Through the “Phishing Incident Plugin” for Microsoft Outlook, the user is opportune by his/her quick reception of an alert, in the event of an attack; this thus reduces the work put in by the security team in the analysis of the threat.

For further information please contact LUCY Security at +41 44 557 19 37 or at

Avoid Ransomware - Locky in Action

18 Strategic and Creative Ways to Avoid Ransomware

Use Malware and Ransomware simulations from LUCY: Screencasts, examples and tutorials

Create and run malware simulations – LUCY Screencasts


It Starts with a Phishing Attack: 10 Steps to a Global Financial Meltdown

‘Too big to fail’—But the financial industry remains vulnerable. Just look at the ‘Carbanak attacks’ or the ‘Bangladesh SWIFT Hack’. A global financial meltdown due to hacker attacks is a realistic possibility: A poll taken at Black Hat 2016 indicates that 72% of security experts expect a ‘major issue’ to occur in the next 12 months. This post explains how cyber criminals launching a phishing attack could cause a global financial meltdown.

The Carbanak attacks and the Bangladesh Swift Hack: It is possible!

The Carbanak attacks targeted some 100 banks, capturing 8M USD on average from each, while the Bangladesh Swift Hack stole over 80M USD. Both prove one thing: Banks remain vulnerable. It should not be the case, but it remains a fact. Obvious weaknesses were and are still regularly exploited, with some experts even convinced that Carbanak remains active today. From this viewpoint, it is not surprising that a poll taken at Black Hat 2016 showed that two-thirds of the IT-security specialists surveyed expect a ‘major incident’ in the next 12 months.

Who gets attacked when cyber criminals want to strike the financial industry at its core?

Financial Market Infrastructures (FMIs) are the main targets. These are the banks and organizations that money flows through, including clearing banks, payment systems, SWIFT departments, and so on. Once hacked, FMIs unwittingly give gangsters the ability to manipulate an account’s balance upwards and remit the difference without altering the initial balance—the account owner’s balance remains the same.

Who attacks why?

Three (outside) attacker types are the most obvious: (1) Criminal groups who want to steal money, (2) state hackers who seek to manipulate economic and power politics, and (3) activist groups who act for supposedly ethical or idealistic reasons.

Financial meltdown: How the collapse of the financial system works?

There are 10 steps that could lead to the fall of the financial industry. The entire process would unfold over the course of months, and it would all start with social engineering

  1. Beginning with a Phishing attack or other social engineering trick (SMiShing, USB Trojans, etc.), gangsters gain access to a banking network and infiltrate it using malware. This malware then spreads ‘laterally’ as, say, the infection quickly moves among workstations.
  2. Exploration. The malicious software spies on the network and the way people work on it. User screens are recorded over months, as are keystrokes. Gradually, attackers learn which transactions must be executed to manipulate accounts and transfer funds.
  3. Attack. The attack is carried out. The attacker, e.g., raises the beginning balance of account X from $2000 to $20,000, then transfers the difference of $18,000 to a third location. Another example would be attacking an ATM, causing it to spit out oodles of money (ATM jackpotting). Optimally, an attack is one of many that happen simultaneously, effecting many accounts at many banks. The Carbanak Gang mastered this procedure by making cash withdrawals that were only big enough that the effected banks did not have to report irregularities and could continue to make their daily closings. Here is where the attack actually ends.

  4. Recognition. The targeted Banks note the irregularities because account balances are not increasing or decreasing as they should be. The central FMI banks also note the irregularities through their regular monitoring. But since neither side is communicating with the other, nobody knows how much money is missing and at which bank the initial break-in occurred.
  5. Open bank accounts and/or incorrect account balances bring the flow of money to a standstill. Now the meltdown begins to move fast. Because the banks no longer trust their numbers, they may not close their books or know exactly what their customers’ balances are. Therefore, banks become reluctant to wire customer transactions. The flow of money stops.
  6. Trade comes to a halt. Without reliable payment infrastructure companies and businesses can no longer function properly. Supply chains come to a standstill and trading begins to sputter.
  7. Panic and mass withdrawals. The financial meltdown begins: Now everyone realizes that something is wrong. Many account holders immediately try to withdraw their money.
  8. The first banks collapses. The outflow of funds (customers’ savings) leads to liquidity shortages and the banks ‘collapse’.  Central banks normally help in such situations by providing banks with liquidity. But since no one knows exactly why something is wrong, and because many banks are effected at the same time, it becomes doubtful that central banks will be able to save the situation at all.
  9. The recovery of the backups fail. Since it is unknown exactly when the attack and the tampering began, there is an increased likelihood that the back-played backups are already corrupted too. A rapid recovery in business activity and decent banking operations are suddenly no longer possible.
  10. The ‘doomsday of the financial system’: weeks of bank holidays and a lack of public confidence. The financial institutions have no other option than to shut their systems down and proclaim a bank holiday. The industries’ envisaged “recovery time” of 2 hours degenerates into a farce. The financial meltdown and the unavailability of banking leads directly to the corresponding damage to the global economy. The long-term damage is even worse: The world’s confidence in the financial system has effectively been destroyed. In addition to the lengthy amount of work needed to find out what actually happened, it takes even longer to rebuild and restore public confidence, if such a thing is even possible any longer. It’s easy to imagine that such an incident could force the economy into a global recession and that market participants could walk away from the traditional financial institutions and turn to alternative clearing and payment systems.

Conclusion: phishing or social engineering are almost always the catalysts

financial meltdown with phishingThis bleak scenario is not so far-fetched. For us, it’s proven that if such a scenario unfolded, a successful phishing attack would be the catalyst. With phishing or other social engineering technical measures, attackers gain access to the networks and computer infrastructures of financial institutions. Once attackers gain access, they inject malware and the APT begins. And our twenty years of penetration-testing experience has shown that social engineering, along with malware, always leads to a successful infection.

Use LUCY Server to prevent successful phishing attacks

By using LUCY you increase employee awareness against cyber attacks and social engineering. Our people testing and technology assessment server can be installed on premise or be used in the cloud. The solution allows users to perform DIY

  • Phishing / SMiShing / Bad-USB simulations
  • Malware simulations
  • Ransomware simulations
  • SIEM stress tests
  • IT-security awareness education and training

A free community edition is available. We already have more than 2400 active installations. Just visit to learn more.  LUCY Security – Increase IT Security, maintain Cybersecurity Awareness and prevent the financial meltdown!



    1. IT-Security experts are expecting a major issue next year
    2. Carbanak steals more than 1 Bn 
    3. Carbanak: 8 Mio USD on average
    4. Bangladesh Hack 
    5. Bangladesh Swift Bank Hack
    6. Carbanak is still active  
    7. ATM-Jackpotting
    8. Policy: Two-hour recovery time 
    9. What is an APT?
    10. Phishing and Malware are always working together! – LUCY Manifesto

LUCY Functional Overview


LUCY in the Press

LUCY has received an incredible amount of press coverage in a variety of different publications. Thanks so much! We didn’t expect to receive so much wonderful attention in 2015.

*Updated JUN-27-2016 to reflect additional press coverage


IT-Security Basics: Hacking for Dummies