Store · Security Awareness & Human Risk
Your most expensive attack of the year will not force your door. It will be invited in, in one click, by someone on your team.
Your backups, your antivirus and your firewall guard the machines. But the scam that costs you today does not break into a server: it sends a perfect email to a person, in a rushed moment, and asks for just a click, a password or a payment. The person is not the weak point for being careless. It is because no one ever let them practice against an attack built to fool exactly them.
Almost six in ten breaches today involve the human element: a person deceived, manipulated or who made a mistake (Verizon, Data Breach Investigations Report, 2025).
Phishing and impersonation are the single most reported type of digital crime, and one click can hand over the keys to the company (FBI, Internet Crime Complaint Center, 2024).
Business email compromise, where the scammer poses as a boss or supplier, cost companies about 2.8 billion dollars in a single year (FBI, 2024).
If a perfect email landed today in your team's inbox, asking for an urgent payment in a director's name, how many people would stop to confirm, and how many would just want to help quickly?
The real problem
Your security guards the machines. The scam comes in through the person, through the door that opens from the inside
The modern attack does not try to break your technical defense: it convinces a trusted person to open the door from the inside. Here is where the lack of practice and training costs you, and almost always when it is already too late:
The email that looked like it was from the boss
Someone in finance gets an urgent email, with a director's name and writing style, asking for an unusual payment or a change to a supplier's bank details. The person wants to help, acts fast, and the money goes to the scammer's account. By the time the fraud is found, the money almost never comes back.
The invoice with swapped bank details
An invoice arrives looking like one from a regular supplier, but with the destination account swapped. No one suspects anything, the payment goes out, and weeks later the real supplier asks for the same bill that was never paid. The company paid twice, and one of those went to a criminal.
The password typed into the fake page
An employee gets a notice that they need to sign in to email again and clicks a link that opens a perfect copy of the Microsoft 365 login screen. They type their username and password, and hand the credentials to the attacker, who then reads the company's email, resets access and moves across the network as if they were the person themselves.
The click that opens the door to ransomware
A seemingly harmless attachment or link is opened, and ransomware begins: the company's files are scrambled, work stops, and a ransom demand appears. The technical tools then fight to contain what a person, without meaning to, let in. The cheapest defense would have been the reflex of not clicking.
The annual training no one remembers
The company ticks the training box: a video shown in January that no one remembers in June. It changed an attendance certificate, not the behavior. The next phishing wave finds exactly the same open door, with the same people, in the same blind spot, because awareness is not an event, it is a habit you build.
None of these scenes is a lack of intelligence from whoever clicked. It is the lack of practice against an attack built to fool exactly that person, in that moment. That is exactly what simulation and ongoing training give your team, before the next real email arrives.
What it is
Your team stops being the open door and becomes your human firewall
Phishing Simulation and Security Awareness Training is the program that trains your company's people to recognize and stop the scams that arrive by email, phone and web. Instead of hoping no one clicks, your team practices against realistic attacks in a safe environment, gets short training exactly when they need it, and has their human risk measured person by person. It is the missing layer: the tools guard the machines, this program prepares the people who decide whether or not to open the door. Zamak sets it up, translates it into your language and supports all of it, under your brand.
Safe practice against the real attack
Your team meets the scam in a safe lab, in realistic email, phone and web simulations, instead of for the first time in a real attack. Whoever slips is not punished or exposed: the moment of the mistake becomes, right there, a lesson of a few minutes. The person learns with no harm done, and what would have been a fraud becomes practice.
The training that changes the habit, in your language
Instead of an annual video no one remembers, modules of a few minutes, in your language, automatically assigned to whoever slips, at the exact moment it makes sense. Short, constant content builds the reflex to doubt, check and report. Awareness stops being a once-a-year event and becomes part of the company's routine.
Human risk measured, and falling
You start seeing human risk by person and by team, and watch it fall with each practice cycle. Instead of a vague sense of being ready or not, there is an objective picture: who needs more training, where the blind spot is and how much the company improves over time. It is the proof, for the board, the insurer and the client, that the human factor is managed, not left to luck.
Not sure how your team would react to a real phishing email today? Zamak's free phishing test shows the first signs in a few minutes.
What is included
The practice and training the team uses, set up and supported by Zamak
The program is not a loose course or a piece of software dropped on HR. It is a complete platform, in your language and under your brand, that Zamak sets up, connects to your environment and keeps current, for your team to use day to day.
The practice and the training, in your language
Everything your team meets: the realistic simulations and the short training at the right moment.
- Realistic phishing simulations by email, by phone and through fake web pages, with ready scenarios in your language.
- A library of training modules of a few minutes, in video with a short quiz at the end.
- The right training automatically assigned to whoever falls for a simulation, at the exact moment of the slip.
- Game elements that engage the team: rankings, achievements and certificates for those who improve.
- A button for the person to report a suspicious email with one click, inside their own email.
The setup, the brand and the measurement, by Zamak
Everything that makes the program work underneath: the connection, your brand and the risk picture.
- The whole platform under your brand, in your team's language, without the look of an imported tool.
- The connection to your Microsoft 365 or Google Workspace, which keeps the list of people always current.
- Delivery of the simulations straight to the inbox, so the test is as honest as the real attack.
- The human risk dashboard, with a score per person and per team and the progress over time.
- The setup, the translation into your language and the ongoing support, alongside your team.
Tech specs
How the program works, under the hood
For those who want to look under the hood: the platform covers three simulation channels (email, voice and web), brings more than 130 ready scenarios and 60 training modules of under 10 minutes, in 75 languages, including Brazilian Portuguese. See the simulation channels, the training library, how the attack reaches the inbox, the integrations and what you can measure.
The three simulation channels
The simulation covers the three paths the scam arrives through: email, with more than a hundred and thirty ready scenarios; voice, with calls driven by artificial intelligence that hold a convincing conversation; and the web, with custom fake pages. Each test records the click, the password typed, the attachment opened and the reply, so you see exactly where the team is exposed.
The ongoing training library
There are sixty training modules of under ten minutes each, in video with a short quiz to reinforce, available in seventy-five languages, including Brazilian Portuguese. Whoever falls for a simulation gets the right module for that mistake right away, and the company builds tracks by role and by risk level, without having to gather everyone in a room.
Direct delivery to the inbox
The simulation is delivered straight to the inbox through the Microsoft 365 programming interface, without relying on allowlisting addresses and without landing in the spam folder. This makes the test honest: the email arrives the way a real attack that slipped past the filter would, not an exercise everyone knows is fake.
The integrations with your environment
The platform connects to Microsoft Entra ID and Microsoft 365, to Google Workspace and to the other tools the company already uses, so the list of people stays current with no manual work. It includes add-ins for Outlook and Gmail that give the person the report button, single sign-on and webhooks to wire the program into your own systems.
Human risk management
Each simulation and each training feed a dashboard that gives a risk score to each person and each team, shows the progress over time and compares your result to the industry average. Instead of guessing where the blind spot is, the manager sees who needs more practice and watches human risk fall with each cycle.
Native Portuguese and your brand
The whole experience, from simulations to reports, stays in your language and under your company's brand, with the option of a custom domain. The person never sees a reference to an outside vendor: they see a program from their own company, which makes the practice more believable and the report ready to present to the client, the insurer and the board.
The program is billed per employee, in a single subscription that brings together the simulation, the training and the risk measurement, which keeps the cost predictable as the team grows. The platform that holds and processes the data is independently audited to SOC 2 Type 2, complies with the GDPR and undergoes annual penetration testing.
It is the difference between hoping no one clicks and having a team that practices, recognizes the scam and reports it, with human risk measured and falling.
Take this documentation to present to decision-makers.
How it compares
Ongoing practice, next to the common ways of handling the human factor
Most companies handle the human factor in one of two ways: they do nothing beyond an occasional HR memo, or they tick the box with a compliance video once a year. See what changes with safe practice and ongoing training.
How people meet the attack
Zamak's delivery
Zamak's simulation and ongoing training
In a safe simulation, before the real scam
Nothing beyond an HR memo
For the first time in the real attack
The annual compliance video
In a video, outside the real context
When the training arrives
Zamak's delivery
Zamak's simulation and ongoing training
At the moment of the slip, short and specific
Nothing beyond an HR memo
It never really arrives
The annual compliance video
Once a year, generic
The language and the brand
Zamak's delivery
Zamak's simulation and ongoing training
Your language, under your brand
Nothing beyond an HR memo
Does not apply
The annual compliance video
Often translated and imported
What you can measure
Zamak's delivery
Zamak's simulation and ongoing training
Human risk per person and the progress
Nothing beyond an HR memo
Nothing
The annual compliance video
Only who watched the video
The proof for insurer, client and auditor
Zamak's delivery
Zamak's simulation and ongoing training
A managed human risk report
Nothing beyond an HR memo
None
The annual compliance video
An attendance certificate
The effect on behavior
Zamak's delivery
Zamak's simulation and ongoing training
Becomes a reflex and falls each cycle
Nothing beyond an HR memo
The same mistake repeats
The annual compliance video
Forgotten in a few weeks
Comparison between the common ways of handling the human factor in the market. The Zamak column describes only what we deliver and run for you.
From risk to impact
From the deceived click to business impact
An email poses as a director and asks for an unusual urgent payment.
The money is transferred to the scammer and almost never comes back (about 2.8 billion dollars in a year, FBI, 2024).
How the program responds
The team has already practiced this scam in the simulation and stops at the reflex of confirming through another channel before paying.
An employee types their password into a perfect copy of the Microsoft 365 login screen.
The attacker logs in with a valid credential, reads the emails and moves across the network as if they were the person.
How the program responds
The trained reflex recognizes the fake address and the person reports the email with one click, before typing the password.
The company did training with an annual video no one remembers months later.
Nothing changes in behavior, and the next phishing wave finds exactly the same open door.
How the program responds
Ongoing micro-training, assigned at the moment of the slip, turns awareness into a habit that lasts.
A large client or the insurer asks how the company handles the human factor.
There is nothing to show, and the contract or the policy is at risk over an unmet requirement.
How the program responds
A managed human risk report, with documented progress, answers the question with proof.
In all these cases, what changes is not luck. It is a team that practiced, recognizes the scam and reports it, before the real email arrives.
For every role
What changes for each role in your company
The same human layer, read through the eyes of whoever decides, owns the cost and runs the environment.
Owner and founder
Build it, protect it, grow its value.
The scam that most threatens the wealth you built comes in through a person, in one click. With your team trained, human risk measured and falling, and the proof in hand, protection stops being a bet and starts opening doors: it closes deals that require security, helps keep the company insurable and lowers the risk of a costly fraud, which weighs in your favor on the company's value.
Manager and director
Predictable cost. No surprises.
The human factor stops being your biggest invisible worry and becomes a number you present with confidence. For a fraction of what a single fraud would cost, you get the risk measured, the progress documented and the peace of mind of answering client questionnaires and insurer requirements without scrambling, with the proof in order.
IT lead and team
A secure extension of your team.
You stop being the lonely last line against the click. People become a filter that catches what slips past the technical tools, and whoever slips gets training right away, without you having to chase each one. It runs on the Microsoft 365 you already have, you stay in command, and you gain the human risk data to justify the security investment upstairs.
IT partner and provider
Offer awareness under your brand.
Bring your clients phishing simulation and awareness training under your own brand, in their language, without building the platform, the content and the operation yourself. You enter the conversation with the program ready, become the partner who also handles the human factor, and preserve the relationship; Zamak runs the backline at your side.
Why Zamak
Why Zamak
The human layer only works when it is run with care, in the team's language and alongside the technical defense, not as an imported tool dropped on HR. Zamak sets up the platform, translates it into your language, connects it to your Microsoft 365 and keeps it all current, alongside whoever already runs your IT and security, never in their place. The same team that protects your machines now helps protect your people, and the two layers complete each other.
In the end, it is the difference between hoping no one clicks, waiting for the next real email to arrive, and having a team that practiced, recognizes the scam and reports it, with human risk measured and the proof in hand.
Serving companies that cannot stop · Microsoft Solutions Partner · Addee (N-able) Elite Group · Great Place to Work.
Zamak runs the human layer alongside your technical defense, and the platform that processes the data is independently audited for security and privacy.
Frequently asked questions
Frequently asked questions
See also Managed Security Awareness Program (Zamak runs it for you) · Managed Email Security · Zamak managed cybersecurity
Start now
Stop hoping no one clicks. Start training your team against the real scam.
In a few weeks, your company goes from a team that never practiced to a human firewall: safe practice, training in your language at the moment of the slip and human risk measured and falling, under your brand. Talk to Zamak and watch the next scam email arrive with your team already prepared.
Request a proposal
Tell us in a few fields the size of your team and your moment. With no need to replace what you already use, a specialist from your country sizes the program and the price with you.
Talk to a specialist
Prefer to talk first? Book a conversation and we will understand your moment, the size of your team and what is at stake for your business.
Take the free phishing test
See in a few minutes how your team would react to a real phishing email, with no risk. It is the first picture of your human factor, and the starting point of the conversation.