Phishing Awareness Quiz · Human-Layer Security

Phishing Awareness Quiz: how ready are your people for the next attack?

Free phishing awareness quiz for UK businesses. Covers email, social engineering and pretexting. Instant score with targeted training recommendations.

Frequently asked questions

What is a phishing awareness quiz and why does my organisation need one?

A free, scored self-assessment of your organisation's human-layer security: awareness training, phishing simulations, reporting, business email compromise (BEC) controls, technical defences and governance. You get a 0 to 100 readiness score and dimension-by-dimension feedback, anchored to NCSC guidance and Cyber Essentials. It is a starting signal for a board, not a substitute for a full review or audit.

Is this a real phishing simulation?

No. A phishing simulation sends safe, controlled test emails to your staff to measure who clicks and who reports. This quiz instead assesses whether you run simulations and the other controls around them. We can help you design a proper simulation programme as part of awareness support.

What counts as good cyber security awareness training?

NCSC guidance points to regular, relevant training for everyone, including leaders, not a one-off. The Cyber Security Breaches Survey 2025 (DSIT) found only 19% of UK businesses ran any staff training in the past year, so even a simple annual programme puts you ahead of most.

Why does the quiz focus so much on reporting, not just clicking?

Because reporting is the control you can most improve. People will always click sometimes (the Verizon 2024 DBIR found the median time to click a phishing link is around 21 seconds). What protects you is fast, blame-free reporting so the response can start before the damage spreads.

What is BEC and why is it in a phishing quiz?

Business email compromise is phishing aimed at money: fake invoices, CEO payment requests, supplier bank-detail changes. The FBI Internet Crime Complaint Center (IC3) reported close to 2.8 billion US dollars in BEC losses in 2024 alone. The defence is human and procedural (out-of-band verification, dual approval), so it belongs in a human-layer assessment.

Which frameworks is this based on?

NCSC "Phishing attacks: defending your organisation", the NCSC 10 Steps to Cyber Security (the engagement and training step), the UK Cyber Governance Code of Practice (DCMS, 2024), the NCSC Suspicious Email Reporting Service, and the five Cyber Essentials controls (NCSC and IASME). Sources are listed in the methodology note.

Is my score a certification or guarantee?

No. It is an honest self-assessment based on your own answers. It is not a Cyber Essentials certification, an audit, an assurance statement or a guarantee against attack. Treat it as a board-ready signal of where your human-layer effort should go next.

Do you store my answers or sell anything technical?

We capture your name, work email, company and consent so we can send your result context and relevant guidance. Starkhorn is an independent advisory consultancy. We do not sell phishing tools, training platforms, insurance or certification, and we take no commission, so the recommendations are not steering you towards a product.

How accurate is a self-assessment?

It is only as honest as your answers, and it cannot see what a real test would reveal. Its value is in surfacing the obvious gaps quickly and giving a board a shared, structured starting point. A real phishing simulation and a controls review are the next step, not this quiz.

What should we do with a low score?

Start with the cheapest, highest-impact fixes: MFA everywhere, a one-click report button with a named owner, and out-of-band verification for every payment or bank-detail change. Then build a simple annual training programme and begin phishing simulations that coach rather than blame. The result page points you to the relevant NCSC guidance, and Starkhorn can help you prioritise.