
Nobody Can Resist Chocolate: What Our Latest Easter Phishing Campaign Showed Us

By: Sandie Thieu Bui | Cyber Security, Phishing Training | 29 April

Every Easter, we run an Easter-themed phishing simulation for some of our customers.

Every year, we learn something new about human behavior under pressure.

This Easter proved it once again: free chocolate is still all it takes to get access.

Here's what we keep seeing, and why it still surprises us.

What the email looked like

We ran a simulated phishing email campaign across multiple organizations during Easter.

The premise was simple: employees received a personalized email telling them their company had partnered with a benefits portal, and that they could log in to choose a free chocolate Easter egg. Limited quantities. Act fast.

The email was polished. The branding looked legitimate. The offer felt plausible. And crucially, it arrived at exactly the right moment, when people are already thinking about Easter, already in a slightly distracted, pre-holiday headspace.

It was, in other words, a very good phish.

[Figure: the simulated Easter campaign email]

The numbers

Across the organizations, click rates on the phishing email peaked at 21.7%, with a strong cluster in the 8–15% range.

But the click rate isn't even the most striking number.

The data submit rate peaked at 23.8%.

In other words, 23.8% of the employees didn't just click. They took it a step further and actively entered their information into a fake login page to claim a chocolate egg.

And here's the detail that should concern every security leader: some employees did report the email, but nowhere near enough of them. Most organizations saw reporting in the 1–7% range.

So, for every person who flagged the email, several others had already clicked through and handed over their information.

The safety net existed, but it had big holes in it.

Why it worked

This wasn't a sophisticated technical attack.

It worked because it was psychologically well-constructed. We identified six reasons why employees fell for it:

  1. A reward was on offer. People respond to gifts. The promise of something free and personal lowers critical thinking almost immediately. Especially something as universally liked as chocolate.
  2. It felt easy. The action required was minimal. Just log in and pick your egg. Low friction = high conversion.
  3. Urgency was baked in. "Limited quantities available" is one of the oldest tricks in the book, and it still works. The fear of missing out overrides the instinct to pause and verify.
  4. The email looked legitimate. Near-perfect grammar, a plausible partnership story, personalized greeting. There were no obvious red flags to catch.
  5. The timing was perfect. Easter is already on people's minds. An Easter-themed email in the week before the holiday doesn't feel out of place. It feels timely.
  6. Trust was established upfront. The email referenced a company partnership, implying internal sign-off. If someone senior approved it, surely, it would be fine?

Each of these factors alone is enough to get some people clicking. Combined, they created a near-irresistible package.

The gap between organizations

One of the most instructive parts of the data isn't the peak numbers. It's the spread.

Some organizations came through with 0% click rates and 0% submit rates. Others hit 20%+ on both.

That gap is significant, and it isn't random.

The organizations that performed best tend to be those running regular, ongoing security awareness training. Not just a one-time annual session, but a consistent, drip-fed education that keeps phishing recognition sharp.


The Uncomfortable Truth

We'd like to tell you that the solution is simply to train your employees to never click unexpected links. But reality is more nuanced than that.

The best phishing emails used in real life are designed to exploit moments when our brains are not in security mode. An offer of a free gift, arriving at a culturally relevant moment, from what appears to be a trusted source, will catch people off guard.

That's not a failure of intelligence. It's a feature of being human.

What training does is shorten the window. It gives people a reflex. A moment of "wait, let me check this" before they act.

The organizations in our dataset with near-zero rates didn't get there because their employees are smarter.

They got there because they had been trained, repeatedly, to notice the feeling of being nudged. And to treat it as a signal to slow down.

What To Do About It

If you looked at those numbers and thought "that sounds like it could happen to us", here's where to start:

Run simulations regularly. A phishing test once a year tells you very little. Monthly or quarterly simulations, varied in theme and format, keep awareness active rather than theoretical.

Use seasonal and topical lures. Real attackers do, so your simulations should too. Easter eggs today, summer holiday offers in July, Black Friday deals in November. If your training only covers generic phishing, your employees are underprepared for the real thing.

Watch the submit rates, not just click rates. Clicking a link is bad. But handing over information is worse. It’s a potential breach. Track both and treat the submit rate as your primary risk indicator.

Make reporting easy and celebrated. Reporting happened. But in most organizations it was outpaced 3 or 4 to 1 by people who clicked or submitted. That ratio matters. If only a fraction of your employees flags a phishing email, your security team is working with an incomplete picture. Reporting should feel easy and low stakes, not embarrassing.

Celebrate the reporters. Make it clear that flagging a phish is exactly the right behavior. Even if it turns out to be a false alarm.

Don't shame the clickers. Punitive responses to phishing failures make people less likely to report future incidents. The goal is behavior change, not blame.
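The metrics above (click rate, submit rate, report rate, and how far reporters are outpaced by people who clicked or submitted) are easy to get wrong if you only look at the raw click count. The script below, an added example that is not from the original post or from any simulation platform, computes them per organization from a constructed set of per-recipient results and ranks organizations by submit rate, the indicator the post recommends treating as primary. The event layout and the organization names are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample results (not real campaign data): one tuple per recipient:
# (organization, recipient id, clicked the link, submitted data on the fake login
#  page, reported the email to the security team)
Event = Tuple[str, str, bool, bool, bool]
SAMPLE_EVENTS: List[Event] = [
    ("org-a", "a1", True,  True,  False),
    ("org-a", "a2", True,  False, False),
    ("org-a", "a3", False, False, True),
    ("org-a", "a4", False, False, False),
    ("org-a", "a5", True,  True,  False),
    ("org-b", "b1", False, False, True),
    ("org-b", "b2", False, False, True),
    ("org-b", "b3", False, False, False),
    ("org-b", "b4", False, False, False),
]

@dataclass
class OrgMetrics:
    recipients: int
    click_rate: float       # percent of recipients who clicked the lure link
    submit_rate: float      # percent who entered data on the fake login page
    report_rate: float      # percent who flagged the email
    outpaced_by: Optional[float]  # (clicked or submitted) per reporter; None if nobody reported

def summarize(events: Iterable[Event]) -> Dict[str, OrgMetrics]:
    """Aggregate per-recipient results into per-organization rates."""
    by_org: Dict[str, List[Tuple[bool, bool, bool]]] = defaultdict(list)
    for org, _user, clicked, submitted, reported in events:
        by_org[org].append((clicked, submitted, reported))
    metrics: Dict[str, OrgMetrics] = {}
    for org, rows in by_org.items():
        n = len(rows)
        clicked = sum(1 for c, _, _ in rows if c)
        submitted = sum(1 for _, s, _ in rows if s)
        reported = sum(1 for _, _, r in rows if r)
        # A recipient who clicked or submitted is counted once as "compromised",
        # which keeps the reporter ratio from double-counting submitters.
        compromised = sum(1 for c, s, _ in rows if c or s)
        metrics[org] = OrgMetrics(
            recipients=n,
            click_rate=round(100.0 * clicked / n, 1),
            submit_rate=round(100.0 * submitted / n, 1),
            report_rate=round(100.0 * reported / n, 1),
            outpaced_by=(compromised / reported) if reported else None,
        )
    return metrics

def rank_by_submit_rate(metrics: Dict[str, OrgMetrics]) -> List[str]:
    """Order organizations by submit rate, highest risk first."""
    return sorted(metrics, key=lambda org: metrics[org].submit_rate, reverse=True)
```

An `outpaced_by` of 3.0 means three people clicked or submitted for every one who reported, the kind of ratio the post describes; `None` means the email drew no reports at all, which is worth treating as its own warning sign.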


A Final Note

We share this data not to embarrass anyone. Chocolate is genuinely hard to resist. But the numbers make a compelling case for taking security awareness seriously as an ongoing discipline rather than a one-time exercise.

The attackers running real campaigns this Easter used exactly these techniques. The only difference between our simulation and a genuine attack is that we told you about it afterwards.

Next time, a real attacker won't.