
Case Study: How Phishing Simulations Transformed Security Culture at Axiom Financial

  • Writer: Axiom Data Systems
  • Jan 10
  • 7 min read

Executive Summary

Axiom Financial, a mid-sized wealth management firm based in Charlotte, North Carolina, faced a critical challenge that many financial services organizations encounter: despite investing heavily in technical security controls, their employees remained vulnerable to sophisticated phishing attacks. With over 240 employees managing approximately $3.2 billion in client assets, a single successful phishing incident could have devastating consequences for both the firm and their clients. In early 2023, Axiom partnered with Abraxas Cyber Solutions to implement a comprehensive phishing simulation program that would fundamentally transform their security posture and employee awareness.


The Challenge

Axiom's Chief Information Security Officer, David Chen, recognized that his organization's greatest vulnerability wasn't their firewall or encryption protocols—it was human error. "We had all the right technology in place," Chen explained, "but we were still seeing employees click on suspicious links, download questionable attachments, and even respond to emails requesting sensitive information." The firm had experienced two near-miss incidents in the previous year in which employees came close to handing over their credentials in response to what appeared to be legitimate requests from senior executives. While their technical controls had ultimately prevented a breach, Chen knew they were operating on borrowed time.

The financial services sector is particularly attractive to cybercriminals, with phishing attacks becoming increasingly sophisticated and tailored to exploit industry-specific scenarios. Axiom needed more than generic security awareness training—they needed a solution that would test their employees in realistic conditions, identify specific vulnerabilities, and provide actionable intelligence to strengthen their human firewall. Traditional annual training sessions weren't moving the needle on actual behavior change, and Chen was searching for a partner who could deliver measurable results.


Why Abraxas Cyber Solutions

After evaluating several cybersecurity providers, Axiom selected Abraxas Cyber Solutions based on their specialized expertise in phishing simulations and their comprehensive approach to security awareness. Unlike vendors offering one-size-fits-all solutions, Abraxas demonstrated a deep understanding of the financial services industry and proposed a customized program that would address Axiom's specific risk profile. "What impressed us most was Abraxas's commitment to making this a learning experience rather than a punitive exercise," Chen noted. "They understood that our goal wasn't to embarrass employees who made mistakes, but to create a culture where everyone felt empowered to be part of our security defense."

Abraxas's methodology aligned perfectly with Axiom's needs. Rather than launching immediately into aggressive testing, the Abraxas team conducted a thorough assessment of Axiom's existing security awareness levels, analyzed their industry threat landscape, and developed a graduated program that would build skills progressively. This strategic approach, combined with Abraxas's reputation for excellent reporting and follow-through, made them the clear choice for this critical initiative.


The Abraxas Approach

Abraxas Cyber Solutions designed a twelve-month phishing simulation program for Axiom that would evolve in sophistication over time. The program began with baseline testing using relatively obvious phishing attempts to establish benchmark metrics and identify employees who needed immediate additional support. These initial simulations helped Abraxas understand the current state of awareness across different departments and roles within the organization. The results were eye-opening: the initial click rate was 34%, meaning more than one in three employees clicked on simulated phishing links.

The Abraxas team then implemented a multi-phase approach that combined regular simulated phishing campaigns with targeted micro-learning modules and personalized coaching. Employees who clicked on simulated phishing links weren't simply flagged—they immediately received brief, engaging educational content explaining what indicators they missed and how to recognize similar attempts in the future. This just-in-time training proved far more effective than traditional classroom-style sessions because it delivered relevant information precisely when employees were most receptive to learning from their mistakes.

Throughout the program, Abraxas gradually increased the sophistication of their simulations to mirror the evolving tactics used by real threat actors. Early campaigns used generic scenarios like fake package delivery notifications and password reset requests. As employee awareness improved, Abraxas introduced more sophisticated attacks including spear-phishing attempts that referenced actual Axiom projects, spoofed communications from real executives, and even simulated business email compromise scenarios targeting the finance department. This graduated approach ensured continuous improvement while preventing employee fatigue or cynicism about the program.


Real-World Scenarios and Industry-Specific Testing

One of the most valuable aspects of Abraxas's service was their ability to craft simulations that reflected actual threats facing the financial services industry. In month four of the program, Abraxas launched a simulation mimicking a regulatory compliance notification from the SEC, complete with professional formatting and language that closely resembled legitimate communications. This scenario was particularly relevant given Axiom's regulatory environment, and it successfully identified several employees who needed additional training on verifying regulatory requests.

Another sophisticated simulation involved a fake invitation to an industry conference that many Axiom employees regularly attended. The email included accurate details about the conference venue and speakers, making it highly believable. Employees who clicked were taken to a safe landing page that explained the simulation and highlighted the red flags they should have noticed, such as a slightly altered sender domain and an unusual urgency in the call-to-action. These realistic scenarios helped employees understand that phishing attacks could be extraordinarily convincing and that skepticism and verification should become habitual responses.
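The "slightly altered sender domain" red flag above is one that tooling can catch as well as people. The following is an added example, not code from Abraxas or Axiom: it checks a sender address against a constructed allow list of trusted domains, folds common homoglyph substitutions, flags a trusted name embedded in someone else's domain, and measures edit distance on the registrable label. The domain names, thresholds and sample senders are all assumptions made up for the illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed allow list of domains the firm legitimately sends mail from.
# Hypothetical placeholders, not Axiom's real domains.
TRUSTED_DOMAINS = {"axiomfinancial.com", "axiom-events.com"}

# Characters attackers commonly swap for visually similar ones. Applied to both
# sides before comparison, so "axi0mfinancial" and "axiomfinancial" collapse to
# the same string. Multi-character pairs run first.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


@dataclass(frozen=True)
class Verdict:
    address: str
    status: str          # trusted | lookalike | embedded-name | unknown | malformed
    matched: str | None  # trusted domain the sender resembles, if any
    reason: str


def normalize(label: str) -> str:
    label = label.lower()
    for bad, good in CONFUSABLE_PAIRS:
        label = label.replace(bad, good)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a value of 1 is a one-keystroke typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Simplification: take the last two labels. Production code should consult
    # the Public Suffix List (e.g. the tldextract package) so "firm.co.uk" works.
    return ".".join(host.lower().strip(".").split(".")[-2:])


def check_sender(address: str) -> Verdict:
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+)", address.strip())
    if not m:
        return Verdict(address, "malformed", None, "not a user@host address")
    host = m.group(1).lower()
    reg = registrable_domain(host)

    if reg in TRUSTED_DOMAINS:
        return Verdict(address, "trusted", reg, "registrable domain is on the allow list")

    # Trusted name buried inside an attacker-controlled host, e.g.
    # login.axiomfinancial.com.account-verify.net or notaxiomfinancial.com
    for t in TRUSTED_DOMAINS:
        if t in host and not host.endswith("." + t):
            return Verdict(address, "embedded-name", t, f"{t} appears inside {host}")

    # Near miss on the second-level label: homoglyphs, a dropped or added
    # character, an inserted hyphen, or the right name under the wrong TLD.
    label = reg.split(".")[0]
    best = None
    for t in TRUSTED_DOMAINS:
        d = edit_distance(normalize(label), normalize(t.split(".")[0]))
        if best is None or d < best[0]:
            best = (d, t)
    d, t = best
    # One edit tolerated for short names, two for longer ones (a judgement call).
    max_edits = 1 if len(t.split(".")[0]) < 8 else 2
    if d <= max_edits:
        return Verdict(address, "lookalike", t,
                       f"{reg} is within {d} edit(s) of {t} after homoglyph folding")
    return Verdict(address, "unknown", None, "no resemblance to a trusted domain")


def triage(addresses: list[str]) -> dict[str, str]:
    """Map each sender address to its verdict status."""
    return {a: check_sender(a).status for a in addresses}


if __name__ == "__main__":
    # Constructed sample senders; none of these hosts are real.
    for a in [
        "advisor@axiomfinancial.com",
        "helpdesk@mail.axiomfinancial.com",
        "compliance@axi0mfinancial.com",
        "events@axiom-financial.com",
        "security@axiomfinancial.co",
        "login@axiomfinancial.com.account-verify.net",
        "speaker@wealthsummit-conference.org",
    ]:
        v = check_sender(a)
        print(f"{v.status:14} {a:45} {v.reason}")
```

A check like this belongs in the mail gateway or the report-button triage workflow rather than in the inbox: it gives the security team a fast first pass over what employees report, and the "lookalike" and "embedded-name" verdicts double as concrete teaching material for the landing page that clicking employees see.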

Abraxas also tested Axiom's employees with simulated attacks delivered through multiple channels, including SMS phishing (smishing) and voice phishing (vishing) scenarios. This multi-channel approach reflected the reality that modern threat actors don't limit themselves to email. One particularly effective simulation involved a phone call claiming to be from the IT help desk requesting credential verification, which helped identify employees who might be vulnerable to social engineering over the phone.


Measuring Progress and Transforming Culture

The results of the Abraxas phishing simulation program exceeded Axiom's expectations. Over the twelve-month engagement, the organization's click rate on simulated phishing emails dropped from 34% to 6%, a 28 percentage-point fall that amounts to an 82% relative reduction in risky behavior. Equally impressive, the reporting rate (the percentage of employees who actively reported suspicious emails to the security team) increased from 12% to 47%. This dramatic improvement demonstrated that employees weren't just avoiding dangerous clicks; they were actively participating in the organization's security efforts.

Beyond the quantitative metrics, Axiom experienced a fundamental shift in security culture. Employees began voluntarily sharing information about suspicious emails they received in their personal lives and discussing security awareness with colleagues. The IT help desk reported a significant increase in employees calling to verify unusual requests before taking action, even when those requests appeared to come from legitimate sources. "We went from a culture of clicking first and asking questions later to one where healthy skepticism became the norm," Chen observed.

Abraxas provided Axiom with detailed monthly reports that broke down performance by department, role, and individual campaign. These reports allowed Chen and his team to identify patterns and tailor their supplementary training efforts. For example, they discovered that their youngest employees performed significantly better than average, likely due to greater familiarity with digital communication risks, while some senior advisors struggled with newer attack vectors. This intelligence enabled targeted interventions that addressed specific knowledge gaps rather than wasting resources on generic training that didn't address actual vulnerabilities.
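The click rate, reporting rate and relative reduction quoted above, and the per-department breakdowns described here, all come from the same per-recipient outcome records. The following is an added example, not Abraxas's reporting code: it rolls constructed outcome records up by campaign and by department, computes the two headline rates, distinguishes the relative reduction from the percentage-point drop, and pulls out repeat clickers as a coaching list. The campaign names, departments, user IDs and outcomes are all constructed sample data.

```python
from __future__ import annotations

from collections import defaultdict
from collections.abc import Callable, Iterable
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One recipient's result for one simulated phishing email (constructed record)."""
    campaign: str
    department: str
    user: str
    clicked: bool   # followed the link or opened the attachment
    reported: bool  # used the report button or forwarded it to the security mailbox


@dataclass
class Metrics:
    recipients: int = 0
    clicked: int = 0
    reported: int = 0

    @property
    def click_rate(self) -> float:
        return self.clicked / self.recipients if self.recipients else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.recipients if self.recipients else 0.0


def summarize(rows: Iterable[Outcome], key: Callable[[Outcome], str]) -> dict[str, Metrics]:
    """Roll recipient outcomes up by whatever key the report needs."""
    out: dict[str, Metrics] = defaultdict(Metrics)
    for r in rows:
        m = out[key(r)]
        m.recipients += 1
        m.clicked += int(r.clicked)
        m.reported += int(r.reported)
    return dict(out)


def by_campaign(rows: Iterable[Outcome]) -> dict[str, Metrics]:
    return summarize(rows, lambda r: r.campaign)


def by_department(rows: Iterable[Outcome], campaign: str) -> dict[str, Metrics]:
    return summarize((r for r in rows if r.campaign == campaign), lambda r: r.department)


def relative_reduction(before: float, after: float) -> float:
    """(before - after) / before, the figure quoted as 'an N% reduction'.
    Not the same as the percentage-point drop, which is simply before - after."""
    return (before - after) / before if before else 0.0


def repeat_clickers(rows: Iterable[Outcome], min_campaigns: int = 2) -> list[str]:
    """Users who clicked in at least min_campaigns distinct campaigns:
    the coaching list, not a disciplinary one."""
    clicks: dict[str, set[str]] = defaultdict(set)
    for r in rows:
        if r.clicked:
            clicks[r.user].add(r.campaign)
    return sorted(u for u, c in clicks.items() if len(c) >= min_campaigns)


# Constructed sample: six recipients across three departments, two campaigns.
SAMPLE = [
    Outcome("baseline", "Advisory", "u1", clicked=True, reported=False),
    Outcome("baseline", "Advisory", "u2", clicked=True, reported=False),
    Outcome("baseline", "Finance", "u3", clicked=True, reported=False),
    Outcome("baseline", "Finance", "u4", clicked=False, reported=True),
    Outcome("baseline", "Operations", "u5", clicked=False, reported=False),
    Outcome("baseline", "Operations", "u6", clicked=False, reported=False),
    Outcome("month-12", "Advisory", "u1", clicked=True, reported=False),
    Outcome("month-12", "Advisory", "u2", clicked=False, reported=True),
    Outcome("month-12", "Finance", "u3", clicked=False, reported=False),
    Outcome("month-12", "Finance", "u4", clicked=False, reported=True),
    Outcome("month-12", "Operations", "u5", clicked=False, reported=True),
    Outcome("month-12", "Operations", "u6", clicked=False, reported=True),
]


if __name__ == "__main__":
    camps = by_campaign(SAMPLE)
    for name, m in camps.items():
        print(f"{name:10} click {m.click_rate:6.1%}  report {m.report_rate:6.1%}  (n={m.recipients})")
    first, last = camps["baseline"], camps["month-12"]
    print(f"relative reduction in click rate: "
          f"{relative_reduction(first.click_rate, last.click_rate):.0%}")
    for dept, m in by_department(SAMPLE, "baseline").items():
        print(f"  baseline/{dept:11} click {m.click_rate:6.1%}")
    print("repeat clickers:", repeat_clickers(SAMPLE))
```

Two details matter when these numbers are reported to a board or an examiner: a campaign's denominator is the recipients of that campaign, not headcount, so campaigns of different size or difficulty are not directly comparable; and the relative reduction (82% for the 34%-to-6% figures on this page) is a different statistic from the 28-point absolute drop, so the report should say which one it is quoting.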


The Business Impact

The improved security awareness delivered tangible business benefits beyond reduced click rates. During the program, Axiom employees identified and reported three actual phishing attempts that had bypassed the organization's email filters. In one instance, an employee received what appeared to be a wire transfer request from a client—a business email compromise attempt that could have resulted in significant financial loss. Because of the awareness developed through Abraxas's simulations, the employee recognized suspicious elements in the request and reported it to the security team before taking any action.

The program also supported Axiom's compliance obligations and risk management efforts. As a registered investment advisor, Axiom must maintain robust cybersecurity programs and demonstrate ongoing employee training. The comprehensive documentation provided by Abraxas, including training completion rates, simulation results, and remediation efforts, proved invaluable during regulatory examinations. Examiners were particularly impressed by the organization's proactive approach and the measurable improvements in employee security behaviors.

From a cost perspective, the investment in Abraxas's phishing simulation program represented a fraction of what a successful breach could cost Axiom in terms of regulatory fines, client notification expenses, reputational damage, and potential litigation. Chen estimated that preventing just one successful business email compromise attack would more than justify the entire annual cost of the Abraxas engagement.


Lessons Learned and Best Practices

Reflecting on the program's success, Chen identified several factors that contributed to positive outcomes. First, executive sponsorship was crucial. Axiom's CEO participated in the simulations alongside all other employees and publicly discussed the importance of security awareness in company meetings. This top-down commitment sent a clear message that cybersecurity was a business priority, not just an IT concern.

Second, the decision to frame the program as educational rather than punitive proved essential. Employees who clicked on simulated phishing links were not disciplined or publicly called out. Instead, they received supportive, constructive guidance on improving their awareness. This approach created psychological safety that encouraged employees to report mistakes and ask questions without fear of embarrassment or retaliation. As one employee shared in an internal survey, "I actually appreciate the phishing tests now because they help me stay sharp without the real-world consequences of making a mistake."

Third, the partnership with Abraxas provided expertise that Axiom couldn't have developed internally. The Abraxas team stayed current on emerging phishing techniques, understood how to craft realistic scenarios without causing undue stress or confusion, and provided valuable benchmarking data that helped Axiom understand how their performance compared to industry peers. This external perspective and specialized knowledge elevated the program beyond what could have been achieved with internal resources alone.


Looking Forward

Following the success of the initial twelve-month program, Axiom has continued their partnership with Abraxas Cyber Solutions with a renewed commitment for ongoing phishing simulations and expanded cybersecurity services. The second phase of the program incorporates even more sophisticated scenarios, including coordinated multi-channel attacks and simulations designed to test specific incident response procedures. Abraxas has also helped Axiom develop a security champion program, where employees who consistently demonstrate excellent security awareness receive additional training and become advocates for cybersecurity best practices within their departments.

Chen and his team have also begun sharing their success story with industry peers, participating in financial services security forums to discuss the importance of human-focused security controls. "Technology alone will never solve the cybersecurity challenge," Chen emphasizes in these presentations. "We need to invest in our people and make them true partners in protecting our organizations. Abraxas gave us the tools and methodology to make that happen."

The phishing simulation program has become a cornerstone of Axiom's overall cybersecurity strategy, complementing technical controls with a resilient, aware, and engaged workforce. As phishing attacks continue to evolve in sophistication, Axiom feels confident that their partnership with Abraxas Cyber Solutions positions them to adapt and maintain strong defenses against this persistent threat. The transformation from a vulnerable organization with a 34% click rate to a security-conscious culture with robust reporting and verification practices demonstrates the power of comprehensive, expertly managed phishing simulations to create lasting organizational change.



For more information about how Abraxas Cyber Solutions can strengthen your organization's defenses through realistic phishing simulations and comprehensive cybersecurity services, contact our team today. Let us help transform your employees into your most effective security asset.

