How Can Singapore SMEs Run Free Phishing Simulations with IMDA's Cyber2SME Programme?
Singapore SMEs can run phishing simulations at little to no cost through IMDA's Cyber2SME initiative, which packages SME-friendly cyber resources — including simulated phishing exercises — so that lean teams can test how their staff respond to realistic scam emails before a criminal does. A simulation sends a harmless fake phishing email to your team, tracks who clicks, and gives you a clear picture of your real exposure. For a 10-to-50-person company with no IT department, it is the single highest-value cyber exercise you can run this quarter, because it tests the layer attackers actually target: your people.
Why is a phishing simulation more useful than another security briefing?
Most SME cyber training fails for a simple reason: it is abstract. Staff sit through a slide deck about "suspicious links," nod along, and go back to clearing 80 emails a day. Under time pressure, the brain falls back on habit — and the habit is to click.
A phishing simulation replaces theory with evidence. Instead of asking "would our team fall for a scam email?", you find out. Typical first-run results across SMEs are sobering: it is common for 20–30% of employees to click a well-crafted simulated phish, and for a meaningful share to go further and enter credentials on the fake login page. That number is not a reason for shame — it is a baseline. And baselines are what let you improve.
This matters more in 2026 than ever. As we covered in our earlier post on why SMEs have become ransomware soft targets, attackers have shifted downmarket: large enterprises have hardened, so phishing kits and ransomware affiliates now aim at smaller firms with valuable data and thin defences. The opening move in the overwhelming majority of those incidents is a phishing email.
What does IMDA's Cyber2SME initiative actually give you?
Cyber2SME is IMDA's umbrella effort to make cybersecurity practical for small businesses, sitting alongside the broader Digital Enterprise Blueprint expansion announced in May 2026. For phishing specifically, the value is threefold:
- Self-assessment and awareness resources that help you understand your current posture before you test it.
- Access to phishing simulation exercises designed for SMEs — pre-built scam templates localised to the Singapore context (fake IRAS notices, delivery rescheduling scams, bank alerts, fake invoice approvals) rather than generic Western templates your staff would spot instantly.
- A path to follow-up support, including pointers toward the Cyber Essentials mark and programmes such as the Singtel Cyber Protect Programme run with ESG and IMDA backing, which bundle managed protection for firms that want ongoing cover rather than a one-off exercise.
The practical effect: instead of paying a global vendor US$2,000+ a year for a simulation platform sized for enterprises, an SME can start with supported, Singapore-relevant exercises and only graduate to paid tooling if the scale demands it.
How do you run your first phishing simulation without demoralising your team?
The biggest risk in a phishing simulation is not technical — it is cultural. Done badly, it feels like entrapment, staff feel humiliated, and your next genuine security request meets resistance. Done well, it becomes a shared game of "beat the scammer." Follow four rules:
1. Tell leadership, not staff. Owners and managers should know a simulation is coming (and should be included as targets — directors are phished more than anyone). Staff should not know the date, or the test measures nothing.
2. Start with a medium-difficulty template. A misspelled, obviously fake email teaches nothing; a flawless spear-phish on day one just demoralises. A realistic delivery-notification or invoice-approval email is the right opening difficulty for most teams.
3. Make the landing page a lesson, not a verdict. Anyone who clicks should land on a short, friendly page: "This was a simulation. Here are the three signs you missed." Sixty seconds of teaching at the exact moment of the mistake is worth more than an hour of slides.
4. Never publish individual names. Report results as percentages to the whole company. The goal is a lower click rate next quarter, not a wall of shame. The one exception: repeat clickers in high-risk roles (finance, anyone with admin access) should get quiet, additional coaching.
What should you do with the results?
A simulation that ends with a report nobody acts on is theatre. Treat the click rate as the start of a 30-day fix cycle:
- Week 1: Share the anonymised results and run a 30-minute debrief showing the actual email used and the tells staff missed.
- Week 2: Close the technical gaps the simulation exposed. If people entered credentials, multi-factor authentication on email and accounting systems is no longer optional — it goes in this week.
- Week 3: Fix the process gaps. Most invoice-fraud phishing works because there is no rule that payment detail changes must be verified by phone. Write that rule. Two sentences in your SOP can stop a five-figure loss.
- Week 4: Schedule the next simulation for the following quarter, with a harder template. Falling click rates across quarters are the metric that tells you training is working.
This cadence also produces exactly the evidence of "cyber hygiene practices" you need if you pursue CSA's Cyber Essentials mark — a certification we have argued is worth it for SMEs bidding for corporate or government work. Simulation records, training logs and an MFA rollout tick several of its requirements in one motion.
How does this fit your broader 2026 funding picture?
Phishing simulations are deliberately cheap, but the remediation work they trigger — MFA rollout, endpoint protection, email security gateways, managed detection — can be funded rather than paid out of pocket. PSG's 2026 expansion covers pre-approved cybersecurity and AI-enabled solutions, the Singtel Cyber Protect Programme offers a subsidised managed route, and training for your team can draw on SkillsFuture support, including the SFEC balance many firms still hold ahead of the H2 2026 EWTP transition. The sensible sequence: simulate first (nearly free), then spend grant money on the specific gaps the simulation proves you have — not on a generic security bundle a vendor wants to sell you.
Frequently Asked Questions
How often should an SME run phishing simulations?
Quarterly is the sweet spot for most SMEs. Annual tests let habits decay; monthly tests breed fatigue and resentment. Run one each quarter, vary the template style each time, and track the click rate as a trend rather than judging any single result.
Is it legal to send fake phishing emails to my own staff in Singapore?
Yes — simulations sent by an employer (or its appointed vendor) to staff for training purposes are a recognised security practice, and government-supported programmes like Cyber2SME exist precisely to encourage them. Good practice is to note in your employee handbook or IT policy that security testing, including simulated phishing, may occur. Avoid templates that impersonate real colleagues' personal identities or touch sensitive personal matters.
My team is only six people. Is a simulation still worth it?
Arguably more so. In a six-person firm, one compromised mailbox can expose the entire customer base and the company bank account, and there is no IT department to catch it. The exercise takes one person an afternoon to set up, and the follow-up conversation can happen over a single lunch. Small teams also change behaviour fastest — a six-person firm can go from 30% click rate to near zero in two quarters.
Ready to Transform Your Business?
Let Digital Perpetual help you automate, streamline, and grow.
Get Started with Digital Perpetual →