case study

WaterAid automates clean and safe inboxes with Hoxhunt

Client logo

WaterAid is an international not-for-profit, determined to end the global water, sanitation and hygiene crisis for everyone, everywhere.

Location: Based in 34 countries including  the UK, Canada USA, Australia, India, Japan, Sweden

Employees: 2,000


As a global non-profit, Wateraid receives numerous phishing attacks across a large attack surface and, after stagnant results with a legacy SAT tool, the IT Security Team sought to maximize their resilience with minimal resources.


Within months of launching Hoxhunt and integrating the threat feed with Abnormal Security’s email gateway, a pair of Hoxhunt users caught a phishing attack, which was remediated and removed from the system within seconds by the SOC team, demonstrating next-level behavior change and risk reduction that has continued to improve.

Key takeaways:
Featured image


  • Success rate: 60% (doubled from baseline)
  • Failure rate: decreased 50%
  • Real threat detection: increased 162% in the past 181 days, for which data is available. Increase from baseline is higher.
“I’m so confident in our staff now with Hoxhunt that if people ask me how many cybersecurity officers I've got, I say ‘2000.’ I know that everybody is going to be reporting threats and doing their job. We're flipping that human layer from being the biggest weakness to the biggest strength.” -- Mark Sedman, Global Headof Cybersecurity

Resilience without resources: Integration and automation

Cybersecurity used to keep Global Head of Cybersecurity, Mark Sedman up at night. But that was before he started using Hoxhunt.

The thing that really stands out about Hoxhunt is the light touch. It’s all automated and it’s always delivering dozens of phishing simulations with high quality content and no effort. And the second thing that’s special about Hoxhunt is the culture aspect. People everywhere are talking about Hoxhunt all the time. They love it. People who you’d never expect would be interested in cybersecurity are talking about Hoxhunt simulations and the real phishing emails they’re reporting.”

Charged with maintaining safe and smooth operations at the global non-profit, Wateraid, Mark sought a “light touch” security behavior change solution to overcome the limited resources at his disposal. To optimize security operations, Mark and his team lean on a selection of vendors and MSPs to prevent phishing breaches and respond quickly to incidents.

Since December 2022, Hoxhunt has been integrated with the Abnormal Cybersecurity API architecture, along with several other security platforms. Suspicious emails are reported by Wateraid employees via the Hoxhunt button and then analyzed in real-time by Abnormal. Mark cited a specific example that captures how the Hoxhunt/Abnormal integration lets him sleep a little easier.

A BEC attack had slipped through the email filters and landed in 39 employee inboxes. This is bound to happen, no matter how tight the technical perimeter may be. An IT team member called Mark to report the dubious email, which Mark had also just seen. Mark instructed his IT team member to report the email to Abnormal via the Hoxhunt button , and he went back to analyzing the threat himself. But the protect-detect-respond gears were spinning so fast that Mark was pleasantly surprised to find the BEC threat had already been removed from the system within a minute of its detection; before anyone else in the company had opened it. Time is essential in incident response, and this was a case study in how speedy threat detection can accelerate SOC response and reduce risk.

With human threat intelligence connected to the SOC, the BEC attack was stopped in seconds, preventing its spread

“That experience with the BEC attack was just fantastic. Right away it proved to everyone, including my IT Director, how effective this new system was that we’d invested in. It showed how Hoxhunt can work with Abnormal hand-in-glove to connect behavior change training and human threat detection with incident response and remediation.”

Goodbye SAT. Hello Behavior Change.

Wateraid’s legacy SAT tool—a feature of their legacy email gateway system—had been delivering stagnant results. Moreover, there was too much pushback from them over platform integrations with Hoxhunt; they wanted to maintain a closed system despite the inferior results of their SAT model. Mark’s cybersecurity consultant at Orange, Steve Taylor, recommended Hoxhunt as an innovative new option.

It was like finding something I’d never known I’d always wanted. I didn’t know that all the things Hoxhunt offered were possible. If I’d known, I’d have chosen it sooner… When we talk about ‘awareness,’ it’s really all about behavior change, and that’s what Hoxhunt delivers.”

A few months later during their POC with Abnormal, multiple attack emails were discovered to have slipped past the legacy email gateway over the past four months. Abnormal’s analysis showed that several employees had fallen for the CEO fraud phishing attack from a hacker posing as their CEO, but with a gmail account of KylieMinogue69.

“It was a really basic, classic phishing email. The fact that so many people fell for Kylieminogue69 at gmail, and that the breach went unnoticed for so long motivated us to make changes. Our awareness program needed to be improved and we needed to tap into our threat intelligence better.”

Fast forward a few months. Prior to WaterAid's adoption of Hoxhunt, hackers had infiltrated the email account of one team’s marketing partner and then, using the compromised account, orchestrated a BEC attack.

The wire fraud campaign took place over at least three months of surveillance. It started with fraudulent emails that demanded upfront payments to a new bank account for legitimate services rendered. Using classic social engineering techniques, the hackers disoriented, manipulated, and coerced a particular WaterAid employee to make the up-front payments to a fraudulent account. The scam came to light several months later when the legitimate bill came due from the real service provider.

Mark noted that had Hoxhunt's training been in place, the outcome would have been vastly different. The hacked employee voluntarily reached out to him and expressed how, armed with Hoxhunt's training, she would have easily identified the urgency, language inconsistencies, and other telltale signs of the BEC attack.

I can’t overstate how great Hoxhunt has been for our security culture. This employee just reached out to me and said, without any coaxing or prompting, that if she had gotten this email now, after training with Hoxhunt, she never would have fallen for it. She would have flagged it immediately, and our incident response system would have automatically kicked in and removed the danger.”

Future-proof and positive culture

Where the previous gateway provider’s product development was as stagnant as its awareness results after three years, Mark has been delighted with Hoxhunt’s evolution alongside the rapidly shifting threat landscape.

“Other products are like a one-off: you buy them and then they just stand still. But with Hoxhunt, it’s like getting a whole new product every few months, and that’s really exciting.”

Changing behavior at scale goes hand in hand with embedding cybersecurity culture across a global organization. Wateraid is particularly enthusiastic about specific features with Hoxhunt:

  • Light touch: AI-enabled automation and adaptive learning model makes the ongoing delivery of dozens of individualized microtrainings a plug-n-play operation for admins, and a fast-and-fun training experience for employees.
  • Measurable behavior change
  • Multilingual
  • Personalized: Training can be specified to prioritized needs of individuals and the organization
  • Statistics: Hoxhunt secures high engagement and trains everyone on failure and on success, providing exponentially more data that’s visible in auto-generated CXO reports
  • Gamificaiton: Everyone at Wateraid likes it.

“I’m a member of quite a few cybersecurity groups where we discuss what options are out there and I talk about this product a lot because it’s just way, way ahead of  anything else and nothing has come close to catching up with Hoxhunt… It's been a great journey and it's been ticking all the boxes we wanted to, and more. There's so many benefits that Hoxhunt has given us that we didn't even imagine were possible.”

Table of contents

Want to match these results?
Hoxhunt adaptive phishing training dramatically increases training engagement and security resilience.
Request a demo