PHaaS – The Business Value of Phishing as a Service

By January 9, 2015October 29th, 2020PHaaS

In 2013 37.3 million users experienced phishing attacks leading to direct loss and reputational damage. As 2015 opens, phishing attacks continue to plague organizations across the globe with great success, but why?

Cybercriminals have figured out how to target the human element of organizations, and they are evolving techniques to use an organization’s own employees as the first point of entry. No company, no matter the size or prestige, is immune to these types of attacks. In 2014, Microsoft employees fell victim to several targeted phishing attacks in which attackers were able to compromise internal email access, in addition to social media and blog accounts. Recently, the Sony attack has been a stark reminder of the public humiliation a company can face in the wake of a security breach.  The reputational fallout could be irreparable.

Gone are the days when phishing emails consisted of broken English, poor grammar, or simple “click now” to win these outrageous prize offerings.  In fact, the most skilled phishers are now able to send highly-sophisticated emails that appear to be from a legitimate source.  In fact, some of the most effective phishing emails are now sent from a “fellow employee,” a specific department such as HR, or even a third-party partner.  They leverage everything from an organization’s logo and layout to internal lingo. Highly targeted spear-phishing attacks go after a specific individual’s personal interests.  These days, phishing emails are so good that they establish immediate credibility, and users don’t even think twice before acting. One of our clients just told us how they were duped by the attackers actually sending emails from their very own domain! By then it’s too late.

Train the way you fight, because you will fight the way you have trained.

It’s time for businesses to take a page from martial arts when it comes to training for security breaches.  By putting effort into the way employees are trained, organizations equip their employees with the skills to help defend the organization’s intangible assets.  In martial arts, sparring is a mechanism for testing techniques learned in the studio.  A martial arts practitioner may master a technique standing still but find the technique much more difficult to execute when facing a moving opponent. When an individual experiences a real-world attack, they go into fight or flight mode.  Someone who masters martial arts practices, but has never executed against a determined aggressor, may find those skills difficult to apply in the heat of the moment. This can be likened to a well-crafted phishing email.  An employee may know better, but when faced with an authentic-looking email, sent from an internal source, that confirms submission of incorrect information, the individual’s initial reaction may be to respond and hand over the “correct” data.

In sparring, some techniques work better when combating tall people but don’t work too well when combating a more compact and more robust individual. Martial artists must learn to continually adapt. Sparring not only enables martial artists to grow confident with learned techniques, but it affords them the opportunity to grow from actual mistakes.  An organization can sermonize the importance of security until kingdom come, but until employees are actually faced with a believable attack vector, they will not learn how to adequately respond.

With the roll out of our new Phishing as a Service (PHaaS) offering for 2015, the team at Social-Engineer, LLC is committed to helping organizations combat sophisticated, targeted threats.

Just like military experts train their soldiers to fight in a worst-case scenario, organizations can also educate and train staff to detect social engineering attacks as a way to improve overall security.  While the concept of phishing your own employees has been around for a few years, the concept of a custom and continuous Phishing as a Service offering is new. From start to finish, Social-Engineer helps an organization’s most unpredictable asset (the human) become the first line of defense.  If an employee understands the value of reporting suspicious activity to their internal security department, they will likely react to real-world scenarios the same way.  Rather than simply training staff to look for suspicious activity, the Social-Engineer team teaches users to apply critical thinking, to recognize phishing emails, and how to properly report and respond to them.  It’s important for employees to understand the assets they are responsible for protecting and how they can better protect them.  Security starts with each individual user.

By sending an initial wave of well-crafted phishing emails, Social-Engineer creates a baseline for an organization’s susceptibility to these types of attacks.  From there, our team conducts a thorough debrief focusing on remediation and education.  This process is repeated with enhanced and advanced methods of phishing awareness education.  By conducting ongoing and regular phishing campaigns, organizations can quickly begin the process of phishing awareness and education. Our service can also provide advanced metrics such as click and reporting rates, repeat offenders, and trend data in order to identify specific areas of improvement and, eventually, ROI.

Securing Your Organization with Social-Engineer’s Phishing as a Service

When it comes down to it, employees who know they are being tested are more apt to report and respond appropriately to questionable emails and activity.  By keeping employees on their toes, organizations are able to vastly improve overall security posture. Organizations who have  implemented our PHaaS program have experienced:

  • increased positive dialogue between employees and IT teams;
  • a dramatic decrease in known malware incidents and malware infection rates (one client experienced a 70% reduction);
  • decreased frequency of computer re-imaging;
  • a reduction in drive-by downloads and adware; and
  • less disruption to the corporate network.

The results are real, but don’t just take our word for it.

The chart below illustrates data from one of our clients who implemented  PHaas in July 2014.  Prior to working with Social-Engineer, this organization was running a phishing education program on their own using a popular phishing tool.  They were sending out regular emails and testing their whole population.  On the surface, everything was the way it should be for a phishing program.  After one year of trudging through it on their own, they contacted Social-Engineer to offer assistance in enhancing their program.

What were the results?

More than a 370% increase in catching phishing emails.

This particular organization came to Social-Engineer after spending a year of trying to maintain their own internal phishing program.  Despite efforts, the organization simply did not experience the results they thought they would.  This chart demonstrates the tremendous value of the Social-Engineer phishing program after just one month’s time.  Now, over 6 months into the program, the organization continues to experience tremendously successful results.

Businesses spend hundreds of thousands on IDS systems, firewalls, and other protection mechanisms to monitor the network, but one skilled phishing attack can lead to total devastation without the attacker having to hack one thing. It’s a matter of when, not if, your organization will be targeted.  Implementing a well-managed phishing and education program is a cost-effective mechanism for preparing your employees for real-world situations and keeping your business out of the headlines.  For more information on Social-Engineer’s Phishing as a Service offering, please visit or email [email protected]

Leave a Reply