Phishing

The Point (and Click) of Phishing Exercises

November 2, 2022

When we speak with companies about performing phishing tests, one of the most common responses is “We know a lot of people will click, so why bother?” There are two issues with that mindset. First, yes, many employees might click a link in an email depending on the pretext used. However, counting link clicks is not the most important thing in a campaign. What we like to see is how many people will report a phishing email.
Second, how can the employees and the company get better without training and testing? Most businesses are aware that they need to periodically test their servers for weaknesses (often referred to as a penetration test, or pentest) and know there is a likelihood that issues will be found. When you know which issues exist and how severe they are, you can weigh and address the risk. The same considerations apply to social engineering attacks against employees.

A Multi-Layered Approach

For proper protection we recommend phishing awareness training for employees, but it should not be the only line of defense. A defense-in-depth approach is always recommended. In addition to employee education, the mail servers should have proper spam filters in place. Those filters should be able to catch emails with insecure links and malicious attachments, and the mail server should quarantine those files appropriately. Workstations should have up-to-date anti-virus in place, in case a malicious file does make it to the inbox and is executed. Accounts should have multi-factor authentication in case credentials are leaked. The network should also have proper monitoring and alerting in place for when accounts perform abnormal activities. Networks should be properly segmented so accounts in one segment cannot easily cross boundaries into other segments they have no need to reach. Accounts should follow the principle of “least privilege,” meaning each account is given only the minimum permissions it needs.
If all these steps are properly followed, one employee clicking on a malicious email link should not do widespread harm to the company. But let’s talk a little more about a phishing education program.

What We Are Really Testing

Too many phishing education campaigns focus on click rates: the number of times a link in a malicious message gets clicked. Our focus is on the reporting of malicious emails.
When we perform a phishing campaign, our system measures:

  • How many emails were sent
  • How many emails were opened
  • How many emails had the links clicked
    • How many of these were reported as malicious
  • How many emails were reported without a link being clicked

We like to see a very high percentage of the opened emails reported. In one recent phishing campaign for a financial institution, we saw 6,826 of our phishing emails opened. Out of those, 6,465 (94.7%) were reported as malicious. This is an outstanding number!
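To make the five counts above and the reported-of-opened percentage concrete, here is a small aggregator over a constructed per-recipient event log. This is an added example, not code from Social-Engineer's platform; the event names and the sample recipients are assumptions, and it treats a click or a report as proof the email was opened even when no open event was recorded.

```python
from collections import defaultdict

# Constructed sample event log, not data from the original post. Each tuple is
# (recipient, event); events are "sent", "opened", "clicked" and "reported".
SAMPLE_EVENTS = [
    ("alice@example.com", "sent"), ("alice@example.com", "opened"),
    ("alice@example.com", "reported"),                                 # reported, no click
    ("bob@example.com", "sent"), ("bob@example.com", "opened"),
    ("bob@example.com", "clicked"), ("bob@example.com", "reported"),   # clicked, then reported
    ("carol@example.com", "sent"), ("carol@example.com", "opened"),
    ("carol@example.com", "clicked"),                                  # clicked, never reported
    ("dave@example.com", "sent"),                                      # never opened
    ("erin@example.com", "sent"), ("erin@example.com", "reported"),    # reported, no open event
]


def report_rate(reported, opened):
    """Percentage of opened emails that were reported, rounded to one decimal."""
    return round(100.0 * reported / opened, 1) if opened else 0.0


def campaign_metrics(events):
    """Aggregate per-recipient events into the counts the post lists.

    Assumption (ours, not the post's): a recipient who clicked or reported must
    have opened the email, even if no "opened" event exists, because open
    tracking usually depends on an image load that mail clients often block.
    """
    per_user = defaultdict(set)
    for user, event in events:
        per_user[user].add(event)

    opened_users = {u for u, e in per_user.items() if e & {"opened", "clicked", "reported"}}
    clicked_users = {u for u, e in per_user.items() if "clicked" in e}
    reported_users = {u for u, e in per_user.items() if "reported" in e}

    metrics = {
        "sent": sum(1 for e in per_user.values() if "sent" in e),
        "opened": len(opened_users),
        "clicked": len(clicked_users),
        "clicked_then_reported": len(clicked_users & reported_users),
        "reported_without_click": len(reported_users - clicked_users),
    }
    metrics["report_rate_pct"] = report_rate(len(reported_users), metrics["opened"])
    return metrics


if __name__ == "__main__":
    for name, value in campaign_metrics(SAMPLE_EVENTS).items():
        print(f"{name:>24}: {value}")
```

Run against the figures in the post (6,465 reported out of 6,826 opened), `report_rate` gives the 94.7% quoted above.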

Why Reporting Matters More Than Click Rates

Most companies have a team that focuses on protecting their networks and responding to incidents. These teams are very good at their jobs, but only if they know there is an intrusion or that employees are under attack. When these teams are notified, they can spring into action by looking for indicators of compromise. Your IT staff can immediately delete the malicious email from all other inboxes and find any rogue processes running. System administrators can force a password reset and look for any unexpected attempts to access the network. When these incidents go unreported, it gives the malicious actors more time to locate sensitive data, increase their network access and build upon their attacks.

What We Do Differently

At Social-Engineer, our focus is on report rates and on education. When an employee clicks a link in a phishing test, we show them a web page that tells them this was a test. Additionally, we use that moment to educate them on the various hints that were intentionally included in the phishing email. Some of the hints we point out include the address the email came from not matching the company’s domain, or the request stressing urgency with a tight deadline. Instead of this being a “gotcha!” moment, we want this to be a learning moment. People want to do the right thing, and the best way to help them is to use education and empathy, not shame or fear.
Lastly, we are flexible in the types of phishing campaigns that we offer. Our Managed Phishing Service campaigns are customized and built by our team of certified and trained social engineers, not an automated email plucked from a library of templates. If there are specific attacks or campaigns that are unique to your industry, we will work with you and build a campaign that best fits your needs.
