Phished - Who “Plaiced The Bait”?
The Challenge
Company A needed an unbiased outside company to test whether phishing would be an attack vector. They had no previous experience of running a phishing campaign, but their users were educated on the dangers of opening emails.
Process Taken
Once the consultant had spoken with management, it was decided to target two user groups: the finance department and the wider company. For the finance department, a general phishing exercise may not have been the best approach, as Company A were looking to test whether particular processes and procedures were followed, e.g. payments. A template and a benign spreadsheet were built for both the general targets and the finance targets. Suitable domains were used for both phishing scopes. System administrators were notified prior to the test to help build a matrix of users who notified Company A of a phishing attack.
The phishing exercise was run over a week to identify the users who were most vulnerable.
The Results
The results showed that 6% of the users interacted with the links and 2% opened the attachments. Any of these actions could have led to data loss or compromise of the systems. This was a slightly higher rate than the 4% on click-through. A report was compiled with metrics such as: users who interacted with the email, IP addresses (location), and dates and times of the event(s).
Company A were able to gauge their risk from a phishing attack, identify vulnerable users, and target appropriate training and additional countermeasures.
Call-To-Action
As the weakest link, your users could offer the path of least resistance into the company’s systems. In a recent study, 54% of managed service providers (MSPs) claimed ransomware was caused by phishing emails [1]. Damage caused by ransomware can lead to unspecified financial loss, e.g. Colonial Pipeline, or collapse of the company, e.g. Travelex.
There is no excuse for not running a phishing test. For a limited time we are offering a free standard phishing test for your company, thereby creating a safer online experience.
Further reading:
Statistics: https://digitalintheround.com/phishing-statistics/
https://www.cisecurity.org/white-papers/security-primer-ransomware/
Targets: https://www.statista.com/statistics/266161/websites-most-affected-by-phishing/
References:
[1] - https://www.statista.com/statistics/700965/leading-cause-of-ransomware-infection/