
Why Template Phishing Assessments Don’t Prepare You For Real World Threats

Published on 17/11/2021

Not a week goes by where we don’t see a headline in the press mentioning something along the lines of “sophisticated phishing attack” or “new phishing attack approach”. As long as we embed technological innovations into our processes and increasingly rely on them, malicious individuals are continually improving their approaches and looking for weaknesses to exploit.

There are plenty of basic phishing campaign platforms which provide templated phishing campaigns. These generally include standardised emails which are sent to every employee within your business. Whilst these are good for providing basic awareness of phishing threats, they don’t account for the more sophisticated spear phishing threats, where an attacker has extensively researched your organisation and the attacks are not filled with the obvious red flags that would make them easy to identify and contain.

Why Tailored Phishing Assessments Are A More Effective Option

Basic, templated Phishing Assessments fail to take into account the vast number of approaches a cyber criminal could use to attack your organisation. They also fail to recognise that each member of your team has different levels of technical skill, awareness and knowledge when it comes to phishing threats. Therefore, tailoring Phishing Assessments to varying levels of technical skill and awareness enables you to raise overall awareness throughout your organisation.

To ensure we’re providing our clients with realistic scenarios in our tailored Phishing Assessments, we keep track of all the latest scams in the media, in crime reports and on the dark web. We also monitor attacks directed at our systems and third parties. This ensures that when clients request help in gaining an understanding of the level of their employees' awareness of phishing threats, we can take our knowledge of the approaches threat actors are taking and apply it to our clients' particular situation, sector, sizes, processes and so on.

Recently, a client of ours asked us to make their phishing campaign as difficult as possible because they were aware that threat actors aren’t going to hold back if they want to succeed. As a result of the Phishing Assessment, our client learned that:

  • There was a lot of publicly available information about their organisation which a malicious individual could easily access and use against them, including email addresses, internal processes and events.
  • A truly convincing email resulted in 84% of their staff clicking on a link within the email and 74% entering their username and password.
  • On a more positive note, of the recipients who entered their details, only one employee did not have a password that met the organisation’s minimum password requirement.

Importantly, the point of a phishing assessment is to identify where further education is required. After clicking and entering information, employees at this organisation were provided with training on how to spot phishing campaigns in future and how best to report them to their security team.

What Your Employees Need

Spam filters won’t identify every phishing email that comes through. Cyber criminals are spending more and more time crafting their approach to increase the success rate of their attacks. Your employees are your last line of defence, so they need to be equipped to manage the risk, which involves being able to:

  • Identify that something isn’t quite right. That might be an email address that looks incorrect or wondering why a person you weren’t expecting an invoice from sent you one.
  • Report phishing emails. Perhaps to an IT team or a cyber security team; regardless, the simple act of reporting a phishing email that has made it through the cracks of the first line of defence is vital to managing the problem in the long term.

Talk To Us About Phishing Assessments

Do you know how your people would deal with a phishing email? Get reassurance that they will take the right actions and that you are helping them to help you and themselves at work and at home.

If you think you have been the victim of a phishing attack, or would like to protect your organisation against cyber threats, please get in touch to speak to one of our specialists.

This article was published in partnership with our cyber security partner PGI.

© SES Secure Limited and ses-escrow.co.uk, 2021. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to SES Secure Limited and ses-escrow.co.uk, with appropriate and specific direction to the original content.
