Phishing Simulation services, also known as Spear Phishing Simulation services, are used by organizations of all types that want to reduce their exposure to ransomware, data breaches, account takeover and other attacks that often start with phishing.
The threat of data breaches and phishing has never been higher. The Identity Theft Resource Center reported an all-time high in 2018 for number of compromised data records at nearly 450 million. One of the methods hackers and fraudsters use to infiltrate systems and steal data is phishing, which can mislead employees to install spyware or handover their credentials.
Sometimes a phishing attack's sole intent is to obtain the victim's email credentials for sending a targeted spear phishing email campaign from an internal email address.
The damage from phishing can be even worse than a data breach, believe it or not. Fraudsters are stealing business' intellectual property and often times sensitive data which they hold for ransom.
The point is that businesses are frequently attacked with phishing and the potential for financial and brand damage is significant. While employees may be trained, actually testing them can show where there is susceptibility to phishing risk.
Those who fall for the simulated phishing attack can be educated on identifying phishing emails such as the one they opened, and receive further training.
When used continuously, employees will think twice before clicking links in any email not just to avoid real phishing scams, but to avoid failing any internal phishing tests.
According to a 2018 survey, 88 percent of Fortune 500 companies are use phishing simulation services.
THE FRAUD PRACTICE
KEY NOTES
Alternative Solutions - None, other than doing this in-house.
Building this In-House - It is possible to create and send out a simulated phishing attack created internally, but managing the results and reporting can require extensive effort..
Estimated Cost - Inexpensive
Sample Venders - PhishMe, Barracuda Networks, KnowBe4, Wombat, PhishLabs
PHISHING SIMULATION SERVICES TECHNIQUE OVERVIEW
Phishing Simulation services send and track innocuous phishing campaigns to identify employees susceptible to these attacks, providing the opportunity to intervene and train them to not fall victim to these or real attacks in the future. Key considerations when implementing or buying this functionality include:
How customized are emails purporting to be from your organization?
How much effort is required on the part of the user to manage the phishing simulation setup and results?
How many different types of phishing attacks can be attempted? i.e. Click link vs. open/download attachment
What types of reporting features are offered to review pass/fail rates and other data?
How should those who fail the phishing simulation be handled?
Does the service offer training for those who fail?
HOW DOES IT WORK?
The service provides simulated phishing attacks sending fake email attacks that can be general or customized, such as mimicking the organization or an internal email. The phishing emails can look very convincing, but when the recipient fails the test by clicking a link or opening an attachment no harm is done. The organization has to manage using the service in terms of selecting or uploading email addresses to receive the fake phishing attacks, as well as pulling results reports and potentially creating custom reports.
HOW DO YOU USE THE RESULTS?
Those who succumb to the simulated phishing attack may be notified immediately or later. They can be instructed on what characteristics in the faux phishing attack they should've noticed. Employees who fail the test can receive further training and/or be required to use 2-Factor Authentication (2FA). Incentives can be offered to those who do not fall for any of the simulated phishing attacks sent to them over the year.