Phishing

In a phishing campaign, employees' awareness of phishing emails is tested and evaluated. The result can serve as a determination of the current state, as a basis for training, or, as Phishing-as-a-Service, as a regular check that demonstrates progress.

If the following questions are still open in your company, a phishing campaign is recommended:

  • Do our employees recognize phishing emails?
  • Do our employees react according to our policies?
  • Are our awareness trainings having the desired effect?
  • How much effort does an attacker need to achieve a successful phishing?

Process

Scoping

Goal and scope

The purpose of the scoping meeting is to define the goals of the password audit and to transfer sufficient knowledge about the authentications used so that the offer can then be created on this basis. The questions mostly revolve around the password policy and established measures and mechanisms for secure passwords and MFA.


Offer

Agreement

The offer is prepared on the basis of the scoping meeting. In addition to the objectives, methods, price and general conditions, it also contains a suggested timeframe for execution. Of course, nothing is set in stone and the offer will be adapted to your needs. In principle, we always charge according to the actual effort involved.

Scenario

Phishing e-mail

Based on the available information and the awareness level of the employees, suggestions for the phishing email are developed and discussed. This can take several iterations until everyone agrees on the phishing email.

Test Run

Delivery check

The delivery of the e-mails is checked in a test run. Any security mechanisms that could prevent delivery are relaxed for this specific campaign. This ensures that it is really the awareness of the employees, and not the technical measures, that is being tested. Technical measures can be examined more efficiently in an attack simulation.

Dispatch

Campaign launch

The phishing e-mails are sent in several waves so that the mail server is not overloaded and delivery problems are avoided. Ideally, however, the intervals are kept as short as possible so that the results are not distorted by the first recipients' reactions (for example, warning their colleagues).


Report

Analysis

The landing page remains active until the campaign is closed (usually a few days). All clicks and interactions are recorded and statistically processed. This makes it possible to evaluate the results in as much detail as required; for example, the results can also be broken down by department or location. This allows an even more targeted approach to improving awareness.

Training

Use the effect

A phishing campaign is a perfect basis for training. Nothing achieves a greater learning effect than actual phishing emails that have been successful. There are also very good learning modules from our partners, which can be used for interactive learning.


Repeat

Sustained

A single phishing campaign can serve as a basis for training or as an eye-opener, but it rarely achieves a lasting effect. Ideally, phishing campaigns and training should be conducted on a regular basis. This is exactly what we offer in Phishing-as-a-Service.

Deliverables

All results are submitted in a final report (PDF, Excel and JSON). In addition to the desired statistics, the report also contains the phishing emails and their detection characteristics. Thus, the results can be used as a basis for training. The results are also made available via the Mesher platform, so you can easily keep track of all campaigns and awareness progress.

PDF

The final report in PDF format contains an introductory section, an executive summary, evaluations, statistics and the phishing emails sent, together with their detection characteristics.

Excel

The Excel file contains all statistics and evaluations. Thanks to the editable format, this list is suitable for further processing of the results, and additional information can easily be added.

JSON

The JSON file contains all statistics and evaluations. JSON is the most common format for the automated further processing of information and can often be fed into existing tools with little effort.
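As an added illustration of what "automated further processing" of such a JSON export can look like (this is example code written for this page, not the provider's report format or tooling), the script below aggregates per-recipient results by department or location, as described in the Analysis step. The JSON layout, the field names (`recipient`, `department`, `location`, `action`, `reported`) and the minimum group size of 5 are assumptions; a real export will differ. Groups smaller than the minimum are merged into "other" so that the published statistics do not point back to individual employees, in line with the anonymization described in the Code of Conduct.

```python
"""Aggregate a phishing-campaign result export by department or location.

Added example; the JSON schema below is a constructed assumption, not the
real report format. One record per recipient: a pseudonymous id, the
department, the location, the highest-impact action observed
(delivered < opened < clicked < submitted) and whether the recipient
reported the e-mail (the policy-conformant reaction).
"""
import json
from collections import Counter, defaultdict

# Constructed sample export (not real campaign data).
SAMPLE_JSON = """[
 {"recipient": "p-001", "department": "Finance", "location": "Zurich", "action": "clicked",   "reported": false},
 {"recipient": "p-002", "department": "Finance", "location": "Zurich", "action": "delivered", "reported": true},
 {"recipient": "p-003", "department": "Finance", "location": "Bern",   "action": "submitted", "reported": false},
 {"recipient": "p-004", "department": "Finance", "location": "Bern",   "action": "opened",    "reported": false},
 {"recipient": "p-005", "department": "Finance", "location": "Bern",   "action": "delivered", "reported": true},
 {"recipient": "p-006", "department": "IT",      "location": "Zurich", "action": "delivered", "reported": true},
 {"recipient": "p-007", "department": "IT",      "location": "Zurich", "action": "opened",    "reported": true},
 {"recipient": "p-008", "department": "IT",      "location": "Zurich", "action": "clicked",   "reported": true},
 {"recipient": "p-009", "department": "IT",      "location": "Bern",   "action": "delivered", "reported": false},
 {"recipient": "p-010", "department": "IT",      "location": "Bern",   "action": "delivered", "reported": false},
 {"recipient": "p-011", "department": "Legal",   "location": "Bern",   "action": "submitted", "reported": false},
 {"recipient": "p-012", "department": "Legal",   "location": "Bern",   "action": "clicked",   "reported": false}
]"""

VALID_ACTIONS = ("delivered", "opened", "clicked", "submitted")
MIN_GROUP_SIZE = 5  # assumption: smaller groups are merged into "other" for anonymity


def load_results(text):
    """Parse the export and reject records with an unknown action value."""
    records = json.loads(text)
    for record in records:
        if record["action"] not in VALID_ACTIONS:
            raise ValueError(f"unknown action {record['action']!r}")
    return records


def summarize(records, key, min_group=MIN_GROUP_SIZE):
    """Return per-group counts and rates; only aggregates leave this function.

    key is the grouping attribute ("department" or "location"). Groups with
    fewer than min_group recipients are pooled under "other".
    """
    sizes = Counter(record[key] for record in records)
    stats = defaultdict(lambda: {"recipients": 0, "clicked": 0,
                                 "submitted": 0, "reported": 0})
    for record in records:
        group = record[key] if sizes[record[key]] >= min_group else "other"
        entry = stats[group]
        entry["recipients"] += 1
        # A submitted form implies the link was clicked first.
        if record["action"] in ("clicked", "submitted"):
            entry["clicked"] += 1
        if record["action"] == "submitted":
            entry["submitted"] += 1
        if record["reported"]:
            entry["reported"] += 1
    for entry in stats.values():
        total = entry["recipients"]
        entry["click_rate"] = round(entry["clicked"] / total, 2)
        entry["report_rate"] = round(entry["reported"] / total, 2)
    return dict(stats)


if __name__ == "__main__":
    results = load_results(SAMPLE_JSON)
    for grouping in ("department", "location"):
        print(f"--- by {grouping} ---")
        for name, entry in sorted(summarize(results, grouping).items()):
            print(f"{name:8} n={entry['recipients']:2} "
                  f"click_rate={entry['click_rate']:.2f} "
                  f"report_rate={entry['report_rate']:.2f}")
```

The report rate is tracked alongside the click rate because the second question on this page, whether employees react according to policy, is answered by how many recipients reported the e-mail, not only by how many avoided clicking.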

Mesher

Via Mesher, your current security level is recorded and you can view the return on investment for the various measures. All results are also visualized here and can be linked to existing tools thanks to integrations. With the platform, technical measures can be assigned directly as tasks to the appropriate people, enabling agile working without switching between tools. Awareness campaigns can be easily recorded and progress can be shown.

Phishing-as-a-Service

Phishing awareness can only be sustainably improved through regularity. With Phishing-as-a-Service, we regularly send different phishing emails and adapt them to the awareness level. After the initial effort of setting up the infrastructure and delivery verification, we can offer this at a lower price than individual campaigns. Ideally, the campaigns are supplemented by training or modules, thus continuously improving phishing awareness.

Code of Conduct

The aim of a social engineering audit is to check employees' awareness of and reactions to social engineering attacks. The simulated attacks are based on real attacks. In contrast to real attacks, however, simulated attacks must comply with legal and moral boundaries. The personal integrity and psychological well-being of the persons involved should not be affected in any way by a social engineering audit. The results of such an audit are only made available in anonymized form and should not allow any conclusions to be drawn about the identity of the individual persons tested and their behavior.