In a phishing campaign, the awareness of employees to phishing emails is tested and evaluated. This can be used as a determination of the current state, a basis for training or as a regular check and demonstration of progress as Phishing-as-a-Service.
If the following questions are still open in your company, a phishing is recommended:
The purpose of the scoping meeting is to define the goals of the password audit and to transfer sufficient knowledge about the authentications used so that the offer can then be created on this basis. The questions mostly revolve around the password policy and established measures and mechanisms for secure passwords and MFA.
The offer is prepared on the basis of the scoping meeting. In addition to the objectives, methods, price and general conditions, it also contains a suggested timeframe for execution. Of course, nothing is set in stone and the offer will be adapted to your needs. In principle, we always charge according to the actual effort involved.
Based on the available information and the awareness level of the employees, suggestions for the phishig email are developed and discussed. This can be done in several iterations until everyone agrees with the phishing email.
The delivery of the e-mails is checked in a test run. Any security mechanisms that could prevent delivery are softened for this specific campaign. This ensures that it is really the awareness and not the technical measures that are tested. Technical measures can be examined more efficiently in an attack simulation.
The phishing e-mails are sent in several waves so that there is no overloading of the mail server or problems with delivery. Ideally, however, the intervals are kept as short as possible so that there is no falsification of the results by initial reactions.
The landing page is kept active until resolution (usually a few days). All clicks or interactions are registered and statistically processed. This makes it possible to evaluate the results in as much detail as possible. The results can also be evaluated by department or location, for example. This allows an even more targeted approach to improving awareness.
A phishing campaign is a perfect basis for training. Nothing achieves a greater learning effect than actual phishing emails that have been successful. There are also very good learning modules from our partners, which can be used for interactive learning.
A single phishing campaign can serve as a basis for training or as an eye-opener, but it rarely achieves a lasting effect. Ideally, phishing campaigns and training should be conducted on a regular basis. This is exactly what we offer in Phishing-as-a-Service.
All results are submitted in a final report (PDF, Excel and JSON). In addition to the desired statistics, the report also contains the phishing emails and their detection characteristics. Thus, the results can be used as a basis for training. The results are also made available via the Mesher platform, so you can easily keep track of all campaigns and awareness progress.
Via Mesher, your current security level is recorded and you can view the return on investment for the various measures. All results are also visualized here and can be linked to existing tools thanks to integrations. With the platform, technical measures can be directly assigned with tasks to the appropriate people and agile working without media breaks is made possible. Awareness campaigns can be easily recorded and progress can be shown.
Phishing awareness can only be sustainably improved through regularity. With Phishing-as-a-Service, we regularly send different phishing emails and adapt them to the awareness level. After the initial effort of setting up the infrastructure and delivery verification, we can offer this at a lower price than individual campaigns. Ideally, the campaigns are supplemented by training or modules, thus continuously improving phishing awareness.
The aim of a social engineering audit is to check employees' awareness of and reactions to social engineering attacks. The simulated attacks are based on real attacks. In contrast to real attacks, however, simulated attacks must comply with legal and moral boundaries. The personal integrity and psychological well-being of the persons involved should not be affected in any way by a social engineering audit. The results of such an audit are only made available in anonymized form and should not allow any conclusions to be drawn about the identity of the individual persons tested and their behavior.
