A leading business firm in India needed to assess the susceptibility of their staff to phishing attacks. “Enticing our employees to enter their login credentials or click on links was simply too run-of-the-mill,” one of them told us. They wanted to gauge how susceptible their employees were to phishing attacks, but they did not want something quite so simple.
We found out that an internal conference involving the senior leadership was being organized at an external venue. We crafted a phishing email that appeared to have come from their HR and asked them to dress in red tops and black pants during the conference. The results couldn’t be any clearer. Anyone who fell for the simulated phishing attack would dress as the email told them to.
A non-banking financial company that deals with large amounts of confidential data recognized that there’s only so much that technology can do to reduce potential risks.
We sent out 4000 emails over a period of one year, with different scenarios delivered across various simulations. One such scenario appeared to have purportedly come from a major credit card provider. The email was a classic scam, commonly seen in PayPal and eBay related phishing attempts. It told recipients that the credit card company had noticed “suspicious activities” in their accounts and instructed them to click on the link to verify and update their personal information.
The landing page would then ask for the usual information such as name, email, address, occupation, etc. Credential phishing would be only the first step; with those details in hand, attackers could work out the rest and home in on the targeted organization.
Occasionally, trickier and more difficult simulations were sent to ensure that users did not become complacent over time.
Prior to the phishing campaign, the susceptibility rate to phishing attempts was approximately 31% with an almost non-existent reporting culture. The susceptibility rate dropped to around 7%, with significant improvements in the organization’s reporting culture. A 92.96% compliance rate was achieved towards the final quarter of the phishing campaigns.
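The figures above are the output of a campaign like this: per-round results aggregated into a susceptibility rate, a reporting rate, and a list of people who need extra attention. The following is an added example of that defender-side bookkeeping, not code from the firm or the financial company described on this page. The result rows are constructed, and because the page does not define its metrics, the definitions are assumptions: a recipient counts as susceptible if they clicked the lure, "submitted" counts those who went on to enter data on the landing page, and "reported" counts those who flagged the email to security.

```python
from collections import defaultdict

# Constructed sample results (not real campaign data): one row per recipient
# per simulation round as (quarter, recipient_id, clicked, submitted, reported).
EVENTS = [
    ("Q1", "u001", True, True, False),
    ("Q1", "u002", True, True, False),
    ("Q1", "u003", True, True, False),
    ("Q1", "u004", True, False, False),
    ("Q1", "u005", False, False, True),
    ("Q1", "u006", False, False, False),
    ("Q1", "u007", False, False, False),
    ("Q1", "u008", False, False, False),
    ("Q1", "u009", False, False, False),
    ("Q1", "u010", False, False, False),
    ("Q4", "u001", True, True, False),
    ("Q4", "u002", False, False, True),
    ("Q4", "u003", False, False, True),
    ("Q4", "u004", False, False, True),
    ("Q4", "u005", False, False, True),
    ("Q4", "u006", False, False, True),
    ("Q4", "u007", False, False, True),
    ("Q4", "u008", False, False, False),
    ("Q4", "u009", False, False, False),
    ("Q4", "u010", False, False, False),
]


def campaign_metrics(events):
    """Aggregate per-quarter counts and rates (percent of emails sent).

    Assumed definitions: susceptibility = clicked the lure; submitted = entered
    data on the landing page; reporting = flagged the email to security.
    """
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for quarter, _uid, clicked, submitted, reported in events:
        c = counts[quarter]
        c["sent"] += 1
        c["clicked"] += int(clicked)
        c["submitted"] += int(submitted)
        c["reported"] += int(reported)
    metrics = {}
    for quarter, c in sorted(counts.items()):
        metrics[quarter] = {
            **c,
            "susceptibility_pct": round(100 * c["clicked"] / c["sent"], 2),
            "submitted_pct": round(100 * c["submitted"] / c["sent"], 2),
            "reporting_pct": round(100 * c["reported"] / c["sent"], 2),
        }
    return metrics


def repeat_responders(events, min_rounds=2):
    """Recipients who submitted data in at least min_rounds distinct rounds.

    These are the people the "trickier" follow-up simulations and targeted
    training should focus on, since an aggregate rate hides them.
    """
    rounds = defaultdict(set)
    for quarter, uid, _clicked, submitted, _reported in events:
        if submitted:
            rounds[uid].add(quarter)
    return sorted(uid for uid, qs in rounds.items() if len(qs) >= min_rounds)


def susceptibility_trend(metrics):
    """Change in susceptibility from the first to the last quarter, in percentage points."""
    quarters = sorted(metrics)
    first, last = metrics[quarters[0]], metrics[quarters[-1]]
    return last["susceptibility_pct"] - first["susceptibility_pct"]


if __name__ == "__main__":
    m = campaign_metrics(EVENTS)
    for quarter, stats in m.items():
        print(quarter, stats)
    print("repeat responders:", repeat_responders(EVENTS))
    print("susceptibility change (pp):", susceptibility_trend(m))
```

Running the block on the constructed rows shows the pattern the page describes: susceptibility falls while reporting rises, and the one recipient who submitted data in both rounds surfaces for follow-up rather than disappearing into the quarterly average.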