What is Phishing?
Phishing is a common attack vector that most people have heard of at one point or another. Despite that familiarity, it is a type of attack that is rarely avoided entirely: the diversity of roles within an organisation means that many of them can be targeted and exploited. Even organisations with a mature security posture find it difficult to prevent phishing, because the attack surface is often the employees themselves.
Targeted phishing attacks frequently single out new employees. Many sophisticated attacks subtly exploit these employees psychologically, without arousing any suspicion.
Phishing attacks (in particular, spear-phishing attacks) frequently aim to gain access to sensitive information, such as usernames, passwords and personal data, for malicious purposes by masquerading as a ‘trustworthy’ entity. The most common vector is the phishing email, which persuades users to follow links, open attachments or enter information, with potentially disastrous effects for the victim and for the organisation as a whole.
For many organisations, it is critical to detect and prevent phishing attacks, whether they originate off-site or on-site. If sensitive information such as consumer or client data or personnel records were compromised, or malicious software found its way into systems or networks, the damage to the company’s reputation, and the cost of recovery, could be severe. An important first step in measuring an organisation’s exposure to phishing is to undertake a phishing assessment.
What is a Phishing Assessment?
Phishing assessments are a form of ethical hacking, carried out by vetted security professionals within Bridewell Consulting, to assess how susceptible an organisation is to a damaging phishing campaign. An assessment essentially follows the same process as a real attack: deceptive phishing emails are sent to employees in an attempt to persuade them to divulge sensitive information about themselves, the organisation or its systems. These emails are crafted and delivered as a real-life attacker would deliver them.
With social engineering among the most prevalent attack vectors today, it is increasingly difficult to spot how attackers, potentially even on the business premises, gain access to critical business information. A phishing email can land in an employee’s inbox and, within a few minutes, if that employee mistakenly provides information or takes the action the attacker wants, the device can be compromised, with serious implications for the company’s infrastructure. Phishing assessments serve to reduce that time to detection and to sharpen the incident response that follows.
What is Involved in a Phishing Assessment?
Bridewell Consulting will test your employees through simulated phishing attacks to help them recognise ongoing threats. Once the test has been completed, we can provide training on the key areas that need improvement across the organisation, to mitigate the risk of a real-life phishing attack. This training can be delivered in numerous ways, such as a cloud-based security awareness course presented immediately to users who follow a link in a simulated attack.
As part of our ongoing security testing and awareness training service, additional phishing assessments can be carried out whenever you feel they are necessary. We will work with you to define the exact assessment goals, and there are several types of phishing attack we can simulate to align with your principal security concerns.
Types of Simulated Phishing Attack
Phishing Attack
Traditional phishing emails that attempt to gain information or even system access by casting a wide net, in the hope of catching unsuspecting victims
Spear Phishing Attack
A targeted attack against an organisation, a specific individual or a group of people, crafted using information gathered about them
Whale Phishing Attack
Targeted at high-value individuals, such as senior executives, because of their status within an organisation, hence the name “Big Phish” or “Whale”
Each phishing assessment is bespoke to your organisation, with testing taking place within the testing window agreed at the consultation stage.
Using email addresses you provide during the scoping phase, or addresses gathered through Open Source Intelligence (OSINT), we can create a targeted campaign suited to your business and goals. Bridewell Consulting will then provide a full rundown of the findings from the test and recommended next steps to improve your security posture.
Phishing assessments are a vital component of social engineering penetration testing. Whereas infrastructure penetration testing, or the testing of mobile devices, applications or wireless networks, targets technology, social engineering penetration testing seeks to help organisations improve how they identify, isolate and resolve threats from people using social engineering tactics.
The Use of Open Source Intelligence (OSINT)
Open Source Intelligence, OSINT for short, refers to data and information collected from publicly available sources, such as company websites, social media and public records, and used for intelligence purposes. In a phishing assessment it is typically used to identify employees, their email address format and the context a convincing pretext needs. OSINT is valuable and widely used by security professionals when carrying out their services, assessments and security testing procedures.