One of the primary modern attack vectors is to target the user rather than the computer. While purely technical attack vectors are sometimes still viable, the vast majority of successful attacks contain an element of social engineering. Secure Ideas understands that clients may require social engineering phishing campaigns to be conducted against their employees. We do this by performing a comprehensive social engineering phishing assessment, which challenges the user population and provides senior management with the information needed to make risk-based decisions about the client-side attacks used by today's attackers.
To effectively test the resiliency of a client's employees, we require full cooperation in making sure our phishing test emails are whitelisted and reach those employees. Otherwise we are simply testing the client's spam filter's ability to recognize a malicious email, not the employees' ability to recognize and thwart a social engineering attack that gets through the spam filter. Secure Ideas' source IPs and/or sender email addresses will need to be whitelisted for this activity to provide value and truly validate how well the client's workforce performs during the exercise. All scenarios require pre-approval from the client before an attack is launched.
- The phishing campaign uses a template system to build and send phishing emails. Each template is modeled on a real-world phishing attack and includes:
  - A hidden tracking image, which notifies Secure Ideas when the email has been opened and HTML content (remote images) has been allowed
  - An obfuscated link to a Secure Ideas server that notifies Secure Ideas when the link has been clicked and then forwards the target to the phishing campaign target page for credential entry
- The phishing campaign target page performs several actions in the target's browser too quickly for the human eye to notice, so the transition from clicking the link to reaching the end-user content appears seamless.
- Standard metrics include: sent, opened, clicked, and submitted data.
Note: Entered data is not captured by default. Entered data may optionally be captured upon request.
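The mechanics described above (per-recipient tracking image, tokenized click link that logs and redirects, and the sent/opened/clicked/submitted funnel) as an added, self-contained illustration. This is example code written for this page, not Secure Ideas' campaign tooling; the tracker host `tracker.example`, the landing page `landing.example`, the URL paths `/o/`, `/c/`, `/s/` and the recipient addresses are hypothetical. Entered form data is discarded unless `capture_data` is explicitly enabled, matching the note above.

```python
"""Minimal phishing-simulation tracker (added example, hypothetical hosts).

Each recipient gets a random token embedded in both the tracking pixel URL
and the click URL, so open/click/submit events can be tied back to a person
without putting their address in the email."""
import re
import secrets
from dataclasses import dataclass, field

TRACKER = "https://tracker.example"          # hypothetical tracking server
LANDING = "https://landing.example/login"    # hypothetical credential page
REAL_SITE = "https://mail.example.com/"      # hypothetical real site to forward to

# Displayed link text differs from the real href: the classic lure.
TEMPLATE = """<html><body>
<p>Hello {name}, your mailbox quota is almost full. Review it here:</p>
<p><a href="{click_url}">https://mail.example.com/quota</a></p>
<img src="{pixel_url}" width="1" height="1" alt="">
</body></html>"""


@dataclass
class Campaign:
    tokens: dict = field(default_factory=dict)    # token -> recipient address
    events: dict = field(default_factory=dict)    # recipient -> set of event names
    submitted_data: dict = field(default_factory=dict)
    capture_data: bool = False                    # off by default, as the page notes

    def build_email(self, recipient, name):
        """Render one email with a unique token; records the 'sent' event."""
        token = secrets.token_urlsafe(16)
        self.tokens[token] = recipient
        self.events.setdefault(recipient, set()).add("sent")
        html = TEMPLATE.format(
            name=name,
            click_url=f"{TRACKER}/c/{token}",
            pixel_url=f"{TRACKER}/o/{token}.gif",
        )
        return token, html

    def handle_request(self, method, path, form=None):
        """Simulated tracker endpoint. Returns (status, location_or_body).

        Unknown tokens get 404 so link scanners probing the host at random
        do not pollute the metrics."""
        m = re.fullmatch(r"/(o|c|s)/([A-Za-z0-9_-]+)(\.gif)?", path)
        if not m or m.group(2) not in self.tokens:
            return 404, None
        kind, token = m.group(1), m.group(2)
        ev = self.events[self.tokens[token]]
        if kind == "o" and method == "GET":
            ev.add("opened")                      # pixel fetched: HTML/images allowed
            return 200, "image/gif"
        if kind == "c" and method == "GET":
            ev.add("clicked")                     # log, then forward to the landing page
            return 302, f"{LANDING}?t={token}"
        if kind == "s" and method == "POST":
            ev.add("submitted")                   # record the fact, not the content
            if self.capture_data and form:
                self.submitted_data[self.tokens[token]] = dict(form)
            return 302, REAL_SITE                 # seamless hand-off to the real site
        return 405, None

    def metrics(self):
        """Per-recipient funnel counts. A click proves the mail was opened even
        when the pixel never fired (images blocked), so 'opened' includes clicks."""
        def count(*names):
            return sum(1 for ev in self.events.values() if ev & set(names))
        return {
            "sent": count("sent"),
            "opened": count("opened", "clicked", "submitted"),
            "clicked": count("clicked", "submitted"),
            "submitted": count("submitted"),
        }
```

The `metrics` rollup counts recipients, not events, so a user who opens the same email five times is one open; and it folds later funnel stages into earlier ones, because a submission without a logged click or open only means the tracking requests were blocked, not that the user skipped a step.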