Phishing simulations

Phishing simulations increase employee vigilance and proficiency in recognizing and dealing with fraudulent emails; employees are deliberately not told how often these simulations occur.

Recognizing phishing emails and acting appropriately is very important for reducing the likelihood of a cybersecurity incident. After all, the majority of cybersecurity incidents start with an email. In addition, phishing emails are becoming more sophisticated and can hardly be distinguished from authentic emails. This explains why phishing attacks are so lucrative for attackers. A phishing simulation tests your employees’ ability to recognize phishing emails and to act appropriately after receiving one. The simulation is thus an effective way to measure and maintain awareness and alertness among your employees.

Why have a phishing simulation performed?

Phishing is the most common attack scenario by which criminals attempt to gain access to an organization. By sending phishing emails, criminals try to obtain login credentials or infect a computer with malware. Your employees can receive a phishing email at any time. When one of them clicks on an infected link or attachment, it can potentially cause a cybersecurity incident. With a phishing simulation, a similar attack attempt is performed by experts without causing any damage to you or your organization.

Realistic, professional and customized

NFIR works with you to simulate the most realistic attack scenario possible. In an intake meeting between you and our experts, possible scenarios are discussed and the scenario that fits your organization best is mapped out. Customization is possible here. You can choose between generic or company-specific phishing. In addition, you can choose between a phishing attack with a rogue attachment and a phishing attack with a rogue link through which login credentials are harvested. In this way, the phishing simulation mimics an authentic phishing attack as closely as possible.

What types of phishing simulations do we perform?

Mail phishing and spear phishing

You can target a phishing simulation to the entire organization (classic phishing) or specifically target a particular group of employees (spear phishing). We explain that distinction below.

  • Classic mail phishing simulation: This phishing simulation aims to train employees and create more awareness among them. Its purpose is to test employees’ ability to recognize a phishing email. Do they respond appropriately to receiving the phishing email? Is data being entered or are attachments being opened? The classic mail phishing simulation has two variants: an email that contains a rogue link and an email that contains a rogue attachment. In consultation with you, we determine the scenario, domain name and sender. That way, we can deliver each phishing simulation customized to your needs.
  • Targeted spear phishing simulation: The term spear phishing refers to the traditional method of fishing that involves targeting a single fish. In line with this method, spear phishing targets one individual or a select group of individuals within the organization. OSINT (Open Source Intelligence) is used to reach this group: through public information, data about the organization and these employees is uncovered and collected. This involves creative and sophisticated techniques. The simulation then attempts to penetrate the organization’s business-sensitive systems. In doing so, the researchers look for email addresses and suitable scenarios themselves.

Phishing services are often combined with a pen test to also test technical resilience. In addition, the phishing service is part of our Awareness Program. This program helps your organization raise long-term awareness levels and offers a diverse set of annual activities for both employees and management.

Do you also want to be resilient against phishing?

Phishing is among the attack scenarios most frequently chosen by cybercriminals.
Run a phishing simulation of your choice and gain immediate insight into the resilience within your organization.

Also check out our other security awareness services

Frequently asked questions

Phishing simulations are not only used to obtain login credentials for employee accounts. Hacker groups also often place malware on a network by sending rogue attachments by email, so this too can lead to a cybersecurity incident. Practicing how to recognize rogue attachments and how to deal with them appropriately is therefore very useful.

The exact frequency depends on the level of awareness among employees. However, it is advisable to conduct it periodically and practice different scenarios. The power of repetition is very important. We therefore recommend repeating this exercise at least twice a year.

The purpose of the phishing simulations is to make employees aware of phishing emails and to train them to recognize the signs of a phishing email. This awareness should ensure that they ultimately do not fall for authentic phishing emails. When employees know that they could receive a simulated phishing email at any time, they will be constantly alert. A beneficial side effect is that they are generally more alert to all incoming email traffic. It is important here not to tell employees how many phishing simulations you perform per year.

To chart the success of the phishing simulation, we provide a report. This report gives an overview of the most important results. It indicates how many unique mailboxes the simulated phishing email was sent to, how often it was opened, and what actions employees took. Examples of actions include clicking on a link, submitting data, and opening an attachment.
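As an added illustration of the kind of summary such a report contains, the following script is not NFIR's reporting tool but an example written for this page. It assumes a constructed event log in which each record is a (mailbox, action) pair emitted by a simulation platform, counts each action once per unique mailbox, derives rates relative to the number of mailboxes the email was sent to, and lists the mailboxes whose owners should receive follow-up training. The event names and sample addresses are assumptions, not values from the original page.

```python
"""Aggregate phishing-simulation events into a summary report.

Added example, not NFIR's own report format. The event schema below
(mailbox, action) is an assumption about what a simulation platform logs.
"""
from collections import defaultdict

# Actions a simulation platform might record, in report order.
# "sent" is recorded once per mailbox the simulated email went to.
ACTIONS = (
    "sent",
    "opened",
    "clicked_link",
    "submitted_data",
    "opened_attachment",
    "reported",
)

# Actions that indicate the recipient fell for the simulation.
RISKY_ACTIONS = {"clicked_link", "submitted_data", "opened_attachment"}

# Constructed sample events (not real data). Note the duplicate "opened"
# for b@example.com: tracking pixels often fire more than once, so each
# action is counted at most once per mailbox.
SAMPLE_EVENTS = [
    ("a@example.com", "sent"),
    ("b@example.com", "sent"),
    ("c@example.com", "sent"),
    ("d@example.com", "sent"),
    ("a@example.com", "opened"),
    ("a@example.com", "clicked_link"),
    ("a@example.com", "submitted_data"),
    ("B@example.com", "opened"),      # mailbox case differs from "sent"
    ("b@example.com", "opened"),      # duplicate open for the same mailbox
    ("c@example.com", "opened"),
    ("c@example.com", "opened_attachment"),
    ("c@example.com", "reported"),    # reported it to security afterwards
]


def summarize(events):
    """Return {action: number of unique mailboxes that took that action}."""
    per_action = defaultdict(set)
    for mailbox, action in events:
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action!r}")
        # Normalize the address so case differences do not split one mailbox.
        per_action[action].add(mailbox.strip().lower())
    return {action: len(per_action[action]) for action in ACTIONS}


def rates(summary):
    """Return each action's share of the mailboxes the email was sent to."""
    sent = summary["sent"]
    return {
        action: (summary[action] / sent if sent else 0.0)
        for action in ACTIONS
        if action != "sent"
    }


def follow_up_list(events):
    """Sorted mailboxes whose owners took a risky action (for training)."""
    return sorted(
        {mailbox.strip().lower() for mailbox, action in events if action in RISKY_ACTIONS}
    )


def report(events):
    """Render the summary as the plain-text overview a report would contain."""
    summary = summarize(events)
    ratio = rates(summary)
    lines = [f"Simulated email sent to {summary['sent']} unique mailboxes"]
    for action in ACTIONS[1:]:
        lines.append(f"  {action:<18}{summary[action]:>4}  ({ratio[action]:.0%})")
    lines.append(f"Follow-up training: {', '.join(follow_up_list(events)) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS))
```

Counting per unique mailbox rather than per raw event matters in practice: open-tracking pixels and link previews can fire several times for one recipient, and a report that counted raw events would overstate how many people opened or clicked.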

NFIR works with a number of formats in which we can incorporate your requirements. Together with you, we will devise the form and content of the phishing simulation and ensure that the simulation fits your organization.

Several formats can be chosen for the phishing simulations. It is possible to choose a simulation in which an infected link is simulated. However, there are other forms of phishing that we encounter in practice. Nowadays, it is also common for phishing emails to contain an untrusted attachment. For example, a Word document containing a hidden macro may be attached. The moment this attachment is opened, the macro can activate malware.