Phishing is a form of social engineering attack that uses email to solicit information, typically by posing as a reputable organization. An attacker may send an email that appears to come from a well-known credit card company or online shopping site, requesting account information (often by suggesting that there is a problem with the account).
Common phishing emails:
- Fake communications from online payment and auction services
  - These emails claim there is a “problem” with your account and request that you visit a (usually malicious) web page to provide personal and/or account information.
- Fake communications from an IT Department or Support Department
  - These emails attempt to steal passwords and other information that phishers can use to penetrate your organization’s networks and computers.
- Bogus business opportunities
  - These scams promise the opportunity to make a great deal of money with very little effort.
- Health and diet scams
  - These scams prey on the insecurities some people have about the state of their well-being.
- Discount software offers
  - These scams frequently consist of advertisements for cheap versions of commercial software, which can contain malware such as Trojan horses.
When the target responds with the requested information, attackers can use it to gain access to the victim’s accounts.
The NCI Approach:
NCI’s custom phishing exercises take social engineering to the next level. NCI tailors a phishing campaign to the specific organization in order to assess the client’s user base and determine how effectively users handle a targeted attack at different levels of sophistication.
NCI will work with you to craft specially targeted emails to your employees, sent from a domain similar to that of the legitimate organization or a trusted third party. We monitor user response to determine click-through rates and/or whether confidential information was entered. The outcome of the campaign shows how effective the organization’s security education, training and awareness program is, and how prepared the client is to handle a targeted phishing attack.
The engagement includes registering a “similar” corporate or trusted third-party domain, ownership of which can be transferred to the client after the engagement. NCI also purchases a verified SSL certificate on your behalf to ensure that any transmission of credentials is protected in transit.
NCI’s test of your organization’s resistance to human-based attack vectors provides clients with deliverables that contain phishing metrics and recommendations for improving your security program. Our goal is to give you a clear understanding of your organization’s security awareness posture and its areas for improvement.
How prepared is your team to handle a Phishing attack?
Contact us to find out: