Social engineering exploits one of the weakest links in security. The technique uses persuasion and manipulation of people to acquire unauthorized access and/or obtain sensitive information. One of the most common vehicles for social engineering is email, in the form of a phishing attack.
Many of the recent breaches that have made news headlines were due, in part, to targeted “spear” phishing campaigns. As organizations have stepped up their perimeter security, hackers have pivoted to users and client-side attacks to penetrate their targets. As an example, these phishing tactics were leveraged during both Operation Aurora and Operation Night Dragon. The list of publicly known companies that have been affected by spear phishing attacks continues to grow; major companies affected have included Google, Adobe, Yahoo, Rackspace, Juniper Networks, Morgan Stanley, Symantec, Northrop Grumman, Dow Chemical, Exxon Mobil, Marathon Oil, ConocoPhillips, BP, and Baker Hughes.
A simulated phishing campaign provides two key benefits to a security-conscious organization. First, the results create a benchmark of the organization's vulnerability to a phishing attack, metrics on what percentage of its employee base is likely to fall victim, and a measure of the adequacy of compensating security controls to protect them. Second, a simulated phishing campaign provides structured, on-the-spot user awareness training where employees learn how to help keep the organization safe and secure. Because security awareness is an iterative process, a subscription-based model is available that provides continued training and metrics on improvement over time.