Phishing/Trojan Email
Phishing and trojan email attacks deliver a carefully crafted message that entices a company employee to open an attachment or click an embedded hyperlink. In this simulation, the message is sent broadly rather than tailored to individuals, and the employees who receive it are not known in advance to the security consultant.
Spear Phishing
Spear phishing attacks are similar to phishing attacks but target specific employees who are known to the security consultant. The message is customized to each individual employee.
Baiting (USB drops)
Baiting is an attack using a “found” physical device, such as a USB drive, to install malware or ransomware onto an employee’s computer. In this simulation, the security consultant will leave a malware-infected storage device in a location where it is likely to be found and used by a company employee.
Tailgating
Tailgating attacks are named for the act of following an authorized employee into a secure location. In this simulation, the security consultant attempts to enter restricted physical areas by enlisting the help of the company's employees, for example by having a door held open.
Support Staff and Technical Expert
Technical expert attacks happen when a bad actor impersonates a technical support agent to gain access to a computer or network. In this simulation, the security consultant poses as support or technical staff and attempts to obtain an employee's credentials or access to the employee's computer or network.
The team at InfoSystems Cyber follows a distinct, phased approach to social engineering and phishing simulation that allows us to deliver actionable guidance so you can drive tangible security improvements in your organization.
The experts at InfoSystems Cyber can perform various types of social engineering attacks, phone scams, baiting, and many other simulated attacks to test your cybersecurity defenses. Contact us today to discuss what options are ideal for your organization.
Simulated phishing is an effective method for educating and training team members about the dangers of phishing attacks. Phishing is an attempt to infiltrate enterprise networks or extract private information using email, text messages, social media, or other channels. Typically, the sender asks the recipient to download an attachment or click a link that delivers malware. Once the malware gains a foothold on a device, it attempts to spread across the network and compromise additional devices and data.
Simulated phishing replicates the sequence of a true attack but does so from within an organization. Simulated phishing campaigns are typically conducted by the IT department, the cyber team or through a trusted third-party vendor like InfoSystems Cyber. Employees are exposed to deceptive communication, which may request private information or data transfer. Through the use of simulated phishing tools, which gather metrics on click rates, organizations can gauge employees’ behavior and reactions during a simulated phishing exercise and analyze data for vulnerabilities.
A simulated phishing effort succeeds only if employees are not aware that a simulation is taking place, so that they behave normally and their reactions accurately reflect their actual level of awareness. Attacks come in many forms. The five most common are:
Phishing Emails: Cybercriminals send emails to a large number of people, often from a domain that closely resembles the recipient's enterprise domain, impersonating a fellow employee or partner in order to obtain logins, data, or financial information.
Spear Phishing: These attacks target a specific group. Often, the sender knows the recipient’s name, job title and other relevant information that makes the message and request appear legitimate.
Whaling: In this scenario, criminals primarily target executives and use coercive language to trick the recipient into sharing sensitive information. For example, criminals will engage in correspondence about tax returns to gain access to documents that contain personal information that they can use to exploit the victim.
Smishing & Vishing: Smishing uses text messages and vishing uses voice calls, typically to the target's mobile phone. While the delivery method differs from email, the goal is the same: to persuade the recipient to share sensitive information. In one common ploy, the caller impersonates a credit card fraud detection service, claims to be investigating a bogus charge, and asks for account details in order to "remediate" it.
Angler Phishing: Social media is the vehicle for angler phishing scams. Cloned websites, misleading URLs and malware disguised as photos are typical methods. These attacks, while less prevalent than email phishing scams, are currently on the rise.
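The lookalike-domain trick mentioned under Phishing Emails above is something mail filters and analysts can check for mechanically. The following Python script is an added example written for this page, not InfoSystems Cyber's tooling: it folds a sender domain (punycode, Unicode normalization, a few confusable characters) and then classifies it as internal, lookalike or external relative to the enterprise domain. The corporate domain example-corp.com, the sample sender addresses and the small confusable-character table are all constructed assumptions, and the script runs offline.

```python
"""Flag sender domains that imitate the enterprise domain.

Added example, not from the original page. The corporate domain, the sample
sender addresses and the confusable-character table are constructed for
illustration.
"""
import unicodedata
from difflib import SequenceMatcher

# Constructed: the organisation's own domain.
CORPORATE_DOMAIN = "example-corp.com"

# Constructed: a small table of visually confusable characters and the ASCII
# letter they imitate. A real deployment would use the Unicode confusables data.
CONFUSABLES = {
    "rn": "m", "vv": "w",          # multi-character sequences
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a",                 # Cyrillic small a
    "\u0435": "e",                 # Cyrillic small ie
    "\u043e": "o",                 # Cyrillic small o
    "\u0440": "p",                 # Cyrillic small er
    "\u0441": "c",                 # Cyrillic small es
}


def normalize_domain(domain: str) -> str:
    """Lower-case, strip a trailing dot, decode punycode labels, NFKC-fold and
    replace confusable characters so homoglyph copies collapse onto the ASCII
    domain they imitate. The folded form is used for comparison only."""
    d = domain.strip().rstrip(".").lower()
    if "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: keep the raw form
    d = unicodedata.normalize("NFKC", d)
    # Longest sequences first so "rn" is rewritten before single characters.
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(src, dst)
    return d


def second_level_label(domain: str) -> str:
    """Label just left of the TLD ('example-corp' in 'mail.example-corp.com').
    Two-label suffixes such as .co.uk would need a public-suffix list."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else domain


def classify_sender(address: str, corporate: str = CORPORATE_DOMAIN,
                    threshold: float = 0.85) -> str:
    """Return 'internal', 'lookalike', 'external' or 'invalid' for an address."""
    if address.count("@") != 1:
        return "invalid"
    raw_domain = address.rsplit("@", 1)[1].strip().rstrip(".").lower()
    corporate = corporate.lower()

    # Exactly the real domain or one of its subdomains.
    if raw_domain == corporate or raw_domain.endswith("." + corporate):
        return "internal"

    full = normalize_domain(raw_domain)
    corp = normalize_domain(corporate)
    corp_sld = second_level_label(corp)

    # Folding turned it into the real domain: punycode or homoglyph imitation.
    if full == corp or full.endswith("." + corp):
        return "lookalike"

    # Real name reused as a subdomain or inside a label, e.g.
    # example-corp.com.evil-domain.net or secure-example-corp.net.
    # Very short corporate names would need a tighter check here.
    if any(corp_sld in label for label in full.split(".")[:-1]):
        return "lookalike"

    # Typo-squat: second-level labels that are nearly identical
    # (exampel-corp.com, example-c0rp.com after folding).
    if SequenceMatcher(None, second_level_label(full), corp_sld).ratio() >= threshold:
        return "lookalike"

    return "external"


def triage(addresses):
    """Classify a batch of sender addresses; returns {address: verdict}."""
    return {a: classify_sender(a) for a in addresses}


if __name__ == "__main__":
    # Constructed sample senders: genuine, subdomain, several imitations, one partner.
    SAMPLE_SENDERS = [
        "hr@example-corp.com",
        "no-reply@mail.example-corp.com",
        "hr@examp1e-corp.com",                      # digit one for letter l
        "hr@ex\u0430mple-corp.com",                 # Cyrillic a
        "billing@example-corp.com.evil-domain.net", # real name as a subdomain
        "it-support@exampel-corp.com",              # transposition
        "it-support@example-corp.co",               # TLD swap
        "orders@partner-supplies.com",
    ]
    for addr, verdict in triage(SAMPLE_SENDERS).items():
        print(f"{verdict:9s} {addr}")
```

The similarity threshold and the substring check are tuning knobs: a short corporate name or a legitimate domain containing digits will produce false positives, so verdicts of "lookalike" are a triage signal for the reviewer, not an automatic block.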
Phishing tests can be used to educate team members about the common characteristics of phishing attacks, such as an email that at first glance appears innocent or legitimate. Through phishing tests, employees can be taught to verify email requests for information through a secondary channel, such as a phone call to a known number. Phishing tests can also be used to meet compliance training requirements.
It is crucial to conduct simulation tests regularly. InfoSystems Cyber has the expertise and resources to ensure an organization’s staff knows how to respond (or not respond) to phishing scams. Our experts can support simulated phishing needs through comprehensive managed services or by providing the tools and training necessary for in-house teams to conduct their own phishing campaigns.
Phishing scams pose significant and imminent threats and need to be taken seriously. When regular simulated phishing exercises are conducted with a trusted partner, you empower your employees to maintain a strong security posture.
© 2023 InfoSystems, Inc. All Rights Reserved.