Improving employee security behavior can create a lot of questions - hopefully we have answers to your questions below.
Can I choose the email that gets sent?
Yes. As part of the requirements and design process, we’ll generally present multiple scenario ideas for you to choose, allowing you to fine tune for your organization and audience. The email can be a basic plain or rich text email, or more complex HTML messages, and fully responsive allowing a fluid experience on tablet and mobile devices.
What aspects of phishing attacks can you test?
We are able to track the messages themselves being delivered, as well as being opened and links being clicked to a potential dangerous website. Once on the website, we can capture credentials (usernames and passwords), as well as simulate a malicious payload download.
What training do you provide?
At the end of each assessment, each employee that chooses to click the email, or follow the actions as per your scenario, can have training delivered at the point where it matters most, right after any click, credential capture or download action.
We can also offer classroom sessions and online training courses, with modules customized for your organization.
We’d like a real download – what types do you offer?
We can offer payload downloads in a variety of formats, including Word and Excel macros through to full PowerShell enabled downloads for more complex engagements.
Should we tell our employees they are about to be phished?
To measure the impact and provide a real snapshot of your organization under the same conditions a real attack would occur, we recommend that you don’t pre-warn your employees.
In some situations, it may be advisable to give key stakeholders advanced warning if they are not directly on the target list, for example, helpdesks or IT support.
What is considered a good or bad result?
The answer depends on many factors – your organization (and whether they have already had security awareness training), the complexity of the scenario chosen, as well as whether the simulation was clicks only, credentials capture or included a download.
Is clicking a phishing email link so bad?
In short, yes. A click alone on a malicious email could yield an attacker with a wealth of information for follow up attacks. Not only would this confirm the email was delivered successfully to a real, active email account, but it would reveal the operating system and browser, as well as any installed plugins. This information would then be useful to tailor future attacks.
Second to this, an attacker could leverage browser or 3rd party exploits once the specific version had been identified, which could open up your corporate network to larger scale cyber attack.
Teaching employees on how to spot phishing emails through our simulated attacks and training helps protect your confidential corporate data from online threats.
Who will be my point of contact through a campaign?
Every client is assigned a delivery manager, who will be your point of contact in case you need to ask anything, at any time, regarding your assessment. If you need to change the wording of an email, re-schedule the start time or adjust the training pages, simply let them know and we’ll take care of it our end.
Can I see the results as they happen?
Yes, our client dashboard allows you to monitor the progress through the design and setup phases, through to real-time reporting as the emails are sent and acted upon. User logins can also have target data anonymized so you can give different access to different departments throughout the engagement.
Security and Privacy
Do you have to capture login credentials?
No. We offer you the option of not storing credentials at all, storing them in a secure hashed format or storing them as clear text. Storing them in hashed or clear text formats allows us to check if passwords have remained the same between assessments, however, we're still able to perform basic password auditing (checking length, complexity etc) without storing the passwords at all.
If you do capture credentials, are they stored securely, and for how long?
If permitted to store them, we store them only until the next assessment (up to a maximum of 6 months) and are able to provide a certificate of secure deletion after erasing the stored credentials. We store all credentials as secure, salted SHA-512 hashes. Access to hashes is controlled – only relevant employees that hold HMG Security Clearance have the ability to access captured credentials.
Can passwords be intercepted between employees and the phishing website?
Your security is paramount to us. We use industry standard secure 128-bit SSL encryption for all data between employees and the phishing websites, including credentials, to prevent interception of sensitive data.
Do you identify individual employees within the reports?
No, unless specifically requested by a client. Susceptibility is reported by organisational departments, offices and geographic regions but does not name specific individuals unless requested. We can also split results across multiple reports based on employees if required.
Do you use malicious payloads / viruses / exploits?
No, unless specifically requested by a client. Our Phishd: Assess service is designed to have as minimal an operational overhead as possible for our clients, so we don’t supply payloads or perform any exploitation/ activities that could have a negative impact on your business or its assets. If exploitation or a real payload is required, we have the capacity to do this – talk to us for more details.
How do you measure Incident Response?
We ask client’s incident response / IT security teams to bcc email@example.com / firstname.lastname@example.org into an email that they send out to employees when a phishing attack is detected. phish’d automatically identifies these emails and records the time that the response was issued. This lets us track response speeds historically, compare them against an industry average and also test the effectiveness of the response (i.e. did your employees still click on the link within the email after an internal response?).
The Phishing Assessment
What is measured during the Phishing Assessment?
Phishd: Assess monitors employees who click the link, those who enter credentials and those who click on a ‘download’ link (no payload is generally supplied, unless requested).
How do you search ‘high visibility’ emails?
We perform a basic automated search for high visibility email addresses as part of the phish’d: Assess service, and use a blended automatic/manual approach for our phish’d: Threat Intelligence service to provide a much more comprehensive coverage.
We look to identify any email addresses belonging to your organisation that can be found in public and private sources of information online; generally these email addresses will be more likely to be targeted as part of a real-world phishing attack.
What about staff who are out of office or off-site?
The phishing sites used by MWR are specifically designed never to perform attacks against the actual computer (i.e. by exploiting vulnerabilities in client-side software). However, as an optional extra level of assurance, MWR is able to restrict the location(s) from which employees can access the phishing websites if they do click on the link. These restrictions are based on whitelisting IP addresses, and provide assurance to clients that employees can only access the phishing websites from known client offices and networks.
In addition, we are able to detect and report upon the numbers of employees who have an ‘Out of Office’ autoreply set.
Can the email scenarios sent be customised?
Yes. Bespoke scenarios can be made for individual companies on request and the phishing emails can be customised to include company specific data. We generally use spear-phishing emails similar to those by APT actors, but if you want something different, just ask!
How long does a Phishing Assessment run for?
Generally our Phishing assessments run for 3 working days, however, this can be decreased or extended as required for no additional cost. After an assessment ends, the phishing website is taken offline.
We want a payload, can you do this?
Yes. Generally we advise clients not to use payloads to minimise internal resource overhead, however, if you would like us to use live payloads in the assessment then this is something we can do on request. Payloads can do anything from simply taking a screenshot, through to giving us complete remote access to employee workstations. Talk to us for more details.
Resourcing and Management
How much resource do I need to give phishd?
None. One of the great aspects of our phishd services is that they are fully managed in-house here at MWR so no resource is needed from you to perform assessments, training or threat intelligence research; not even the IT department.
Some of our larger clients, generally those with very specific requirements, prefer to run our phishd services as a virtual/physical appliance inside their own infrastructure, which is available on request.
Do I have to tell my IT team an assessment is taking place?
Yes, whilst we always advise our clients to keep knowledge of the assessment to a bare minimum, in order to keep it as realistic as possible we recommend that a number of key personnel are kept informed: CSO/CIO, Heads of IT & Heads of Incident Response Teams. We advise that these employees are given a contact email within your organisation for any concerns during the assessment, and we also assign a contact inside MWR during your assessment who is happy to be approached by these employees to help address any concerns or issues they might have.
What do you need from us?
All we need to commence an assessment is a list of email addresses, ideally with department and office information.
We can supply a sample spreadsheet for you to complete and return on request.
I am already using another Phishing service. Can I move my historical data across?
Yes. phishd is set up for successful data migration between phishing platforms, we’ll handle the migration for you free of charge.
How much do your phishd services cost?
The pricing is variable depending upon which individual service(s) you require, and the number of employees to be
For our phishd: Assess and phishd: Training services,pricing is based on the number of employees included and depends on frequency of the assessments desired, which can be quarterly, bi-annually or annually.
For our phishd: Threat Intelligence service, pricing is based upon the level of service (basic or complete) and the frequency, which can be monthly, quarterly, bi-annually or annually.
How are the results broken down for phishd: Assess?
The end report is broken down into internal and external threat results.
The internal results compromise of susceptibility measurement; which performs a range of analysis including susceptibility by geographical region, office, department and device type. The internal results section also includes an analysis of your internal incident response speed and effectiveness. For clients that perform more than one assessment, we breakdown these results and also include historic trending to allow you to determine susceptibility over time.
The external threat section details basic external threats including verbose information within WHOIS lookups, domain squatting opportunities and publicly disclosed employee email addresses. For those clients who also choose to utilise our phishd: Threat Intelligence service, the external threat section of the report will be a comprehensive breakdown on external threats. Reports can be broken up differently on request.
Can't find your answer?
If you're still left with questions about improving your employee security behavior then simply fill out the below form and a member of the team will contact you straight away.