The call comes in from your head of IT. All across your organization, people are opening strange emails designed to look like company correspondence. In some cases, your employees are falling for the dupe and clicking on the URL in the body of the email.
As they do, the page behind the link drops a payload onto their machines. From that first foothold the attacker opens a backdoor and starts working toward the rest of the network. As you listen, you know the attacker on the other end has a way into your company's systems and will begin rooting around for data and for further weaknesses to exploit. The damage could be considerable. You smile; the plan has worked perfectly.
As you hang up the phone you think about the security firm your company hired to test its defenses. This is a friendly phishing attack, run to find weaknesses before a real attacker does. Whatever holes it turns up, you know your first move must be to educate your employees about the importance of cybersecurity.
What Is Phishing?
Phishing is one of the methods attackers use to breach a company's network. It is a social engineering attack: it targets people rather than the network itself.
Phishing usually takes the form of fraudulent emails posing as legitimate correspondence, sent to a company's employees in general or, in the more targeted form known as spear phishing, to a specific individual. "Your password is about to expire, you must click this link within 24 HOURS or lose access to your account" is a common example.
By tricking an employee into clicking a malicious link, whether it installs malware without the target noticing or leads to a look-alike login page that captures whatever is typed into it, the attacker gains a foothold from which to break further into your company's network and steal data, login credentials, and credit card numbers.
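The password-expiry lure above is the kind of email a workshop teaches people to spot, and the give-away is usually the link itself: the visible text claims one domain while the href points somewhere else, or the destination is not a domain the organization uses. The following is an added example (not code from the original article) that automates exactly that check over an HTML email body; the email, the trusted-domain list, and the look-alike domain `sso.example-com-login.net` are all constructed for the example.

```python
"""Flag the tell-tale links of a credential phish in an HTML email body.

Added example, not the article's own code. It checks two things a reader can
also verify by hovering over a link: (1) the link's visible text names one
domain but the href leads to another, and (2) the href host is not one of
the organisation's own domains. Email body and domain list are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the (hypothetical) organisation actually uses.
TRUSTED_DOMAINS = {"example.com"}

# Visible link text that looks like a URL or bare domain, e.g. "sso.example.com/reset".
_DOMAINISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

# Constructed phishing email: urgency, plus a link whose text lies about its target.
SAMPLE_EMAIL = """
<p>Your password is about to expire. You must reset it within 24 HOURS
or lose access to your account.</p>
<p><a href="http://sso.example-com-login.net/reset">https://sso.example.com/reset</a></p>
<p>Questions? See the <a href="https://intranet.example.com/help">help desk page</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data        # text may arrive in several chunks

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def _host(url_or_domain):
    """Lower-cased host of a URL or bare domain ('' if there is none)."""
    text = url_or_domain.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def _is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(html_body):
    """Return [(href, reason), ...] for every link that looks like a phish."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host = _host(href)
        text_host = _host(text) if _DOMAINISH.match(text.strip()) else ""
        if text_host and text_host != href_host:
            findings.append((href, f"link text shows {text_host} but points to {href_host}"))
        elif not _is_trusted(href_host):
            findings.append((href, f"{href_host} is not an organisation domain"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```

Run against the constructed email it reports the reset link once (text says `sso.example.com`, href goes to `sso.example-com-login.net`) and leaves the genuine intranet link alone. The same mismatch rule is what mail-security gateways apply when they rewrite or block links, and it is the single habit most worth drilling in a workshop: read the real destination, not the words on the link.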
How Could Phishing Ever Be “Friendly”?
The reason you smiled when you got the call from your IT department was that this particular phishing attack was a well-designed exercise run by a company you hired to test your vulnerability to phishing. The most direct way to measure your current risk from phishing is to run a phishing attack against yourself.
By deliberately phishing your own company, you simulate the kind of attack a real adversary would attempt. The difference is that instead of breaking in to steal, destroy, or blackmail, a friendly operator records who opened the emails, who clicked the links, when they did so, and from where.
Okay, a Friendly Hacker. But—Why?
The best reason to run a friendly phishing "scam" is to assess your current level of vulnerability. By testing it yourself, you learn not only how vulnerable you are but where the weaknesses are, so you can target training or fixes at the people and processes that need them.
Did your entire accounting department open the email? Now you know it is a good time to run that department through workshops on spotting fake emails. Most phishing-simulation services let you customize the templates so the lures are as convincing as the ones a real attacker would send. Two practical caveats: measure clicks and submitted credentials rather than opens, because open tracking depends on a tracking pixel that many mail clients block, and report results by department rather than by name, since the aim is to train people, not to shame them. Perhaps you have been considering more security training for your staff. What better way to show everyone they need it than with data demonstrating they have already failed an attack?
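The "who, when, and where" tracking described above works because every recipient gets a different link. As an added example (not code from the article or from any real simulation product), the following builds those links so the token in each URL is an HMAC over the campaign id and the recipient's address, which means a token cannot be guessed, shared between people, or tampered with, then reads constructed web-server log lines from the landing page and produces the per-department click report. The tracking host `track.example.net`, the campaign secret, and the staff directory are assumptions for the example.

```python
"""Attribute clicks in a phishing simulation and report by department.

Added example, not code from the article or from any real product. Every
recipient's link carries an HMAC token bound to the campaign and their
address, so a click can only be attributed to the person it was sent to and
a forged or guessed token is ignored. Log lines and staff list are constructed.
"""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Assumptions for the example: per-campaign secret held only by the tracking
# server, a constructed staff directory, and an assumed landing host.
CAMPAIGN_ID = "q3-password-expiry"
CAMPAIGN_SECRET = b"replace-with-a-random-per-campaign-secret"
TRACKING_HOST = "https://track.example.net"
STAFF = {
    "alice@example.com": "accounting",
    "bob@example.com": "accounting",
    "carol@example.com": "engineering",
    "dave@example.com": "engineering",
}


def make_token(email):
    """Unforgeable per-recipient token: HMAC-SHA256 over campaign id and address."""
    msg = f"{CAMPAIGN_ID}|{email}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def lure_url(email):
    """The link embedded in this recipient's copy of the simulated email."""
    return f"{TRACKING_HOST}/reset?c={CAMPAIGN_ID}&t={make_token(email)}"


def resolve_token(token):
    """Map a token back to a recipient, or None if it is unknown or tampered with."""
    for email in STAFF:
        if hmac.compare_digest(make_token(email), token):
            return email
    return None


# Constructed log lines from the landing page: "<timestamp> <client ip> <path>".
CLICK_LOG = [
    f"2024-05-02T09:14:02 10.0.1.15 /reset?c={CAMPAIGN_ID}&t={make_token('alice@example.com')}",
    f"2024-05-02T09:15:40 10.0.1.22 /reset?c={CAMPAIGN_ID}&t={make_token('bob@example.com')}",
    f"2024-05-02T09:15:51 10.0.1.22 /reset?c={CAMPAIGN_ID}&t={make_token('bob@example.com')}",  # second click
    f"2024-05-02T10:02:11 10.0.2.40 /reset?c={CAMPAIGN_ID}&t={make_token('carol@example.com')}",
    f"2024-05-02T10:30:00 203.0.113.9 /reset?c={CAMPAIGN_ID}&t={'0' * 32}",  # guessed token
    "2024-05-02T10:31:00 10.0.2.41 /favicon.ico",                             # unrelated hit
]


def parse_clicks(lines):
    """Return {email: time of first click} from raw log lines, ignoring junk."""
    first_click = {}
    for line in lines:
        stamp, _ip, path = line.split(" ", 2)
        params = parse_qs(urlparse(path).query)
        if params.get("c") != [CAMPAIGN_ID] or "t" not in params:
            continue                                  # not a lure for this campaign
        who = resolve_token(params["t"][0])
        if who is None:
            continue                                  # never attribute a bad token to anyone
        when = datetime.fromisoformat(stamp)
        if who not in first_click or when < first_click[who]:
            first_click[who] = when
    return first_click


def department_report(first_click):
    """{department: (clicked, targeted, click_rate)} for the whole campaign."""
    targeted = defaultdict(int)
    clicked = defaultdict(int)
    for email, dept in STAFF.items():
        targeted[dept] += 1
        if email in first_click:
            clicked[dept] += 1
    return {d: (clicked[d], targeted[d], clicked[d] / targeted[d]) for d in targeted}


if __name__ == "__main__":
    for dept, (hit, total, rate) in department_report(parse_clicks(CLICK_LOG)).items():
        print(f"{dept}: {hit}/{total} clicked ({rate:.0%})")
```

On the constructed log this reports accounting at 2/2 and engineering at 1/2: Bob's second click is collapsed into his first, the guessed all-zeros token is dropped rather than attributed, and the favicon request is ignored. Because the report is keyed by department, it is ready to hand to whoever schedules the workshops without turning into a list of names.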
Phishing attacks happen every day. No matter how well your network is protected by firewalls and other controls, people remain the easiest way in. It is far better to find out now where you are least prepared, through a phishing exercise of your own that ends in training workshops, than to discover that a thousand employees have handed over their login credentials and a dozen attackers are hiding in your network.