Phishing is a deceptive communication that disguises itself as a legitimate one, and it is perhaps the best-known type of cyber attack. Section has over a decade of experience designing and executing targeted phishing campaigns against SMEs and large enterprises, with a track record of thousands of phishing emails.
Simulated Phishing Attacks
The dangers of phishing are well documented: it constitutes approximately 91% of all cyber attacks in the wild, serving as the delivery method for everything from malicious backdoors to ransomware attacks. To combat malicious phishing emails, employees need hands-on training in how to effectively identify, mitigate and report them. Section provides simulated phishing attacks that are 100% similar to real phishing emails. We believe in providing attacks that are as close to real ones as possible. However, our malware is benign and causes no harm, making the phishing tests completely safe for your company and your employees.
When performing simulated phishing attacks, Section applies a black box testing approach: the attack is conducted from outside the client environment and requires no prior knowledge of the target(s), thereby simulating a real-world attack scenario. Most phishing tests are conducted from inside the firewall, but at Section we believe that reduces a phishing test to merely testing the human factor of cyber security. We want to test the technical aspects as well, including the firewall, endpoint security, spam filter and mail server configuration.
We engage with our clients before conducting a phishing test in an effort to understand their requirements, and we perform an initial assessment to define the scope of the phishing campaign. Some clients only require 3-5 phishing attacks a year, while others prefer continuous attacks to ensure a constant high awareness level amongst their employees, amounting to hundreds - or even thousands - of yearly phishing attacks.
Prior to conducting the attacks, Section performs initial cyber reconnaissance in an effort to locate information that can be utilized in the attack phase. The information collected may include usernames, email addresses, company assets, and more.
Once we have collected the necessary information, we begin initial probing of the target company, which will reveal information that helps us ensure the phishing attacks are successfully delivered.
Once ready, we design the targeted phishing emails and execute the attack by sending them to the employees. The emails may contain benign simulated malware that is intended to emulate real malware.
The results of the phishing campaign are analysed and reported back to the client in full, with identification of vulnerabilities, their employees' susceptibility to phishing emails (anonymized) and associated risks, as well as an action list of recommendations.
Once a baseline phishing susceptibility level has been established, clients will typically select our awareness training, where employees are taught practical methods to identify phishing attempts. You can read more about our awareness training here.