Background

A non-banking financial company that handles large amounts of confidential data recognized that there is only so much technology can do to reduce risk, because the bulk of the responsibility rests with its employees. Educating employees and raising awareness of the situations they are likely to encounter daily would therefore ultimately help the organization mitigate those risks.

They wanted to gauge how susceptible their employees were to phishing attacks, but they did not want a simplistic, one-off test.

What We Did

We sent out 4000 emails over a period of one year, using different scenarios delivered across several simulations. One scenario purported to come from a major credit card provider. The email was a classic scam of the kind commonly seen in PayPal- and eBay-themed phishing: it told recipients that the credit card company had noticed "suspicious activities" on their accounts and instructed them to click a link to verify and update their personal information.

The landing page then asked for the usual details such as name, email, address and occupation. In a real attack, harvesting these details would be only the first step; an attacker would use them to work out the rest and home in on the targeted organization.

Occasionally, trickier and more difficult simulations were sent so that users did not become complacent over time.

Outcome

Prior to the phishing campaign, the susceptibility rate to phishing attempts was approximately 31%, with an almost non-existent reporting culture. By the end, the susceptibility rate had dropped to around 7%, with significant improvements in the organization's reporting culture. A 92.96% compliance rate was achieved in the final quarter of the phishing campaigns.
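As an added example (not part of the case study above, and not the vendor's tooling), a small Python script that computes the two metrics reported here, susceptibility rate and reporting rate, per campaign from simulation event records. The campaign names, recipients and events are constructed sample data; each recipient is counted once per campaign, and a recipient who clicked and then reported is counted in both figures, since reporting after a mistake is still the behaviour the programme wants to grow.

```python
from collections import defaultdict

# Constructed sample of simulation events, not real campaign data.
# Each record is (campaign, recipient, action), where action is one of
# "sent", "clicked", "submitted" (entered data on the landing page) or "reported".
SAMPLE_EVENTS = [
    ("Q1-card-alert", "alice", "sent"),
    ("Q1-card-alert", "alice", "clicked"),
    ("Q1-card-alert", "alice", "submitted"),
    ("Q1-card-alert", "bob", "sent"),
    ("Q1-card-alert", "bob", "clicked"),
    ("Q1-card-alert", "bob", "clicked"),      # a repeated click counts once
    ("Q1-card-alert", "carol", "sent"),
    ("Q1-card-alert", "carol", "reported"),
    ("Q1-card-alert", "dave", "sent"),        # ignored the email entirely
    ("Q4-card-alert", "alice", "sent"),
    ("Q4-card-alert", "alice", "reported"),
    ("Q4-card-alert", "bob", "sent"),
    ("Q4-card-alert", "bob", "clicked"),
    ("Q4-card-alert", "bob", "reported"),     # fell for it, then reported it
    ("Q4-card-alert", "carol", "sent"),
    ("Q4-card-alert", "carol", "reported"),
    ("Q4-card-alert", "dave", "sent"),
    ("Q4-card-alert", "dave", "reported"),
]


def campaign_metrics(events):
    """Per-campaign susceptibility and reporting rates (percent), one count per recipient."""
    per_campaign = defaultdict(lambda: defaultdict(set))
    for campaign, recipient, action in events:
        per_campaign[campaign][action].add(recipient)

    result = {}
    for campaign, actions in per_campaign.items():
        sent = actions["sent"]
        if not sent:
            continue  # nothing delivered, so no rate to compute
        # Susceptible = interacted with the lure (clicked or submitted data).
        susceptible = (actions["clicked"] | actions["submitted"]) & sent
        reported = actions["reported"] & sent
        result[campaign] = {
            "sent": len(sent),
            "susceptibility_rate": round(100 * len(susceptible) / len(sent), 2),
            "reporting_rate": round(100 * len(reported) / len(sent), 2),
            "reported_after_click": len(susceptible & reported),
        }
    return result


if __name__ == "__main__":
    for name, metrics in sorted(campaign_metrics(SAMPLE_EVENTS).items()):
        print(name, metrics)
```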