Strengthen resilience with phishing tests
Phishing is the most common attack vector for infecting employees' computers with malicious code. In this attack method, someone (often by e-mail) claims to be, for example, an employer, a bank, an authority or another company in order to obtain sensitive information. Another common variant is to hijack the computers of users who click links in phishing e-mails by exploiting well-known security deficiencies, e.g. in browsers.
To strengthen resistance to phishing attacks, Sentor offers phishing tests. As part of Sentor's phishing test, we design and run one or more custom phishing campaigns in a controlled way. These campaigns target a recipient list, either specified by the customer or established by Sentor through Threat Intelligence and by mapping the customer's organisation through publicly available sources.
Provides a clear picture of current status and improvement areas
The result of a phishing campaign consists of a number of metrics that clearly indicate the customer's current status and areas for improvement. One of the deliverables is a report containing the following measurement values:
CTR – Click-Through Rate – Percentage of users who click on links.
ILR – Information Leakage Rate – Percentage of users who enter potentially sensitive data on the linked phishing page.
BPL – Browser Patch Level – Patch level status, as a percentage, of the browsers used to open the phishing page.
FOR – File Opener Rate – Percentage of users who open attachments.
OMER – Office Macro Execution Rate – Percentage of users who open attached Office files and run macros.
ESR – External Source Rate – Percentage of clicking (CTR) users who connect from IP addresses other than the customer's own.
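The following Python script is an added example of how the six measurement values above can be derived from per-user campaign event records; it is not Sentor's code. The event record shape, the customer network range and the denominators (all recipients for CTR, ILR, FOR and OMER; clicking users for BPL and ESR) are assumptions made here, and the sample events are constructed.

```python
"""Derive phishing-campaign metrics (CTR, ILR, BPL, FOR, OMER, ESR) from event records.

Added example, not Sentor's code. Denominators and record layout are assumptions.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Constructed sample data: a hypothetical campaign with ten recipients.
RECIPIENTS = [f"u{n:02d}" for n in range(1, 11)]

# Address ranges the customer considers its own (constructed, documentation range).
CUSTOMER_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed events as a landing page or mail gateway might log them.
# Event types: click (with source IP and browser patch state), submit
# (form data entered), open_attachment, macro (macro executed).
EVENTS = [
    {"user": "u01", "type": "click", "ip": "198.51.100.5", "browser_patched": True},
    {"user": "u01", "type": "click", "ip": "198.51.100.5", "browser_patched": True},  # repeat click, counted once
    {"user": "u01", "type": "submit"},
    {"user": "u02", "type": "click", "ip": "203.0.113.7", "browser_patched": False},
    {"user": "u03", "type": "click", "ip": "198.51.100.8", "browser_patched": True},
    {"user": "u04", "type": "click", "ip": "198.51.100.9", "browser_patched": False},
    {"user": "u04", "type": "submit"},
    {"user": "u05", "type": "open_attachment"},
    {"user": "u05", "type": "macro"},
    {"user": "u06", "type": "open_attachment"},
    {"user": "u08", "type": "click", "ip": "203.0.113.20", "browser_patched": True},
    {"user": "crawler", "type": "click", "ip": "203.0.113.99", "browser_patched": True},  # not a recipient
]


def _is_external(ip: str, networks) -> bool:
    """True when the address lies outside every customer-owned network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in networks)


def _pct(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def campaign_metrics(recipients, events, networks=CUSTOMER_NETWORKS) -> dict[str, float]:
    """Count distinct users per event type and express each metric as a percentage."""
    recipient_set = set(recipients)
    users_by_type: dict[str, set[str]] = defaultdict(set)
    patched: dict[str, bool] = {}  # last observed browser patch state per clicking user
    external: set[str] = set()
    for ev in events:
        if ev["user"] not in recipient_set:  # ignore hits that are not from the recipient list
            continue
        users_by_type[ev["type"]].add(ev["user"])
        if ev["type"] == "click":
            patched[ev["user"]] = bool(ev.get("browser_patched", False))
            if "ip" in ev and _is_external(ev["ip"], networks):
                external.add(ev["user"])
    clickers = users_by_type["click"]
    n = len(recipient_set)
    return {
        "CTR": _pct(len(clickers), n),
        "ILR": _pct(len(users_by_type["submit"]), n),
        "BPL": _pct(sum(patched.values()), len(clickers)),
        "FOR": _pct(len(users_by_type["open_attachment"]), n),
        "OMER": _pct(len(users_by_type["macro"]), n),
        "ESR": _pct(len(external), len(clickers)),
    }


if __name__ == "__main__":
    for name, value in campaign_metrics(RECIPIENTS, EVENTS).items():
        print(f"{name}: {value}%")
```

Users are counted once per event type regardless of how many times they click, hits from addresses that are not on the recipient list are dropped before counting, and a browser that is patched on one click and unpatched on a later one is recorded with its last observed state.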
Increases the awareness of susceptible employees
Users who click on phishing links in our campaigns end up on an information page that explains how to avoid the same trick next time, reducing the likelihood that the user will be fooled again.
We conduct two campaigns of different difficulty levels in parallel: one that is easier for susceptible users to detect and one that is harder to recognise. The aim is to measure the organisation's resilience to different types of attackers, both less skilled ones who target a wide range of victims at once and attackers who tailor campaigns to selected individuals in a particular organisation with higher precision.
Delivered in subscription form or as separate tests
We deliver phishing tests either as a separate test or as a subscription with campaigns performed at a selected frequency, e.g. monthly or quarterly. Customers with phishing subscriptions can clearly see trends in metrics such as Click-Through Rate over time, showing how much more resilient the organisation has become through the specific training that each phishing test entails.
In addition, we provide Security Awareness Training, where results and "war stories" from the recent phishing test can be presented to achieve an "aha" effect among employees. Security Awareness Training provides an increased level of resilience for subsequent phishing tests or real phishing attacks.