A phishing assessment attempts to gain sensitive information or access from a target user through coercive emails. This method of engagement is particularly effective, as attackers can often leverage public information to craft compelling emails while impersonating someone trustworthy—perhaps even individuals within the target organization.
The primary concern with a well-organized phishing campaign is that attackers often use it as a stepping-stone for larger attacks. Accordingly, Rhino Security Labs tailors each phishing assessment to your organization’s personnel and explores the full potential of a successful compromise with unparalleled depth, ending with a detailed social engineering report.
Phishing is the act of sending malicious emails to a target. Usually, attackers do this under the guise of a credible individual or organization. The attacker may go to great lengths to establish some degree of credibility and then prompt the target to surrender personal information such as passwords or PINs.
Despite being an older technique, phishing attacks continue to be very effective and remain a consistent threat to digital security.
More Than Just an Automated Service
While a number of “point-and-click” tools out there tell you how likely users are to click a link, there’s always a critical piece missing: potential impact. Without leveraging the phishing engagement into a larger campaign, how do you know the real risk to the environment? We go beyond automated testing with a full attack simulation to identify the impact of social engineering.
Detailed Risk Breakdown Report
Risk boils down to two factors: the likelihood of an attack vector and the potential impact it would have. If a phishing service does not include both pieces, it cannot fully measure risk. We are the only social engineering provider that includes both elements in our social engineering assessment reports.
Targeted Spearphishing Capabilities
Spearphishing is a highly targeted phishing attack against a specific user (rather than a generic pretext sent to a group of people). Starting each engagement with reconnaissance and information gathering, we build these highly targeted capabilities into each social engineering assessment.
1 – Reconnaissance and Information Gathering
The collection of information is a critical stage of social engineering and often determines the success of the rest of the phishing assessment. Using a ‘black box’ approach, our security experts perform in-depth research to extract information on the target company.
2 – Create Pretext Scenarios and Payloads
Once we have fully enumerated the target, the focus turns to crafting the pretext scenarios and payloads. This includes identifying departments, user roles, and the pretext scenarios that fit each. These details ensure each user is researched thoroughly for the most successful, targeted engagements.
3 – Engage Targets
Using carefully structured tactics and pretext, Rhino Security Labs’ security analysts engage employees via phishing emails. These emails often prompt the user to interact by clicking a link or downloading a malicious file. The emails and subsequent landing pages are crafted to appear authentic, often mimicking other sites and services.
4 – Assessment Reporting and Debrief
After completing the campaign and aggregating results, a final report is delivered, providing both an executive summary and specific details. The report also includes a thorough breakdown of risk, as well as remediation steps and documentation of successful phishing attempts. Training guides are also provided to help the client resolve the training and policy issues identified.
5 – Optional: Employee Education
As an optional addition, Rhino Security Labs provides user training sessions for client employees. Whether hosted as a recorded online webinar or an in-house training session, Rhino Security Labs provides quality security awareness training by the same experts who performed the original engagement.
In a real-world social engineering attack, attackers don’t limit themselves to a single approach. In addition to phishing, they may use vishing (voice phishing), SMShing (SMS text message phishing), and on-site methods, physically attempting to gain access to building resources. Integrating all of these allows a much more thorough and accurate assessment of phishing risk.