Phishing Simulation Test


What is phishing?

Protecting an organisation and its customers against accidental or deliberate loss of information, and preventing any obstruction of operations, are critical factors for its success.

When a company becomes the target of a cyber-attack, the initial penetration technique usually targets the organisation’s users. Studies show that attacks involving unintentional user contribution account for 90% of all attacks, which is why users are often accused of being the “weakest link”.

Social engineering refers to any method that targets the human mind, and is not necessarily implemented by technical means. An example could be a malicious phone call in which the attacker pretends to be someone else and tries to gather information about the company or a user, in order to use the collected information in a later stage of a fraud, or to guess usernames and passwords.

Almost all social engineering attacks targeting companies arrive by email rather than other mediums. Moreover, there is a significant rise in targeted, sophisticated attacks on the maritime industry, where we see thousands of campaigns involving agents, brokers, vessel sale and purchase, cash-to-master services and more.

In combination with BEC (business email compromise), several man-in-the-middle and identity spoofing attacks have been witnessed by most maritime companies. In this pattern, attackers start by hacking the mail server of one company (e.g. a broker or an agent) and gather intelligence about all the correspondents of the hacked entity. They now know domain names, email addresses, employee and manager names, email signatures, logos, vessel names etc., just by gaining access to a single company’s inbox. They will then patiently wait for an upcoming financial transaction before stepping into the middle and carefully intervening in the communication. In addition, they will use the gathered intelligence mentioned above to run more targeted phishing campaigns against further companies and compromise them in turn.

The ultimate goal of these attacks is to steal money directly, by altering IBAN numbers or through similar actions. Another, indirect method of stealing money is to use the phishing campaign to install ransomware and extort a ransom to unlock the files.
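A defender-side check for the pattern described above (a lookalike sender domain stepping into an existing thread together with changed bank details), added here as an example; it is not part of the original page or of Cygnus’ service. The trusted domain names, message bodies and IBAN values are constructed, and the homoglyph folding is a simple heuristic.

```python
import re
from difflib import SequenceMatcher

# Constructed example: correspondent domains the company trusts (hypothetical names).
TRUSTED_DOMAINS = {"oceanbrokers.example", "portagents.example"}

# IBAN shape: country code, 2 check digits, then 4-character groups (spaces optional).
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")

# Common digit-for-letter substitutions seen in lookalike domains (heuristic, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(domain):
    """Fold a domain to a canonical form so lookalikes collide with the real name."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return the trusted domain that `domain` imitates, or None if exact or unrelated."""
    if domain in trusted:
        return None
    folded = normalize(domain)
    for real in trusted:
        if folded == normalize(real) or SequenceMatcher(None, folded, normalize(real)).ratio() >= threshold:
            return real
    return None

def new_ibans(previous_body, current_body):
    """IBANs present in the current message but absent from the earlier one."""
    old = {m.replace(" ", "") for m in IBAN_RE.findall(previous_body)}
    new = {m.replace(" ", "") for m in IBAN_RE.findall(current_body)}
    return sorted(new - old)

def assess(message, thread_history):
    """Return findings for one inbound message arriving in an existing thread."""
    findings = []
    sender_domain = message["from"].rsplit("@", 1)[-1].lower()
    real = lookalike_of(sender_domain)
    if real:
        findings.append(f"sender domain {sender_domain} resembles trusted {real}")
    if thread_history:
        for iban in new_ibans(thread_history[-1]["body"], message["body"]):
            findings.append(f"IBAN not seen earlier in thread: {iban}")
    return findings

# Constructed thread: a genuine broker message, then an intruder stepping in with new bank details.
THREAD = [{"from": "ops@oceanbrokers.example",
           "body": "Freight invoice attached. Pay to IBAN GB82 WEST 1234 5698 7654 32."}]
INTRUDER = {"from": "ops@oceanbr0kers.example",
            "body": "Please note our bank details have changed: IBAN DE89 3704 0044 0532 0130 00."}

if __name__ == "__main__":
    for finding in assess(INTRUDER, THREAD):
        print(finding)
```

Both findings fire on the constructed intruder message; either one alone is worth routing to a human before a payment is released.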

Phishing Simulation

In this engagement, Cygnus’ experts will craft a series of phishing, spear-phishing and social engineering campaigns customized to your business environment that aim to deceive staff into clicking something and possibly submitting sensitive data.

The engagement is an all-custom, highly sophisticated project that includes purchase of required domains and mail servers, familiarization with the customer’s everyday communications and creation of tailor-made original content and scenarios in a series of custom crafted campaigns, to maximize the emulation’s success.

The duration of the engagement is usually one to two months, comprising up to seven campaigns. At the end, an extensive report is provided to the customer, including an executive summary for management.