PHAAS – Phishing As A Service – Employee Security
May 24, 2016
Edited: June 15, 2018
Author: Jon Salisbury | Oct 12, 2015
PHAAS – Phishing as a Service – Train your users to defend the organization from Cyber Threats!
First off I wanted to say a big thank you to NKU (Dean Kirby, CIO Tim Ferguson, and Professor Yi Hu)! Nexigen was a GOLD sponsor at the NKU Cyber Security Symposium this past week, and wow was it fun. Great speakers were ready to deliver wonderful information, and a crowd of roughly 400 showed up to soak it all in. I wanted to use this post to thank NKU for the wonderful job they did in holding the event and helping the crowd and sponsors get maximum value from it. Truly NKU is a university that sets itself apart year after year.
Now that the thank-you messages are done, I wanted to write about something I thought was really needed at this event, and that is user education. Employees inside organizations are the number one entry point for the majority of attacks. Employees are being hammered by sophisticated phishing scams, which make email and internet surfing harder and harder to handle from a protection standpoint. I would think most agree that an educated user base inside an organization will protect the organization better than any tool on the market!
Nexigen has been providing security services for more than 10 years, and we have introduced a new product that provides simulated phishing attacks as a service to help you train your employees.
How it works:
The organization's IT department contacts Nexigen and asks for PHAAS (Phishing as a Service), and the appropriate paperwork is signed. Nexigen then sends the client a security best practices document that should be circulated through the organization so that users are educated about company policies and have been given examples of emails not to open. Nexigen is also open to flexible arrangements should an IT staff have specific needs or wants regarding the engagement.
Nexigen sets up the phishing campaign in our engine, which sends client-specific emails on a random schedule. Emails go out on random dates using information Nexigen has gathered externally through DNS and social investigation. We mimic what a real attacker would do. Here is an example email that would be sent to a customer whom we found to be using Office 365:
This email will appear to come from the real HR manager, as we can find that person on LinkedIn easily and spoof the From address.
Most users do not notice the domain (shouldiclickonthis.net) and will continue to log in.
The information they enter is captured and then relayed to the real Office 365: our web portal records the credentials and logs the user into Office 365. This way the user has no idea they actually went to the wrong site, and they go looking for an HR manual that somehow does not seem to exist.
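The one thing a user can reliably check in an email like the one above is the host of the link, and lookalike hosts put the familiar name somewhere other than the registrable domain. The following added example (not Nexigen's code, and not part of the original post) shows that check; the allow-list of Microsoft sign-in hosts and the sample links are assumptions constructed for the example, with shouldiclickonthis.net being the domain named above.

```python
"""Flag sign-in links whose host is not a legitimate Office 365 login host."""
from urllib.parse import urlparse

# Assumed allow-list of legitimate Microsoft sign-in hosts (not from the original post).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "www.office.com"}


def link_host(href: str) -> str:
    """Return the lowercase host of a link, ignoring any userinfo, port or path."""
    if "://" not in href:  # bare 'www.office.com/...' style links
        href = "https://" + href
    return (urlparse(href).hostname or "").lower().rstrip(".")


def is_trusted_host(host: str) -> bool:
    """True only if host is a trusted login host or a subdomain of one.

    A trusted name that appears inside the host but not as its suffix
    (e.g. login.microsoftonline.com.shouldiclickonthis.net) is not trusted:
    the registrable domain is still the one the sender controls.
    """
    return any(host == t or host.endswith("." + t) for t in TRUSTED_LOGIN_HOSTS)


def audit_links(hrefs):
    """Map each link to ('trusted' | 'untrusted', reason)."""
    verdicts = {}
    for href in hrefs:
        host = link_host(href)
        if not host:
            verdicts[href] = ("untrusted", "no host could be parsed")
        elif is_trusted_host(host):
            verdicts[href] = ("trusted", f"host {host} is an allowed sign-in host")
        else:
            verdicts[href] = ("untrusted", f"host {host} is not an allowed sign-in host")
    return verdicts


# Constructed sample links of the kind a simulated HR email might carry.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.shouldiclickonthis.net/hr-manual",
    "https://login.microsoftonline.com@shouldiclickonthis.net/login",
    "http://shouldiclickonthis.net/office365/login",
    "www.office.com/",
]

if __name__ == "__main__":
    for href, (verdict, reason) in audit_links(SAMPLE_LINKS).items():
        print(f"{verdict:9} {href}  ({reason})")
```

Only the first and last sample links are trusted; the userinfo trick (`trusted-name@real-host`) and the subdomain trick both resolve to shouldiclickonthis.net.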
All of this information is logged in Nexigen's Phishing as a Service engine and is available to the client's chosen leader of the initiative.
After we collect the data, which normally shows an extremely high success rate on the first round, we encourage the customer to give its employees maximum visibility into the results. Each employee who clicked the link, entered a username and password, and clicked submit is recorded. Those same users are much less likely to repeat the mistake a second time.
Nexigen has seen initial click and username/password collection rates higher than 50 percent. After proper education and good communication inside the organization, we normally see these rates drop below 10 percent after just 3 passes with this system. It is important to run this service on a regular basis to ensure employees are continually tested against realistic phishing emails and websites. This service will dramatically reduce your organization's attack surface.
This entire system helps your organization stay focused and alert about fraudulent emails, which will be the number one attack vector hackers use against you.
For more information please email us at firstname.lastname@example.org or click the button below!