Steve from accounting sat down at his desk at 7:30 a.m., just like every other morning. He was alone in the office and would be for several more hours. He booted up his computer, sipped his coffee, squeezed his stress ball a few times, and opened his email.
He encountered a flurry of unread mail from the day before – including a peculiar one from the CEO of the company.
Puzzled and somewhat scared, Steve from accounting quickly clicked on the email. It said:
Hey Steve (from accounting),
Really stuck in a bind here. I’m on vacation in Costa Rica, and I lost my wallet with all of my credit cards. I need you to get me the company credit card number so I can buy a plane ticket back.
The CEO Himself, Esq.
Steve from accounting thought long and hard about what he should do. On one hand, it was very strange that the big boss would ever even talk to him directly like this. As far as he knew, the CEO didn’t ever travel to Costa Rica.
On the other hand, turning down a request from the CEO in dire straits could be bad. He decided to follow through with the request. He complied with the email and sent over the company credit card information.
The day carried on as normal until about 1 p.m. That’s when the bank called and informed Steve from accounting that there was an unusual $40,000 charge on the company card.
At 3 p.m., Steve from the unemployment agency was smoking his last cigarette while holding a box of his belongings in the pouring rain.
Phishing for Information
Steve was the target of a scenario crafted specifically to extract sensitive information from his company. By definition, Steve was the victim of a spear phishing attack: a phishing message tailored to one particular recipient.
These attacks are notoriously hard for organizations to defend against because they rely on a person willingly handing over access or information. Firewalls and antivirus systems can’t effectively block them.
So what can a business do?
For starters, they can focus on training their employees about the hazards of phishing. In 2016, around 30% of all phishing emails were opened. With proper preparation, that number could be reduced significantly.
The best way to prove that your employees actually understand how to avoid phishing attacks is to test them.
And the best way to test them is with an actual attack.
Penetration Testing through Social Engineering
Penetration testing commonly relies on a tester actively trying to break into an organization’s network infrastructure using the tools and information at their disposal. However, penetration testing can also be conducted with less complex methods, such as social engineering.
Social engineering entails deceiving one or more people into divulging critical information. By conducting a non-malicious test of this kind within your company, you learn how effective your employee security training actually is.
Beyond that, you’ll also keep your employees alert to any phishing threats that could jeopardize your company.
Penetration Testing with Experts
Protecting against cybersecurity threats is a vital matter. Penetration testing provides valuable knowledge for you and your company if it is done correctly. The best choice is to partner with a managed service provider that has experience both in conducting penetration tests and in analyzing their results.
Luckily, we’re here for you. We’ve conducted many tests that have assisted companies of all sizes and verticals. If you’d like to see how penetration tests can assist your company specifically, feel free to contact us.