On the hook: The rise of phish testing

Security is rarely far from the top of an IT team’s agenda, and while unusual exploits continue to emerge, tried and tested attack vectors are still the most likely method of breach. Email threats are at the top of that list. They have increased significantly in recent months, and present an obvious area of focus for organisations as they review their defences.

A recent State of Email Security report from leading security vendor Mimecast highlighted the extent of the issue. It reveals a 64% rise in email security threats since the start of the pandemic, with phishing and ransomware attacks proving to be the most common.

Importantly, email attacks are often designed to exploit individuals, using malicious links or dodgy attachments from spoofed communications to catch out unsuspecting recipients. This only serves to highlight the importance of implementing the right security strategy in this area. Not only using suitable protections, but making sure that the people within your business are properly educated to identify and handle these threats.

Understanding where your team needs to improve is an important first step, and it is this need that has driven the evolution of phish testing practices.

What is phish testing?

A phish test, or phishing test, is essentially a form of penetration testing intended to highlight vulnerabilities within your team, their devices, or the processes already in place.

By triggering an artificial phishing attack via email to your users, you can measure the response to better understand the potential impacts on your business should this happen for real. Perhaps more importantly, you can also understand which members of your team are potentially vulnerable to an attack, and take steps to ensure that they are better prepared.

A number of different tools and solutions are available, including new features recently added to Microsoft Defender for Office 365. These tools allow you to run a benign attack simulation across your organisation, targeting specific groups, individuals, or your entire workforce. There are a number of variations available, including credential harvest, malware attachments, or malicious links, all of which can be customised to avoid suspicion.

Once the simulation completes, the results are collated and returned to reveal the extent of a potential breach, and to suggest possible follow-up actions for specific individuals.
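The results stage described above, as an added worked example that is not code from the original post or from any simulation product: it takes a constructed set of per-recipient outcomes (the record layout and the user, department and action names are assumptions for illustration, not the export format of Microsoft Defender or any other tool), computes delivery, click, credential-submission and report rates per department and for the whole campaign, and turns each user's behaviour into a follow-up priority. Counting a user who clicked and then reported separately from one who clicked and did nothing is the distinction most teams want when deciding who gets training first.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data for this example: one record per simulated email
# delivered to a recipient, with the actions they took, in order. These are
# invented users and departments, not output from a real phish test.
SAMPLE_RESULTS = [
    {"user": "alice", "dept": "finance", "events": ["delivered", "reported"]},
    {"user": "bob",   "dept": "finance", "events": ["delivered", "clicked", "submitted"]},
    {"user": "carol", "dept": "finance", "events": ["delivered", "clicked", "reported"]},
    {"user": "dave",  "dept": "sales",   "events": ["delivered"]},
    {"user": "erin",  "dept": "sales",   "events": ["delivered", "clicked"]},
    {"user": "frank", "dept": "it",      "events": ["delivered", "reported"]},
]


@dataclass
class Stats:
    """Counts for one department (or the whole campaign)."""
    delivered: int = 0
    clicked: int = 0     # opened the simulated link or attachment
    submitted: int = 0   # entered credentials on the simulated harvest page
    reported: int = 0    # used the report-phish mechanism

    def rate(self, name: str) -> float:
        """Fraction of delivered emails that led to the given action, 2 d.p."""
        if not self.delivered:
            return 0.0
        return round(getattr(self, name) / self.delivered, 2)


def _tally(stats: Stats, record: dict) -> None:
    # A user counts at most once per action, however many times it appears.
    actions = set(record["events"])
    stats.delivered += 1
    stats.clicked += int("clicked" in actions)
    stats.submitted += int("submitted" in actions)
    stats.reported += int("reported" in actions)


def summarise_by_dept(results: list) -> dict:
    """Per-department counts, keyed by department name."""
    by_dept = defaultdict(Stats)
    for record in results:
        _tally(by_dept[record["dept"]], record)
    return dict(by_dept)


def summarise_campaign(results: list) -> dict:
    """Whole-campaign counts plus the two rates most worth tracking over time."""
    total = Stats()
    for record in results:
        _tally(total, record)
    return {
        "delivered": total.delivered,
        "clicked": total.clicked,
        "submitted": total.submitted,
        "reported": total.reported,
        "click_rate": total.rate("clicked"),
        "report_rate": total.rate("reported"),
    }


def follow_up(results: list) -> dict:
    """Map each user who fell for the simulation to a training priority.

    high   - submitted credentials (retrain, and reset the password if policy requires)
    medium - clicked and never reported
    low    - clicked but then reported it (reinforce, not retrain)
    Users who ignored or reported the email without clicking need no follow-up.
    """
    priorities = {}
    for record in results:
        actions = set(record["events"])
        if "submitted" in actions:
            priorities[record["user"]] = "high"
        elif "clicked" in actions:
            priorities[record["user"]] = "low" if "reported" in actions else "medium"
    return priorities


if __name__ == "__main__":
    for dept, s in summarise_by_dept(SAMPLE_RESULTS).items():
        print(f"{dept:8} delivered={s.delivered} click={s.rate('clicked')} "
              f"submit={s.rate('submitted')} report={s.rate('reported')}")
    print("campaign:", summarise_campaign(SAMPLE_RESULTS))
    print("follow-up:", follow_up(SAMPLE_RESULTS))
```

Comparing the click rate and report rate from one campaign to the next is the simplest way to see whether the training that followed a test actually changed behaviour; a rising report rate alongside a falling click rate is the result you are looking for.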

Why should you introduce it?

Even with the most sophisticated security posture in place, new threats will continue to emerge that expose new vulnerabilities. When this occurs, individual users are your last line of defence.

After all, a potentially malicious email containing a malware attachment isn’t going to cause a breach without involvement from an unsuspecting recipient. It’s for this reason that phish testing has an increasingly crucial role to play as part of a modern security strategy.

With so much importance placed on the response of your team, being able to properly assess potential vulnerabilities to gain a snapshot view of the risks facing your business can inform the improvements you make to your defences.

It’s likely that this will focus on email security or phishing-specific user training, which is the typical follow-up to a phish test. With additional training, you can reinforce best practice within your organisation, and raise awareness of new threats as and when they emerge. Subsequent phish tests, designed around evolving and popular threat types, can then reveal further vulnerabilities and help to assess the effectiveness of the training previously provided.

Prepare your people for a phishing attack

Whatever actions or solutions you choose to help better secure your organisation, it’s always best to start from an informed position. Our expert team can help you better understand the applications and benefits of phish testing, and implement a solution that gives you deeper insights into potential vulnerabilities that exist within your organisation.

To learn more about the options available, or to discuss your requirements with us, just get in touch.