Are phishing assessments worth the money?

Phishing simulations are a tool we highly recommend for identifying weaknesses. But what's involved, and is it worth it?

What is phishing?

It would be fair to say that phishing is a commonly understood term within the IT and tech community. However, it never hurts to give people a small reminder.

Typically, phishing attacks involve cybercriminals sending out a large number of emails in the hope of catching a handful of victims, who are duped into:

  • Sending money to the hackers
  • Giving them sensitive information - login details, credit card numbers…
  • Installing malicious software

To name but a few...

What is a phishing assessment?

A phishing simulation or assessment is an exercise that repeats the steps attackers take to phish individuals within an organization. These can be delivered through off-the-shelf services or tailored to your direct needs. The tailored approach is the style of phishing assessment we offer at Informer, as it leaves no stone unturned.

Through this method, we reveal weaknesses in your organization that you weren’t aware of and confirm the doubts you had about potential problem areas. Typically, businesses are interested in the security of their internet-facing systems and websites. They want to know if hackers can gain access to their internal systems.

If they have the budget, they may conduct internal penetration testing to understand the impact of a successful breach. This takes testing of your security to the next level.

Ethical penetration testers will attempt to gain physical access to your facilities using common hacker tactics, such as fake security details, tailgating employees through security barriers, or simply walking through your front door.

From there, the testers attempt to access secure rooms and your internal computer network. Doing so can reveal a treasure trove of information, including:

  • Passwords of your C-level suite
  • Sensitive documents
  • Company data
  • Server and IP credentials

Would you benefit from a phishing assessment?

Yes. It’s a simple answer, as the benefits far outweigh the negatives of security ignorance.

Sony suffered an avoidable attack at the hands of phishers in 2015[1], when an unfortunate employee fell foul of a fake Apple ID verification email. The employee was prompted to click a link and then enter their information into a fake verification form.

Hackers presumed the employee used the same password for their Apple ID as their work login. Through that action, the hackers were able to add malware to the Sony network, leading to one of the highest-profile hacks in recent years.

A phishing assessment before the attack would have gone a long way to preventing it.

You’ve done your phishing assessment, what’s next?

Being aware of the issues at hand is only stage one of the process. You need to instill a security-first culture within your business, involving:

  • Writing and implementing a security policy
  • Implementing changes - such as two-factor verification
  • Employee training
  • Reminding people of what they need to do. Be careful not to turn into a security nag, as this will put people off. Start with how security benefits the individual and the larger picture

So, is a phishing assessment worth the time and money? Our answer will always be, 100% yes! 

After all, we work in security and see the benefits of phishing assessments on a daily basis. We also see what happens when an easy-to-avoid attack has taken place.

Just think about the worst-case scenario of an attack on your organization. Then book a phishing assessment, which will help you avoid it.

[1] tripwire.com
