At this year’s RSA conference Ira Winkler told the audience about hacking into an energy company (via an authorized penetration test) using a targeted phishing email. Details are in this Network World article: http://www.networkworld.com/news/2008/040908-rsa-hack-power-grid.html
“The penetration team started by tapping into distribution lists for SCADA user groups, where they harvested the e-mail addresses of people who worked for the target power company. They sent the workers an e-mail about a plan to cut their benefits and included a link to a Web site where they could find out more.”
Are we surprised they were successful? Absolutely not. We’ve been using this technique and responding to real incidents that used spear phishing for quite some time now. But what if those same employees had already been “phished” through a targeted awareness exercise and then presented with the appropriate training material? What if you ran this exercise against all your employees regularly?
Phishme.com already has pre-built scenarios to make this training quick and easy. It has many generic domain names to choose from or you can register your own look-a-like domain.
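To show what "running the exercise regularly" looks like on the defender's side, here is an added example (not code from the original post or from Phishme.com) that takes the results of two rounds of an internal phishing simulation and works out the per-round click and report rates, who should receive the training material after each round, and who clicked in more than one round. The result records, employee names and round numbers are constructed sample data, and the field names are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimulationResult:
    """One recipient's outcome in one round of an internal phishing exercise (hypothetical schema)."""
    round_id: int    # which periodic exercise this record belongs to
    employee: str    # hypothetical user id
    clicked: bool    # followed the link in the simulated phishing email
    reported: bool   # reported the message to the security team


# Constructed sample data: two rounds of the exercise against the same four employees.
SAMPLE_RESULTS = [
    SimulationResult(1, "alice", True, False),
    SimulationResult(1, "bob", False, True),
    SimulationResult(1, "carol", True, False),
    SimulationResult(1, "dave", False, False),
    SimulationResult(2, "alice", True, False),
    SimulationResult(2, "bob", False, True),
    SimulationResult(2, "carol", False, True),
    SimulationResult(2, "dave", False, True),
]


def _rate_by_round(results, predicate):
    """Fraction of recipients per round for which predicate(result) is true."""
    hits = defaultdict(int)
    totals = defaultdict(int)
    for r in results:
        totals[r.round_id] += 1
        if predicate(r):
            hits[r.round_id] += 1
    return {rid: hits[rid] / totals[rid] for rid in totals}


def click_rates(results):
    """{round_id: fraction who clicked}; the number you want trending down over time."""
    return _rate_by_round(results, lambda r: r.clicked)


def report_rates(results):
    """{round_id: fraction who reported the message}; the number you want trending up."""
    return _rate_by_round(results, lambda r: r.reported)


def needs_training(results, round_id):
    """Employees who clicked in the given round; they get the training material right away."""
    return sorted(r.employee for r in results if r.round_id == round_id and r.clicked)


def repeat_clickers(results):
    """Employees who clicked in more than one round and may need more than the standard module."""
    counts = defaultdict(int)
    for r in results:
        if r.clicked:
            counts[r.employee] += 1
    return sorted(e for e, c in counts.items() if c > 1)


if __name__ == "__main__":
    for rid, rate in sorted(click_rates(SAMPLE_RESULTS).items()):
        print(f"round {rid}: click rate {rate:.0%}, "
              f"report rate {report_rates(SAMPLE_RESULTS)[rid]:.0%}, "
              f"training queue {needs_training(SAMPLE_RESULTS, rid)}")
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```

The two rates are the metrics worth keeping between rounds: the click rate tells you how exposed you still are, and the report rate tells you whether the training is turning employees into a detection source rather than just a target.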
There is no sense in paying a pentest company high dollar consulting fees to find out if your employees are vulnerable to phishing. I’m about to save your company a boat load of money.
Dear Magic Eight ball, I don’t currently conduct phishing attacks against my own employees as a means to train them. Am I vulnerable to spear-phishing attacks?