Sophos Phish Threat is a phishing attack simulator that allows your IT department to send realistic-looking fake phishes to your own staff, educating and testing them through automated attack simulations, quality security awareness training, and actionable reporting metrics.
It helps you test yourself and stay a step ahead of the fraudsters.
The product has a vast collection of customizable templates that are updated regularly in order to construct fake phishes.
The main aim of the product is to give the users a feeling of real-world scams of all types.
None of the wide range of themes available is an actual threat; the question is which phishing template gives the best (or worst) result.
Most of them deal with issues that are boring and unexciting, while others are interesting or important.
Let us take a look at the top/bottom ten phishing themes.
Rules of conduct: This claims to be a letter from HR announcing the company’s new Rules of Conduct. Most companies revise their employment guidelines in response to increasing workplace diversity and to reduce harassment. Employees are expected to read the new guidelines, or their HR team makes them read them, so they click on the links in such mails.
Delayed year-end tax summary: This email informs staff that their tax documentation will be delayed. Tax documentation or a payment summary is something staff need, so they will click to find out how long the delay will be.
Scheduled server maintenance: People usually tend to ignore IT messages about server maintenance. But now that most people are working from home, they want to know when outages are likely so they can schedule their work accordingly.
Task assigned to you: In this message, the Phish Threat user needs to choose a project scheduling system used by their company, such as JIRA or Asana. Even though this makes it a semi-targeted phish, staff must be aware that the business tools a company uses are widely known and easy for cyber criminals to discover, even automatically.
New email system test: Staff tend to be helpful, since the test takes just a click.
Vacation policy update: Because of the current coronavirus pandemic, it is difficult to take a vacation these days, and many companies have changed their vacation policies accordingly.
Car lights on: In this mail, the building manager reports a car with its lights left on. In reality, you might become suspicious because they posted a picture instead of just typing in the vehicle tag. But in many states and provinces in North America front plates are no longer issued, so a photo taken from the front of the vehicle probably wouldn’t show the registration number anyway.
Courier service failed delivery: This is a trick fraudsters have used successfully for years. Most people depend on home deliveries because of the coronavirus. Usually the courier company is chosen by the vendor, so you might not know who is making the delivery.
Secure document: This claims to be a “secured document” from the HR team, giving a plausible reason for the recipient to view it. Phishing criminals widely use this trick to convince you to enter passwords where none are required, or to adjust the security settings on your computer supposedly to improve security, when in reality it reduces it.
Social media message: This was a simulated LinkedIn notification promising that “You have unread messages from Joseph”. It is tempting to click through, thinking it might be a new job offer.
Things to be done
Think before you click: The message might look legitimate at first sight, but if you take the time to check it properly, there may be something wrong with it. Examples: spelling mistakes you doubt the sender would make, terminology your company wouldn’t use, software tools your company doesn’t use, and requests for behaviour such as altering security settings you have been warned not to change.
If not sure, check with the sender: If you find something suspicious, check with the sender, but do not do so by replying to the email to ask whether it’s genuine. Use a corporate directory accessed via trustworthy means to find a way to get in touch with the colleague you think has been impersonated.
Check the links carefully before you click: Many phishing emails contain text and images that do not contain any errors. The criminals usually rely on temporary cloud servers or hacked websites to host their phishing web pages, and the deceit can be found in the domain name they want you to visit. Don’t be fooled by the server name either: crooks register near-miss names such as yourcompanny, yourc0mpany (zero for the letter O) or yourcompany-site, using misspellings, similar-looking characters or added text.
Report suspicious emails to your security team: Always make it a habit to contact your security team if you find anything suspicious. Phishing crooks don’t send their emails to just one person at a time, so if you are the first in the company to spot a new scam, your report lets the IT department warn everyone else who might have received it too.
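To make the link check concrete, here is an added example (not code from Sophos or from the original article) that compares the hostname in a link against a trusted company domain and flags the three near-miss patterns described above: misspellings, look-alike characters and added text. The trusted domain yourcompany.com and the sample links are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed trusted domain for illustration; replace with your own.
TRUSTED_DOMAIN = "yourcompany.com"

# Character swaps crooks use to imitate letters (zero for O, one for L, ...).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(name):
    """Undo common look-alike substitutions so yourc0mpany reads as yourcompany."""
    for fake, real in HOMOGLYPHS.items():
        name = name.replace(fake, real)
    return name


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, trusted=TRUSTED_DOMAIN):
    """Return 'trusted', one of three 'lookalike-*' verdicts, or 'unrelated'."""
    host = host.lower().rstrip(".")
    if host == trusted or host.endswith("." + trusted):
        return "trusted"  # the real domain or a genuine subdomain of it
    trusted_name = trusted.split(".")[0]
    # Registrable part of the host (last two labels), e.g. evil.net in a.evil.net.
    name = ".".join(host.split(".")[-2:]).split(".")[0]
    if name != trusted_name and normalize(name) == trusted_name:
        return "lookalike-characters"  # yourc0mpany
    if edit_distance(normalize(name), trusted_name) <= 2:
        return "lookalike-misspelling"  # yourcompanny
    if trusted_name in host:
        return "lookalike-added-text"  # yourcompany-site, yourcompany.com.evil.net
    return "unrelated"


def check_link(url):
    """Classify the hostname a link really points to, not the text shown to the user."""
    host = urlparse(url).hostname
    return classify_host(host) if host else "no-host"
```

The substring test for added text is deliberately broad; for very short company names it will produce false positives, so tune the verdicts to your own domain before acting on them.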
Image credits: Staysafeonline