Wikipedia

Simulated phishing

Simulated phishing, or a phishing test, is the practice of sending deceptive emails that resemble malicious ones to an organisation's own staff in order to gauge their response to phishing and similar email attacks. The emails themselves are often a form of training, but such testing is normally done in conjunction with prior training and is often followed up with further training elements, especially for those who "fail" by opening email attachments, clicking on included weblinks, or entering credentials.

Rationale

There is wide acceptance within the IT security field that technical measures alone cannot stop all malicious email attacks, and that good training of staff is necessary.[1] Simulated phishing allows the direct measurement of staff compliance and, when run regularly, can measure progress in user behaviour. Phishing simulation is recommended by various official agencies, who often provide guidelines for designing such policies.[2] Phishing simulations are sometimes compared to fire drills in giving staff regular practice in correct behaviour.[3]

Ethics

Such campaigns need to be authorised at an appropriate level[4] and carried out professionally.[5] If such a technique is used carelessly, it may breach laws, attract lawsuits, and antagonise or traumatise staff.

However, if employees are advised of a change to policy such that "the company reserves the right to send deceptive 'simulated phishing' email to staff from time to time to gauge staff security awareness and compliance", and training and guidance has been given in advance, then such problems should not occur. Some organisations may choose to require users to give their consent by opting in,[6] and others may allow staff the option to opt out.[7]

The standard advice is that "failing" staff not be shamed in any way, but it is appropriate and reasonable to provide supportive followup training.[8][9][10]

Some techniques which might be effective and in use by malicious actors are normally avoided in simulated phishing for ethical or legal reasons. These would include emails with content likely to cause distress to the recipient or the use of third-party trademarks,[5][8] although it is also sometimes argued that this is covered by fair use.[11]

Methods

Such testing can be done in a number of ways.

  • Many vendors offer web-hosted platforms to do this, and some provide limited free "test" campaigns.[12][13]
  • A wide range of freely-available open-source tools allow more technical organisations to host and run their own testing.[14][15][16]
  • Some email services now offer such testing as a built-in option.[17][18]

Because organisations generally have multi-layered defences in place to stop actual malicious phishing, simulations often require allow-listing (whitelisting) at email gateways, anti-virus software and web proxies so that the test emails reach user desktops and devices and can be acted upon. Such exceptions are best scoped narrowly to the simulation's sending domain or addresses and to the campaign period, since a broad bypass weakens the very controls the exercise is meant to complement. Link-scanning gateways that fetch the URLs in inbound mail can also register "clicks" that no user made, and the campaign results need to discount these.
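The following is an added example written for this page, not code from the article or from any of the tools it cites. It shows the mechanics behind the self-hosted approach mentioned above: each recipient gets an opaque per-recipient token in the lure URL (an HMAC over the campaign and address, so the address itself never appears in the link and tokens cannot be forged or correlated across campaigns), web-server log lines are then attributed back to recipients, and the per-campaign click and credential-submission rates that the Rationale section describes as the measurable output are computed. It also handles the failure mode noted above: requests from the organisation's own link-scanning gateway are discarded rather than counted as clicks. The landing-page host, the secret, the scanner addresses, the log format and every recipient and log line are constructed for the example.

```python
"""Added example: per-recipient tracking and metrics for a self-hosted
phishing simulation. All hosts, secrets, addresses and log lines below are
constructed for illustration; nothing here is taken from a real tool."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical: secret held only by the simulation server, and its landing host.
CAMPAIGN_SECRET = b"replace-with-a-random-secret-from-a-vault"
LANDING_HOST = "https://training.example.invalid"

# Constructed: source addresses of the organisation's link-scanning gateway,
# which fetches every URL in inbound mail and would otherwise look like clicks.
SCANNER_IPS = {"198.51.100.7", "198.51.100.8"}


def recipient_token(campaign_id: str, email: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Opaque per-recipient identifier placed in the lure URL.

    HMAC over (campaign, normalised address): stable within a campaign, not
    reversible to the address, unforgeable without the secret, and different
    in every campaign so tokens cannot be correlated across them."""
    msg = f"{campaign_id}\x00{email.strip().lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:24]


def lure_url(campaign_id: str, email: str) -> str:
    """URL embedded in the simulated phishing e-mail for one recipient."""
    return f"{LANDING_HOST}/{campaign_id}/?rid={recipient_token(campaign_id, email)}"


# Constructed log format: ip - - [time] "METHOD path HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+'
)

# A recipient's outcome is the most serious thing they did in the campaign.
RANK = {"no_action": 0, "clicked": 1, "submitted": 2}


def campaign_outcomes(campaign_id: str, recipients: list, log_lines: list) -> dict:
    """Map each recipient to no_action / clicked / submitted for one campaign."""
    token_to_email = {recipient_token(campaign_id, e): e for e in recipients}
    outcome = {e: "no_action" for e in recipients}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] in SCANNER_IPS:
            continue  # malformed line, or the gateway pre-fetching the link
        parsed = urlparse(m["path"])
        if not parsed.path.startswith(f"/{campaign_id}/"):
            continue  # another campaign or an unrelated path
        rid = parse_qs(parsed.query).get("rid", [None])[0]
        email = token_to_email.get(rid)
        if email is None:
            continue  # unknown or forged token: ignore rather than guess
        submitted = m["method"] == "POST" and parsed.path.endswith("/submit")
        event = "submitted" if submitted else "clicked"
        if RANK[event] > RANK[outcome[email]]:
            outcome[email] = event
    return outcome


def campaign_metrics(outcome: dict) -> dict:
    """Aggregate figures reported to management and compared across campaigns."""
    n = len(outcome)
    clicked = sum(1 for o in outcome.values() if RANK[o] >= RANK["clicked"])
    submitted = sum(1 for o in outcome.values() if o == "submitted")
    return {
        "sent": n,
        "clicked": clicked,
        "submitted": submitted,
        "click_rate": round(clicked / n, 3) if n else 0.0,
        "submit_rate": round(submitted / n, 3) if n else 0.0,
    }


# Constructed sample campaign.
CAMPAIGN = "q1"
RECIPIENTS = ["alice@example.invalid", "bob@example.invalid",
              "carol@example.invalid", "dave@example.invalid"]
_tok = lambda e: recipient_token(CAMPAIGN, e)
SAMPLE_LOG = [
    # gateway scanner fetching Alice's link: must not count as a click
    f'198.51.100.7 - - [03/Mar/2024:09:00:01 +0000] "GET /q1/?rid={_tok(RECIPIENTS[0])} HTTP/1.1" 200 512',
    # Bob clicks
    f'10.0.0.12 - - [03/Mar/2024:09:05:13 +0000] "GET /q1/?rid={_tok(RECIPIENTS[1])} HTTP/1.1" 200 512',
    # Carol clicks, then enters credentials on the landing page
    f'10.0.0.40 - - [03/Mar/2024:09:07:44 +0000] "GET /q1/?rid={_tok(RECIPIENTS[2])} HTTP/1.1" 200 512',
    f'10.0.0.40 - - [03/Mar/2024:09:08:02 +0000] "POST /q1/submit?rid={_tok(RECIPIENTS[2])} HTTP/1.1" 302 0',
    # an outsider probing with a made-up token: ignored
    '203.0.113.9 - - [03/Mar/2024:11:00:00 +0000] "GET /q1/?rid=deadbeefdeadbeefdeadbeef HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    result = campaign_outcomes(CAMPAIGN, RECIPIENTS, SAMPLE_LOG)
    for email, o in result.items():
        print(f"{email:24s} {o}")
    print(campaign_metrics(result))
```

Because the token is keyed by campaign, a report from the same person in two campaigns cannot be linked without the secret and the recipient list; the per-recipient outcomes stay on the simulation server, and only the aggregate metrics need to leave it, which fits the advice above that individuals who "fail" are not singled out.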

Frequency

Most advice is that testing should be done several times per year, to give staff practice in responding correctly, and to provide management feedback on the progress in staff identifying and reporting potentially dangerous email.

See also

  • Phishing
  • Fire drill

References

  1. ^ Jampen, Daniel; Gür, Gürkan; Sutter, Thomas; Tellenbach, Bernhard (2020-08-09). "Don't click: towards an effective anti-phishing training. A comparative literature review". Human-centric Computing and Information Sciences. 10 (1). doi:10.1186/s13673-020-00237-7. hdl:11475/20346. ISSN 2192-1962.
  2. ^ "Designing Phishing Simulations" (PDF). Center for the Protection of National Infrastructure. Retrieved 12 September 2018.
  3. ^ Fischbein, Jonathan. "Council Post: 2021 Cyber New Year's Resolutions". Forbes. Retrieved 2021-10-03.
  4. ^ Kovacs, Eduard (23 August 2018). "Attack on DNC Part of Simulated Phishing Test". Security Week. Retrieved 12 September 2018.
  5. ^ a b Cheng, Joey (18 March 2014). "Out-of-control Army phishing test results in new guidelines". DefenseSystems. Retrieved 12 September 2018.
  6. ^ "Simulated Phishing". Berkeley Lab. Retrieved 12 September 2018.
  7. ^ "Simulated Phishing Email Campaign". UC Santa Cruz. Retrieved 12 September 2018.
  8. ^ a b Prendergast, Tom. "Is all fair in simulated phishing?". www.csoonline.com. Retrieved 9 September 2018.
  9. ^ Meijdam, Katrien. "Phishing as a Service: Designing an ethical way of mimicking targeted phishing attacks to train employees". Retrieved 10 September 2018.
  10. ^ R, Kate. "The Trouble with Phishing". National Cyber Security Centre. GCHQ. Retrieved 12 September 2018.
  11. ^ Calarco, Daniel. "Stop Phishing with Bad Fake Bait". EDUCAUSEreview. Retrieved 12 September 2018.
  12. ^ Salla, Sebastian. "free phishing test campaigns". CanIPhish. Retrieved 10 October 2022.
  13. ^ Korolov, Maria. "10 companies that can help you fight phishing". CSO Online. Retrieved 12 September 2018.
  14. ^ e.g. GoPhish, King Phisher, the Social-Engineer Toolkit
  15. ^ Pauli, Darren (4 February 2016). "Go phish your own staff: Dev builds open-source fool-testing tool". The Register. Retrieved 12 September 2018.
  16. ^ "Phishing campaign simulators". Phishing Countermeasures. Retrieved 12 September 2018.
  17. ^ Ghosh, Debraj. "GA of Attack Simulator For Office 365 Threat Intelligence". Microsoft Tech Community. Retrieved 12 September 2018.
  18. ^ Lardinois, Frederic. "Microsoft launches a phishing attack simulator and other security tools". TechCrunch. Retrieved 12 September 2018.

Retrieved from https://en.wikipedia.org/w/index.php?title=Simulated_phishing&oldid=1223060544
