Deceptive Emails to Assess Your Susceptibility to a Cyber-attack
A phishing assessment attempts to gain sensitive information or access from a target user through coercive emails. This method of engagement is particularly effective, as attackers can often leverage public information to craft compelling emails while impersonating someone trustworthy - perhaps even individuals within the target organization.
The primary concern with a well-organized phishing campaign is that attackers often use this as a stepping-stone for broader attacks. Similarly, CORE tailors each phishing assessment to your organization’s personnel and explores the full potential of a successful compromise with unparalleled depth, ending with a detailed social engineering report.
What is Phishing?
Phishing is the act of sending malicious emails to a target. Usually, attackers accomplish this under the guise of a credible individual or organization. However, the attacker may go to great lengths to establish some degree of credibility and then prompt the target to surrender personal information such as passwords or PIN numbers.
Despite being an older technique, phishing attacks continue to be very effective and remain a consistent threat to digital security.
Advanced Phishing Services
More Than Just an Automated Service
While many tools measure the users clicking links, how do you know the real risk to your environment? We go beyond automated testing with a full attack simulation to identify the impact of social engineering.
Targeted Spear-phishing Capabilities
Spear-phishing is a highly targeted phishing attack on a specific user (rather than a generic pretext to a group of people). Starting each engagement with reconnaissance and information gathering, we offer these highly-targeted capabilities into each social engineering assessment.
Structured Social Engineering Methodology
More Than Just an Automated Service
While many tools measure the users clicking links, how do you know the real risk to your environment?
We go beyond automated testing with a full attack simulation to identify the impact of social engineering.
Detailed Risk Breakdown Report
Risk boils down to two factors: the likelihood of an attack vector and the potential impact it would have.
We are the only social engineering provider who includes both elements in our social engineering assessment reports.
Targeted Spearphishing Capabilities
Spearphishing is a highly targeted phishing attack on a specific user (rather than a generic pretext to a group of people).
Starting each engagement with reconnaissance and information gathering, we offer these highly-targeted capabilities into each social engineering assessment
- Reconnaissance and Information Gathering
The collection of information is a critical stage of social engineering and often determines the success of the rest of the phishing assessment. Using a ‘black box’ approach, our security experts perform in-depth research to extract information on the target company.
- Create Pretext Scenarios and Payloads
Once we have fully enumerated the target, the focus turns to craft the payload. These specifics include identifying departments, user roles, and associated pretext scenarios. These details ensure each user is researched thoroughly for the most successful, targeted engagements.
– Engage Targets
Using carefully structured tactics and pretexts, CORE Security Labs’ security analysts engage employees via phishing emails. These emails often prompt the user to interact by clicking a link or downloading a malicious file. The emails and subsequent landing pages are crafted to appear authentic, often mimicking other sites and services.
– Assessment Reporting and Debrief
After completing the campaign and aggregating results, a final report is delivered, providing the executive summary and specific details. The information also includes a thorough breakdown of risk and remediation steps and documentation of successful phishing attempts. Training guides are also offered, guiding the client in resolving the training and policy issues identified.
– Optional: Employee Education
As an optional addition, CORE Security Labs provides user training sessions for client employees. Whether hosted in a recorded online webinar or an in-house training session, CORE Security provides quality security awareness training by the same experts who performed the initial engagement.
In a real-world social engineering attack, hackers don’t limit their approach. In addition to phishing, they may use vishing (Voice Phishing), SMShing (SMS text message phishing), and On-Site capabilities, physically attempting to gain access to building resources. Integrating all of these allows a much more thorough and accurate assessment of phishing risk.