If you want to run phishing simulations (or if you already are), here are 7 relatively varied scenarios that will allow you to test your users with different attack profiles.
It’s a highlight reel of the attack simulations Mantra has run through different phishing campaigns at diverse companies.
Have fun and enjoy the phish :)
Target : Credentials
Psychological trigger : personal gain
Compromission : 27% *
Comment : You thought you had a new lead? Wrong, you just gave your CRM credentials to hackers. The lure of personal gain is the lever of many phishing campaigns with a broad range of enticements : gift cards, free smartphones, new laptops for employees...
Target : Credentials
Psychological driver : security
Compromission : 11% *
Comment : What better way to trick a user than to simulate a security message? All the password update requirements we receive (I used to get one every 45 days at a previous company, needless to say most people only changed theirs marginally) open up a breach for phishing attacks.
Target : Consent phishing
Psychological drivers : varied
Compromission : 18% *
Comment : One-click authentication, what a convenience… for hackers. They are skilled at turning users’ habits against them (ie. regularly granting permissions in order to access apps, documents…). This type of attack is all the more difficult to detect that the consent page through which hackers get permissions for their app is the real Microsoft Office one.
Target : Drive-by-download
Psychological driver : security
Compromission : 16% *
Comment : Updating your browser, your antispam software and firewal, your mac OS: good habit and good practice. Downloading malware after a phishing attack : not so great.
Target : Attachment with malware
Psychological trigger : Curiosity
Compromission : 21% *
Comment : Simple. Effective. Few are those who can resist the lure of opening or accessing documents that are sent to them by a “trusted” source… and more’s the pity.
Target : Attachment with malware
Psychological trigger : social proof and hierarchy
Compromission : 24% *
Comment : Loved, hated, never ignored, no one is indifferent to their CEO. That’s why, after a cursory assessment, one might open his email, and fall into the trap… PS : this doesn’t mean you should ignore all upcoming emails from your CEO.
Target : Credentials
Psychological trigger : Fear
Compromission : 16% *
Comment : The tender answer project you’ve been working on for months, don’t want to see the files disappear in the fog of cloud-based storage ? For everything to be back to normal, all you have to do is give your credentials to the hackers...
These are some of the tactics that you can use to start training your teams internally. Of course, this list is (far from) comprehensive, the creativity of hackers is unfortunately boundless…
Just in case, we of course stress that this exercise should only be conducted in a professional work environment (and not to spy on your neighbor).
If you want to know more about the other methods we use at Mantra to protect your teams from phishing and spear phishing attacks, contact us and book a demo.
* compromission is the amount of compromising actions relative to the number of emails sent during the simulations
Why do humans love to play? And how can using these principles and relying on gamification help your cyberdefense?
What is a Businesss Email Compromise cyberattack? How do hackers run these types of attacks and how can you protect your company from them?
Microsoft Azure AD's Conditional Access is a great tool! But hackers have found ways around it. Here's how.