Phishing campaigns

Phishing is a fraudulent technique in which criminals attempt to steal personal information, financial data, passwords or other confidential information from unsuspecting individuals. This is usually done by the attackers using fake communications such as emails, text messages or websites to pose as legitimate organisations or individuals. Victims are often tricked into clicking on fake links or entering personal information on fake websites that resemble the real company or service provider. Phishing can also use social engineering techniques to trick victims into revealing confidential information, for example by pretending to offer technical support or report urgent problems.

A simulated phishing campaign is a controlled exercise where organisations or specialised service providers such as TEN Information Management send fake phishing messages to their employees or users to test their reactions and security awareness. These exercises are designed to help raise awareness of phishing attacks, train employees and strengthen the security culture in the organisation. Typically, the phishing email attempts to build trust with recipients by providing known information and persuading them to enter confidential information – such as login names and passwords – on a phishing page. This is done in the same way as real attackers would do – except that the goal is to raise awareness of the organisation, not to steal information. 

The objectives of a simulated phishing campaign include making employees aware of the dangers of phishing, training them on how to deal with potentially suspicious emails or other contact attempts, and thereby enabling employees to respond appropriately to attacks. Such simulated campaigns are an important part of a comprehensive security programme to reduce the risk of successful phishing attacks.

We first discuss joint planning, based on the target group, the principal’s specific situation and other parameters. As part of the planning, we decide together, for example, which story line, i.e. which “story” we tell and how many phishing emails we send (and how often). A frequently chosen goal is to capture usernames and login passwords. Then we build a fake phishing page with the layout of the organisation we want to attack. We register a fake phishing domain that is very similar to the domain of the principal; we then send the emails from this domain. The reactions of the recipients, i.e. whether they open the received email, click on the link and perhaps even enter login information, are automatically recorded. Based on this captured information, we create a report that the principal can use for awareness-raising activities. 

The evaluation is automated by specialised software that we use to plan and run the campaign. As part of the evaluation, you can choose whether you want to receive the results completely anonymised, pseudonymised or with real information. Meaningful statistics show, for example, how many employees opened the email, clicked on the link or even entered information. You will receive a report in PDF format that you can share within your organisation accordingly. 

Based on the results of the campaign, the principal should plan and implement targeted training and awareness-raising initiatives. Provide employees with resources, tips and best practices to better prepare them for future phishing attacks. If you need help with this, the experts at TEN Information Management are available to advise you. 

No. If we capture sensitive information (e.g. login names and passwords) during the campaign, we do not make it accessible to anyone and delete it immediately after the end of the campaign, or even before if necessary. We also inform you immediately so that you can take countermeasures (such as changing passwords) if necessary.  

Of course they are. All activities are fully covered by the applicable legal situation, in particular we adhere to the relevant provisions of the General Data Protection Regulation. 

We need a list from the respective principal with the names and email addresses of the people we are to attack. The principal can help determine the story line, i.e. the content of the phishing emails. For example, we can use seasonal occasions such as Christmas parties or one-off events such as company anniversaries to make the particular story line seem believable. It is important to limit the number of people who will be informed about the campaign to a minimum and only inform those who absolutely need to know about the campaign in advance. Other involvement on the part of the principal includes obtaining any necessary approvals (e.g. from the works council, if any). 

Experience shows that such offers are not cheaper and, in particular, much less target group-specific than a campaign tailored to the needs of the respective principal. In the case of the modular systems mentioned above, on the one hand, the user needs to have the appropriate expertise on how to run such campaigns. This includes not only technical knowledge, but also knowledge regarding the graphic design of the address in the e-mails and fake pages, psychology and knowledge of human nature. On the other hand, the supposed advantage of “do it yourself” is a serious disadvantage. Remember that your time costs money too. If you click together an off-the-shelf campaign, you get just that – an off-the-shelf campaign. Attackers, however, are highly specific these days. They spy on the target organisation’s environment meticulously in order to generate phishing emails that are as targeted as possible. And that is exactly what you should do in a simulation. If you honestly add up the price of an “off-the-shelf” campaign – i.e. taking into account not only the licence costs of the kit, but especially the time of the people carrying it out – our specific campaigns are always cheaper. 

Yes. Usually, the handling of data processed in the course of a simulated phishing campaign is data processing on behalf of the client. Consequently, our clients receive a commissioned data processing contract that has been drawn up by a specialist lawyer and complies with DSGVO. 

In compliance with the Data Protection Ordinance, we store this data exclusively for a specific purpose and only until the order has been completed. After that – and at any time earlier if you wish – we delete it in a secure manner. 

All servers used are located in DSGVO-compliant data centres within Germany. 

Absolutely. You should share the findings with the attacked target group – e.g. your staff – and derive appropriate actions from them. If employees have entered sensitive information such as passwords on the phishing site, we recommend that they change the password of the respective system. 

Depending on the desired frequency and the frequency of the phishing e-mails to be sent, the implementation of such a campaign takes from a few days to several weeks. 

The costs are calculated according to the frequency of the phishing e-mails to be sent. Typical campaigns start at around 1,800 euros. We always carry out the campaigns as a fixed-price offer, which gives the principal the best planning security with regard to the expected costs. 

In short – by being precisely tailored to the organisation to be targeted. We take time for you, talk through the content in detail and are also there for you after the campaign. You don’t get all that, especially with “do it yourself modular solutions”. 

By using 2-factor authentication. A second factor ensures that the attacker cannot do anything with the captured secret – for example a password – without the second factor. 

People tend to forget what they have experienced. In order to achieve a sustainable anchoring of the topic in the awareness of the employees, we recommend an annual implementation.