Email Phishing Assessment

Evolve Security’s email phishing assessments include a variety of approaches designed to test your staff readiness as well as supporting technical controls. This includes a process similar to most security assessment services:

• Define the scope: Scoping the test to ensure we have well-defined testing goals and rules of engagement. Agree on the targeted staff, departments or other organizational groupings. Agree on specific goal systems, applications, and information. Define approved testing window. Define escalation process and rules if test is clearly identified by your organization.
• Complete reconnaissance: Research the public face of your organization (including social media) to determine potentially interesting details and targets, including targeted systems or applications, as well as both general and specific users. Identify staff with influence, special projects, and organizational jargon.
• Assessment: Send phishing emails with appropriate support, which may include phone follow-up. Measure test results, including replies or “click-throughs”, as well as reported fails. Repeat attempts and expand test per rules of engagement. Include results of initial testing in follow up emails to maximize test efficiency and effectiveness.
• Report: Prepare full report on the engagement process and all results.

An effective email phishing assessment can include waves of emails, targeting both new and repeat employees, using information learned from earlier waves to improve targeting and context. We target a wide variety of information, to improve the chances of success. Part of an email phishing assessment challenges your implemented technology – how well are you blocking malicious links or attachments from even reaching employees. Those results are immediately obvious, but it can be difficult to appreciate the impact of negative results targeting your employees. As a result, Evolve Security is committed to ensuring that the results and impacts are as clear and concise as possible through a social engineering briefing, that discusses the results with your appropriate staff – not a one-way briefing, but a conversation about the results to ensure we both understand the impact.

Many penetration test companies do not offer full social engineering assessment services. Penetration test vendors are more focused on the automated technical testing. Those who do perform social engineering often rely on tools and limit the customized portions of the testing, making such tests more “cookie cutter.”

Evolve Security is dedicated to making our email phishing engagement focused on your specific concerns and your staff and environment. Our social engineering assessments are highly customized to you, and focus on the specific users, systems, and applications important to your business operations. The goal of our email phishing testing is to enable you to improve your operational security, improving your control over your operations, and thus increasing both security and reliability.

During email phishing engagements, our security professionals enter findings, such as identified issues and potentially exploitable findings (like passwords, or other sensitive details), directly into our Darwin Attack® portal. We update the portal in a near-real-time basis, not at the end of the test. Providing you access to the same portal used by our testers and security professionals helps maximize the efficiency and effectiveness of your entire testing, remediation, and management process. You get to being remediation, including testing and internal communications earlier, speeding up your remediation process.