Email Phishing Assessment

Our Email Phishing Assessment helps you determine the effectiveness and efficiency of your human controls and technology used to manage phishing attacks.

Strengthening Email Security with Phishing Assessments

Email phishing attacks have increased in both sophistication and frequency over the past several years. They are commonly included in dedicated attacks and are regular components of serious attacks such as ransomware and advanced persistent threats.

Phishing attacks come in many forms, including email, social media, phone calls, text messages, and even physical mail. Email phishing uses social engineering techniques to trick targets into providing sensitive information or performing an action, such as clicking on a malicious link or downloading a malicious attachment. Such attacks can lead to the compromise of a single system or of the entire organization, exposing all of your internal information, including login credentials, proprietary secrets, or sensitive financial information.

Your security program is not complete unless it includes active components specifically designed to combat email phishing attacks. This includes user training to ensure users understand how such attacks work, as well as technology controls designed to help reduce the chances that these attacks even reach end users.

Our email phishing assessments help provide full-coverage security for clients. Offered by themselves or in concert with complementary services, they help you understand how well you are enabling your employees to support the most secure operations they can. Not only does a social engineering assessment include an engagement-specific report, but our security professionals also update the Darwin Attack® portal with key findings. This means you don’t need to wait for the report to start remediation. You can start fixes immediately, making the best use of the information in our collaboration portal.

Our email phishing assessment solutions

Evolve Security’s email phishing assessments include a variety of approaches designed to test your staff readiness as well as supporting technical controls. This includes a process similar to most security assessment services:

  • Define the scope: Scope the test to ensure we have well-defined testing goals and rules of engagement. Agree on the targeted staff, departments or other organizational groupings. Agree on specific goal systems, applications, and information. Define the approved testing window. Define the escalation process and rules if the test is clearly identified by your organization.
  • Complete reconnaissance: Research the public face of your organization (including social media) to determine potentially interesting details and targets, including targeted systems or applications, as well as both general and specific users. Identify staff with influence, special projects, and organizational jargon.
  • Assessment: Send phishing emails with appropriate support, which may include phone follow-up. Measure test results, including replies or “click-throughs”, as well as reported fails. Repeat attempts and expand the test per the rules of engagement. Include results of initial testing in follow-up emails to maximize test efficiency and effectiveness.
  • Report: Prepare full report on the engagement process and all results.

An effective email phishing assessment can include waves of emails, targeting both new and repeat employees, using information learned from earlier waves to improve targeting and context. We target a wide variety of information to improve the chances of success. Part of an email phishing assessment challenges your implemented technology: how well are you blocking malicious links or attachments from even reaching employees? Those results are immediately obvious, but it can be difficult to appreciate the impact of negative results targeting your employees. As a result, Evolve Security is committed to ensuring that the results and impacts are as clear and concise as possible through a social engineering briefing that discusses the results with your appropriate staff. This is not a one-way briefing, but a conversation about the results to ensure we both understand the impact.

Modernize your email phishing assessment approach

Many penetration test companies do not offer full social engineering assessment services. Penetration test vendors are more focused on the automated technical testing. Those who do perform social engineering often rely on tools and limit the customized portions of the testing, making such tests more “cookie cutter.”

Evolve Security is dedicated to making our email phishing engagement focused on your specific concerns and your staff and environment. Our social engineering assessments are highly customized to you, and focus on the specific users, systems, and applications important to your business operations. The goal of our email phishing testing is to enable you to improve your operational security, improving your control over your operations, and thus increasing both security and reliability.

During email phishing engagements, our security professionals enter findings, such as identified issues and potentially exploitable findings (like passwords, or other sensitive details), directly into our Darwin Attack® portal. We update the portal on a near-real-time basis, not at the end of the test. Providing you access to the same portal used by our testers and security professionals helps maximize the efficiency and effectiveness of your entire testing, remediation, and management process. You get to begin remediation, including testing and internal communications, earlier, speeding up your remediation process.

Our email phishing assessments continue to evolve

Like all components of social engineering, an email phishing assessment tends to be a highly customized offering, highly dependent on the specific organization. Tools and automation play a significant part in testing, and Evolve Security constantly updates its tool sets to help ensure that we are using the best tools available for the given engagement. Our team of security professionals constantly monitors developments in social engineering and email phishing standards, and updates processes and standards as appropriate. We also hold regular project review sessions and update our internal standards to help ensure we are assessing to at least standards of good business practice, based on the practices of current clients. Every engagement includes review of our own benchmarks to help ensure that we are assessing to the most appropriate set of controls.
