Top Learnings From Phishing Drill

Article submitted by Suryanarayanan K, Central Bank Of India

Phishing attacks are one of the most common security challenges that both individuals and organizations face in keeping their information secure. Phishing is the attempt to obtain sensitive information such as usernames, passwords, credit/debit card details etc., often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. Phishing is typically carried out by email spoofing, and it often directs users to enter personal information at a fake website whose look and feel are almost identical to the legitimate one. Phishing emails may also contain links to websites that are infected with malware.

One effective method to assess the awareness level among staff is to conduct a phishing drill, wherein a phishing mail is sent to the mail ids of staff. The mail can contain a link (an intranet link) where staff are prompted to fill in certain details. Subsequent analysis, such as the number of staff who opened the mail, the number who clicked the link provided, and the number who provided the details asked for, helps in assessing the awareness level. It must be ensured that no critical/sensitive information is collected from staff, to avoid any possible misuse of it.

Such a drill was conducted recently in the organization; the details are as follows:

  • A webpage on the organization’s intranet server was created for staff to input the details.
  • A separate temporary mail server, outside the organization’s domain, was created for sending the mail to all staff. The domain used was different from, but looked similar to, the actual domain.
  • A mail was sent to all staff (wherever mail ids were available), asking for certain details and requesting them to provide the details by clicking the link in the body of the mail. Though the information sought was not so critical (considering the possible misuse of it), some sort of urgency was created in the mail, as actual phishing mails do.
  • The drill was very successful in the sense that nobody recognized it as an exercise conducted by the organization.
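The analysis the drill calls for (how many staff opened the mail, clicked the link, submitted details, or reported the mail, overall and per controlling office) can be computed from a simple response log. The script below is an added example with constructed sample records, not the bank's data or tooling; office names and the record layout are assumptions.

```python
"""Funnel analysis of phishing-drill responses on constructed sample data."""
from collections import Counter

# Funnel stages in order; reaching a later stage implies the earlier ones.
STAGES = ("opened", "clicked", "submitted")

# Constructed sample (not the bank's data): one record per staff mailbox targeted.
# "stage" is the furthest stage reached ("none" if the mail was never opened);
# "reported" records whether the staff member escalated the mail to CISO/IRT.
SAMPLE_RECORDS = [
    {"office": "Zone-A", "stage": "submitted", "reported": False},
    {"office": "Zone-A", "stage": "submitted", "reported": False},
    {"office": "Zone-A", "stage": "clicked", "reported": False},
    {"office": "Zone-A", "stage": "opened", "reported": True},
    {"office": "Zone-B", "stage": "opened", "reported": True},
    {"office": "Zone-B", "stage": "opened", "reported": True},
    {"office": "Zone-B", "stage": "none", "reported": False},
    {"office": "Zone-B", "stage": "submitted", "reported": False},
]


def funnel(records):
    """Count targeted/opened/clicked/submitted/reported over a set of records."""
    counts = Counter(targeted=len(records))
    for rec in records:
        if rec["stage"] in STAGES:
            # credit every stage up to and including the one reached
            for stage in STAGES[: STAGES.index(rec["stage"]) + 1]:
                counts[stage] += 1
        if rec["reported"]:
            counts["reported"] += 1
    # every key present even when its count is zero
    return {k: counts[k] for k in ("targeted",) + STAGES + ("reported",)}


def rates(counts):
    """Express each stage as a percentage of mailboxes targeted."""
    total = counts["targeted"] or 1
    return {k: round(100.0 * v / total, 1) for k, v in counts.items() if k != "targeted"}


def by_office(records):
    """Per-office funnel, which shows where an alert from a controlling office suppressed submissions."""
    offices = sorted({rec["office"] for rec in records})
    return {o: funnel([r for r in records if r["office"] == o]) for o in offices}


if __name__ == "__main__":
    overall = funnel(SAMPLE_RECORDS)
    print("overall:", overall, rates(overall))
    for office, counts in by_office(SAMPLE_RECORDS).items():
        print(office, counts, rates(counts))
```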

A summary of the response by staff is as follows:

  • Some of the staff reported the receipt of the mail to their controlling offices and also to the CISO, through mail/phone, and requested confirmation of the genuineness of the mail.
  • Some of the offices advised the offices/staff under their control that it was a fraudulent mail and not to provide the information asked for in the mail.
  • Some of the staff reported the receipt of the mail to the incident response team of the organization.
  • Some of the staff reported that the link was not opening at their end for providing the required details, which indicates that they would have ended up providing the details had the link opened.
  • A good portion of staff from various offices across the country clicked the link and provided the details.

Observations/findings from the drill are as follows:

  • A good portion of the staff are aware of such phishing mails and the harm associated with them. They are aware that such mails are not to be responded to.
  • A major portion of the staff are not aware of such phishing mails. Considering the urgency mentioned in the mail, they provided the details asked for in the mail. They also could not identify the difference in the domain name used for sending the mail.
  • Since certain departments/staff alerted the branches under their control, most of the branches/officials did not submit the details. If the exercise had targeted a narrower group, say branches only, the number of staff clicking the link and submitting the details might have been higher.
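Staff did not notice that the sender domain differed from the organization's real domain, which is exactly the kind of check a mail gateway or help-desk triage script can do mechanically. The following is an added example, not the bank's code; the domains are constructed placeholders, and the two heuristics (small edit distance, or the real domain's main label embedded in the sender's label) are a warning signal to verify, not proof of phishing.

```python
"""Flag sender domains that resemble, but are not, the organization's own domain."""

# Constructed placeholder for the organization's real domain (assumption).
LEGIT_DOMAIN = "examplebank.example"


def edit_distance(a, b):
    """Levenshtein distance between two strings (dynamic programming, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Extract the domain from 'Name <user@domain>' or 'user@domain' forms."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()


def is_lookalike(domain, legit=LEGIT_DOMAIN, max_distance=2):
    """True when domain imitates legit: either within max_distance edits of it,
    or carrying legit's main label inside its own main label. The real domain and
    its subdomains are never flagged."""
    domain = domain.lower()
    if domain == legit or domain.endswith("." + legit):
        return False
    if edit_distance(domain, legit) <= max_distance:
        return True  # e.g. a single swapped or dropped character
    legit_label = legit.split(".")[0]
    return legit_label in domain.split(".")[0]  # e.g. "<legit>-support.<tld>"


def classify(addresses):
    """Map each sender address to whether its domain looks like an imitation."""
    return {addr: is_lookalike(sender_domain(addr)) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample senders, not from the drill
    for addr, flagged in classify([
        "it-helpdesk@examplebank.example",
        "alerts@mail.examplebank.example",
        "IT Helpdesk <security@examp1ebank.example>",
        "helpdesk@examplebank-support.example",
        "newsletter@vendor.example",
    ]).items():
        print(("LOOKALIKE " if flagged else "ok        ") + addr)
```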

Considering the above, there is a need to improve the awareness level among staff, on a continuous basis.

An advisory, with special reference to the phishing drill conducted and instructions on what staff are supposed to do on receipt of such mails, was subsequently sent to all staff.
