Phishing attacks: Measuring your Susceptibility

James Moore, Security Consultant
August, 2013

Phishing is a growing threat to organizations, which have more to lose now than ever.

Phishing attacks are designed to deceive individuals into providing sensitive information such as passwords to a malicious third-party, or into performing actions such as downloading malware designed to give an attacker remote control over the victim’s computer. Worryingly, these attacks are becoming increasingly sophisticated, to the extent that often neither the individual nor the organization to which they belong is even aware that an incident has occurred until it is too late.


Typically, these attacks take the form of an email that appears to come from a legitimate entity (for example, an online bank or email account), in order to gain the individual’s confidence, so that they then follow a link and divulge sensitive information. As an Information Security company, we have witnessed these types of breaches occurring ever more frequently, in line with the growth of online services, such as banking and social media. Certainly the kind of information that it is now possible for attackers to intercept over the internet and company intranets makes these attacks very lucrative. Additionally, there is a low barrier to entry as phishing attacks such as this are relatively straightforward to implement and difficult to track and prevent.


Phishing: the unknown

If a phishing attack were launched against your organization today, would your employees be susceptible?


Within many organizations, the susceptibility of employees to phishing attacks is largely unknown. Whilst security testing is now commonplace within organizations and the adoption of common security controls is widespread, there is not a widely-adopted approach to sustainably reducing the risks from phishing threats over the long-term. Whilst policies and processes are often in place to help an organization react to a phishing attack, the effectiveness of any internal reaction to a legitimate attack is often unmeasured, especially if the occurrence of the attack itself has remained undiscovered.


The financial cost of phishing attacks to UK-based organizations, on the other hand, is well known. In 2012, the UK economy lost £405.8m to phishing attacks, an increase of 25% over the £304.4m lost in 2011. RSA reported that in 2012 there were, on average, more than 37,000 unique phishing attacks globally each month, compared with 21,500 per month in 2011. Phishing attacks against organizations are rising in both number and sophistication, and as the quantity, diversity and confidentiality of data stored electronically increases, so does the risk presented by the phishing threat.


The primary issues faced by organizations are how to measure organizational susceptibility to phishing attacks, and how to sustainably reduce the risk posed by such attacks, given that they are increasing in both frequency and sophistication.


Do you really know your security posture?

Whilst a growing number of organizations now have stringent security controls, policies and procedures in place and frequently perform security assessments, these assessments often do not provide any insight into the susceptibility of an organization or its employees to phishing attacks. Instead, security assessments usually focus on more ‘tangible’ vulnerabilities, such as security flaws within software or the misconfiguration of network infrastructure.


To gauge your current security posture in terms of the risk posed by phishing attacks, ask yourself the following questions:

  • As part of your regular security assessments, have you ever performed a controlled phishing attack?
  • Would you expect your employees to click on a malicious link within an email? Would they then go on to disclose authentication credentials or attempt to download a malicious payload?
  • How many employees in your organization would you expect to perform those actions?
  • Which offices and departments within your organization are most likely to be susceptible to a phishing attack?
  • Therefore, do you know where your security training budget is best spent for maximum impact and ‘quick wins’?
  • Have you ever run security awareness campaigns? If so, how effective do you think they were?
  • If there were a phishing attack, would there be an internal response, or would it go unnoticed?
  • Is the response guaranteed to go as per policy and procedure, or would a real world attack be likely to cause chaos and confusion?
  • If there were a response, would it be sufficient to mitigate the risk posed by the attack?
  • Is your organization more or less susceptible to phishing attacks than other organizations within the same market sector?


If you were unable to answer any of the above questions, or if you answered any with uncertainty, then your organization’s security posture could certainly be improved. The susceptibility of an organization, and as such the risk associated with phishing attacks, is widely considered to be difficult to measure.


In some cases, phishing attacks, as an attack vector, are even overlooked entirely. In rare cases, where controlled phishing assessments are performed to measure risk, these are performed as one-time exercises and do not provide sufficient metrics to identify weak areas of an organization. In these cases, the assessment does not have a sustained preventive effect: employees are still likely to click malicious links within emails only a few months after the engagement. Such engagements offer little to no value.


The risk posed by phishing to your organization

Executed well, a phishing attack can extract far more than domain credentials from your organization. An attacker can use phishing attacks as a base to trick employees into downloading and running malicious software, in turn providing an attacker with a long-term, often undetected foothold inside the network, sidestepping traditional security controls. Such a foothold is then often used to gain further access to corporate resources, such as file shares, from which assets can then be extracted.


A more determined attacker can go a stage further still. By enumerating the versions of client-side software, including the browser and plug-ins (in Java for example), as soon as an employee browses a malicious website after clicking a link in a phishing email, the attacker is able to identify and attempt to exploit any vulnerable client-side software accessible via the web-browser. If successful, the attacker would obtain a foothold within your network without the need even to prompt for the download of malicious software.


Once a foothold is obtained, an attacker can attempt to elevate their privilege level and begin to extract confidential data from the corporate network. Such data often includes financial information, such as payroll, client information or sales figures and projections. In many cases, it would also be possible for the attacker to modify data, thus affecting its integrity. Ultimately, the real risk to a business from a successful phishing attack is loss of both money and reputation.


Measurement and mitigation of risk

The first stage of any plan to mitigate the risk posed to an organization by phishing attacks is to measure the current level of susceptibility by performing a controlled attack against employees. Such an attack would ideally target a subset of employees from each department within the organization. If appropriate, employees and departments from different offices should also be included within the test, in order to allow for the identification of any trends across the entire organization. The data returned by such an assessment is invaluable in gauging current levels of susceptibility and providing information such as:

  • Number of users who clicked a malicious link within an email
  • Number of users who entered corporate domain credentials into a phishing website
  • Number of users who attempted to download a malicious executable
  • Breakdown of susceptible employees into various demographics, such as office, department or location
  • Activity over time (were users still clicking malicious links even after the internal security response?)
  • Use of weak passwords within corporate domain credentials
  • Did any employees reply directly to the phishing attack?
  • Comparison against the average susceptibility of other organizations in your market sector


Once a baseline has been established, strategies for mitigating risk should be investigated and implemented. There are a number of approaches that, when combined, are extremely effective in dramatically cutting the overall level of susceptibility:

  1. Perform regular, controlled phishing attacks to maintain a heightened awareness, thus reducing the likelihood of employees clicking suspicious links within emails. Such phishing attacks should use a different ‘scenario’ each time, in order to prevent any attack being instantly recognizable. When performed quarterly or bi-annually, such assessments train employees to be suspicious of all unexpected emails containing links to third-party websites. In addition, regular exercises of this kind provide constant analysis against the baseline assessment and will demonstrate any shift in susceptibility over time and allow for the tracking of company performance.
  2. Perform targeted training after assessments. Based on the data from each controlled phishing attack, look to identify trends in susceptibility within the organization. It may be that your HR department was the most susceptible, or that employees within your London HQ were most likely to enter domain credentials into a third-party website. Use this data to target the most susceptible areas of the business with security training, in order to maximize the effectiveness of your training budget.
  3. Review the internal response after each assessment. Identify key areas of weakness that require improvement. Did the initial attack get spotted by the security team? If not, identify the reason for this and address it through the introduction/modification of policies and procedures. Investigate technical solutions to support the identification of attacks such as the implementation of IDS, IPS or Email Monitoring Solutions. Generally, the efficiency, effectiveness and management of internal responses to phishing attacks and other threats will be enhanced with each assessment.
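To make the assessment metrics listed above and the baseline comparison concrete, here is an added example (my own code, not from the article or from F-Secure) that scores two constructed assessment rounds: click, credential and download rates, the per-department breakdown, clicks that happened after the internal security response, and the percentage reduction against the baseline round. The record layout, department names and response times are assumptions made for the example.

```python
from collections import Counter

# Constructed sample data (not real assessment results). One row per targeted employee:
# (assessment, user, department, clicked_hour, submitted_creds, attempted_download, replied)
# clicked_hour is hours after the email was sent; None means the employee never clicked.
RECORDS = [
    ("Q1", "u01", "HR",      1.0,  True,  True,  False),
    ("Q1", "u02", "HR",      2.5,  True,  False, False),
    ("Q1", "u03", "HR",      9.0,  False, False, True),
    ("Q1", "u04", "Finance", 0.5,  True,  False, False),
    ("Q1", "u05", "Finance", None, False, False, False),
    ("Q1", "u06", "IT",      None, False, False, False),
    ("Q1", "u07", "IT",      3.0,  False, False, False),
    ("Q1", "u08", "Sales",   6.0,  True,  True,  False),
    ("Q1", "u09", "Sales",   None, False, False, False),
    ("Q2", "u01", "HR",      None, False, False, False),
    ("Q2", "u02", "HR",      1.5,  True,  False, False),
    ("Q2", "u03", "HR",      None, False, False, True),
    ("Q2", "u04", "Finance", None, False, False, False),
    ("Q2", "u05", "Finance", None, False, False, False),
    ("Q2", "u06", "IT",      None, False, False, False),
    ("Q2", "u07", "IT",      None, False, False, False),
    ("Q2", "u08", "Sales",   4.5,  True,  False, False),
    ("Q2", "u09", "Sales",   None, False, False, False),
]

def summarise(records, assessment, response_hour):
    """Metrics for one assessment round. response_hour is the (assumed) time, in hours
    after send, at which the security team warned staff; later clicks count as 'late'."""
    rows = [r for r in records if r[0] == assessment]
    total = len(rows)
    clicked = [r for r in rows if r[3] is not None]
    dept_total, dept_clicked = Counter(), Counter()
    for r in rows:
        dept_total[r[2]] += 1
        if r[3] is not None:
            dept_clicked[r[2]] += 1
    return {
        "targeted": total,
        "click_rate": len(clicked) / total,
        "credential_rate": sum(r[4] for r in rows) / total,
        "download_rate": sum(r[5] for r in rows) / total,
        "replied": sum(r[6] for r in rows),
        "late_clicks": sum(1 for r in clicked if r[3] > response_hour),
        "by_department": {d: dept_clicked[d] / n for d, n in dept_total.items()},
    }

def most_susceptible(summary):
    """Department with the highest click rate: the first place to spend training budget."""
    return max(summary["by_department"], key=summary["by_department"].get)

def reduction(baseline, current, metric="click_rate"):
    """Percentage fall in a metric relative to the baseline assessment."""
    return 100.0 * (baseline[metric] - current[metric]) / baseline[metric]
```

Run `summarise(RECORDS, "Q1", 4.0)` and `summarise(RECORDS, "Q2", 4.0)` and pass both to `reduction` to see the quarter-on-quarter change; the late-click count shows whether staff kept clicking after the internal warning went out.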


Controlled phishing attacks: what to expect

Generally, the advantages of regular controlled phishing attacks will be well understood within the technical areas of an organization; however, there are various challenges that must be faced before such assessments are authorized and commissioned. Often, the most significant hurdle is mitigating the risk of upsetting or embarrassing employees. Ensure that any employees who do click malicious links are not reprimanded or patronized, by ensuring that there is a strategy in place to explain the risks posed by phishing attacks and that formal training is provided where appropriate to help employees identify threats going forward.


Another issue is the fact that the assessment may have a detrimental effect on the corporate environment or network. Ensure that your supplier does not use any ‘payload’ for regular phishing assessments, i.e. employees’ attempts to download malicious software are recorded, but no malicious software is actually supplied. Once regular assessments are commissioned, ensure that the key personnel within the organization are aware of the assessment and know how to react, but do this on a need-to-know basis only. Generally, the heads of security and IT should be aware of the assessments, and should be prepared to intervene prior to any unnecessary actions being taken (such as replacing employee workstations). For the first few controlled phishing attacks, expect large numbers of employees to be susceptible. It is not uncommon for 60-70% of employees targeted to click on the malicious links. Generally, there is a small drop-off (typically 5-10%) in employees who supply domain credentials and a further small drop-off (typically 2-4%) in those who then proceed to attempt to download a malicious executable.


In terms of internal response, anticipate some minor chaos for the first assessment. As security policies and procedures relevant to phishing attacks are tested for the first time, there are generally opportunities for improvement going forward. As long as procedures are in place to identify and document these opportunities, then progress can be made going forward, and, with each assessment, the internal response should become more efficient and streamlined. In the event of a real-world phishing attack, the internal response should have progressed to a stage where it is not only efficient but wholly effective.


From a return on investment perspective, the number of employees susceptible to phishing attacks can typically be expected to decrease by upwards of 25% per assessment, with most organizations seeing an overall susceptibility reduction of at least 90% after one year of quarterly controlled phishing assessments.



Despite being a long-established attack vector, phishing is a growing threat to organizations who, with the increasing amount of confidential data being stored electronically, have more to lose now than ever. It is common for organizations to struggle to measure their susceptibility to phishing attacks, with common security controls proving ineffective against the threat, and security assessments often overlooking phishing as a potential attack vector.


Regular phishing assessments performed in a structured, controlled manner provide a means to benchmark decreasing susceptibility over time. They can map out trends within your organization, highlighting patterns in areas of the business that are most vulnerable. In addition to providing accurate metrics that allow the calculation of risk posed to your organization, conducting quarterly or bi-annual phishing attacks helps to maintain a heightened awareness. This will decrease the risk posed to your organization of a real-world attack, typically by upwards of 90%.
