It Only Takes ONE

6 Questions to Find Out If You Are REALLY Phishing Your Employees

Over the past few years, we’ve traveled the country with Jack Henry and Associates putting on Cyber Risk Forums for hundreds of banks and credit unions. At each event, we always ask what is keeping you up at night from a cybersecurity perspective. While we get several different answers at each event, PHISHING is always number one – Always. Quite frankly, we do not expect that to change any time soon.

There are so many fresh opportunities (for lack of a better term) to target your institutions these days. As an institution, you are at your most vulnerable point right now. Your employees are working from home using potentially unvetted personal devices. They are getting inundated with coronavirus scams, malware laced email attachments and fake websites spoofed to look like Covid-19 heat maps showing where it is most prevalent.

Search terms like “Coronavirus Map used to spread Malware” or “Coronavirus Scams” or “Nation State Government Hackers Craft Covid-19 Phishing Emails to Distribute Malware.” We could cite several more recent examples of employees clicking on links, or Coronavirus scams, or ransomware attacks. It is endless.

The bad actors, they are busy right now. They prosper in times of crisis. They love using fear to motivate even the most well-trained employees to open an attachment or click a link that know they should not. And all it takes is ONE.

A good example of only needing ONE

In the case below, we conducted two phishing tests with a client of ours, 10 months apart. This was a semi-custom attack using a spoofed leadership email asking for employees to click on a link and update their credentials. As the results show, they had significant improvement across the board, especially in the two key areas, clicked and credentials.

A key note here about these results…..They are not typical. In a lot of cases, we see improvement, sure, but this was significant improvement. This client was extremely concerned with those September outcomes. They had Senior Management buy in to make changes and implement new policies and procedures as needed. In the time between the tests, they spent time answering the questions we pose further down and had Rebyc conduct in person lunch and learn training sessions with all staff.

By all accounts, they did a lot of things right and their results revealed those efforts were successful. Major improvement. But see the ONE in red under the “Creds” header? It mattered. 

The ultimate punch in the gut – this client had recently rolled out multifactor for Microsoft Outlook, one of their key initiatives to improve their security position. However, for some reason, this account, the ONE that provided credentials, had been missed during the roll out. Using those credentials, we were able to access the user’s Outlook 365 mailbox and reviewed their emails for useful information. While reading emails, we discovered a link to their Microsoft Dynamics ERP system which allowed us access to the organization’s finances and expenses.

Simply stated, it is fighting an uphill battle. This example demonstrates how just one single failure by an end-user and one account out of almost 600 being overlooked by IT, can cause a serious data breach. While the bad actors only need to compromise one account or prey on one mistake, the good guys do not have that luxury. Everything and everyone must ALWAYS be protected.

Below are some questions to ask of your own testing practices to see if there is room for improvement.

6 Questions to Ask

To help organizations answer the question “Are You REALLY Phishing Your Employees?” we have put together 6 key points you should be considering when conducting phishing assessments:

  • Is open-source intelligence gathering being utilized to create realistic campaigns?
    • Company website, LinedIn profiles, employee social media accounts, web forums, etc.
  • Have you spoofed someone from within your organization using a misspelled domain or different top-level domain?
    • .net .co .us .info .mobi .live
  • Do you spoof vendors/suppliers that regularly contact employees at your organization?
    • Do you purchase misspelled domains for these vendor-vased campaigns?
  • Are campaigns based on timely, realistic scenarios?
    • WebEx and Zoom invites/installs
    • Covid-19 updates
    • Economic relief scans etc.
  • Do you follow up to your phishing emails with:
    • Text messages?
    • Telephone calls?
    • Another phish?
  • Have you simulated a compromised email account attack against high profile targets within your organization?

If you are not challenging your employees with some of the above scenarios, rest assured someone else will. Because of risk associated with phishing and client conversations, several of our clients engaged Rebyc Security to conduct realistic, fully customized phishing assessments against their organizations.

4 Additional Key Tips to Consider

Here are some tips that Rebyc Security has picked up over the years to help your organization and employees stay safe and remain vigilant against phishing attacks:

  • Vary Your Testing
    • Make sure that systems like KnowBe4 are supplemented with real-world, custom phishing attacks against your organization and/or high-risk employees.
  • Test Spam and Web Filtering
    • Ensure spam filters are tuned to block latest threats.
    • Consider blocking access to uncategorized websites and/or websites less than 30 days old.
  • User Awareness Training
    • Continue to create up-to-date, relevant security related content.
    • Make sure employees understand the risks associated with phishing and the impact of failing.
  • Multi-Factor Authentication
    • For any Internet-facing resources owned or utilized by the organization, MFA should be enabled.

If you have any questions regarding phishing, want to discuss our custom phishing programs any other information security related needs, please feel free to contact us at or via the contact us page at