Phishing our Clients

As an IT Management company, our role is to manage all aspects of our clients' IT systems and needs. Whether we're fixing a computer, building a website, or developing a backup and disaster recovery plan, we take care of everything. We strongly believe in continuous improvement, and we felt one area that needed improvement was educating our clients' staff on IT security, often referred to as Security Awareness and Training. However, we wanted a way to ensure that security awareness and training was a worthwhile investment. After all, when you read about breaches in the news, they often affect larger organizations. You rarely hear about small businesses.

In an effort to demonstrate that small businesses are not immune to security threats, Brian Shrift and Dr. Kevin Slonka, Sr. Systems Engineer at Precision Business Solutions and Computer Science Professor at Pennsylvania Highlands Community College, conducted a research study in which they phished our clients.

Phishing is an email attack in which an attacker masquerades as a trusted source and sends fraudulent emails in an attempt to elicit personal information from the recipient, thus gaining access to their digital life. Our objective was to study the results, use them to further enhance our security awareness and training materials, and look for areas of improvement in educating our clients’ staff.

"Our Phishing study had a 12.9% success rate. The reason that's scary to me is that we've been working with our clients on security training for over a year now, so they're more prepared than most small businesses. So if we were this successful with our clients, I could only imagine how successful we'd be if we phished non-clients."
Brian Shrift, President of Precision Business Solutions.

Articles

The following articles were written utilizing the data provided by the research study:

Phishing our Clients – Small Business Edition
This article was written with the small business owner in mind. It's not overly technical and demonstrates why IT Security training is so important, including how the phishing study could have easily compromised their business.

Phishing Our Clients: A Step Toward Improving Training via Social Engineering
This article is a condensed version of the full research study that was submitted to a peer-reviewed, scholarly journal (pending publication). It is more detailed and technical in nature than the small business article.

Full Study
The full research study includes all details and source code examples.

The following materials were developed as part of this research study, which we’re making publicly available:

Source Code
You may download the source code we developed, which includes the website, database, and a PowerShell script that allowed us to generate individualized spear phishing links for detailed tracking.

Our Phishing Website: https://www.precisionbs.tech/reg.php