To assess cybersecurity risk, organizations often want to determine which users of the organization's computer network and connected devices are most likely to fall victim to a cybersecurity attack. A common way in which a user may expose a system to cybersecurity risk is by falling for a phishing email or other phishing message that asks the user to provide information or take an action and ultimately enables unauthorized third parties to access the organization's systems.
To assess this risk, organizations are increasingly using simulated phishing campaigns to identify the users who are most likely to fall for an actual phishing message. A typical campaign involves sending a simulated malicious message to a group of users and identifying those users who fall for a trap in the fake message (which is sometimes referred to as falling for, or “failing,” the simulated phish). The trap can come in the form of a fake malicious link in the content of the message, a fake malicious attachment, or a fake malicious request for sensitive information. A cybersecurity risk assessment campaign is a campaign that includes directing simulated phishing messages and/or other cybersecurity-related lures to users in order to assess the users' likelihood of falling for the lures and thus exposing systems or data to malware, data breaches, or other cybersecurity risks.
Businesses that conduct simulated phishing campaigns depend on accurate results in order to get the most value out of their efforts. For example, it is common for an organization that conducts simulated phishing campaigns to measure the number of times that each user has failed a simulated phish. Current approaches to measuring this are not always accurate: they can track whether a particular simulated phish was failed, but they cannot always determine whether the user who failed it was actually the intended recipient targeted by the simulated phishing message, rather than someone to whom the message was forwarded.
This document describes a solution that can help identify whether a simulated malicious message has reached its intended recipient, or whether the message has been forwarded to, or otherwise acted upon by, someone else.
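The measurement gap described above can be made concrete in code. The following is an added illustration, not the method claimed by this document or any vendor's implementation: it derives a per-recipient token for each simulated link, records who actually opened the landing page, and contrasts token-only counting (which charges every click to the intended recipient) with counting that charges a failure only when the acting user matches the target. The campaign secret, the recipient names, the click sequence and the assumption that the landing page can observe an authenticated identity (for example from the organization's single sign-on session) are all constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Assumption (not from the page): each campaign holds a secret used to derive
# per-recipient tokens, so a token cannot be guessed or altered by a user.
CAMPAIGN_SECRET = b"example-campaign-secret-do-not-reuse"


def recipient_token(campaign_id: str, recipient: str) -> str:
    """Derive the token embedded in one recipient's simulated link."""
    msg = f"{campaign_id}\x00{recipient}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:32]


class SimulatedPhishCampaign:
    def __init__(self, campaign_id: str, recipients):
        self.campaign_id = campaign_id
        # token -> intended recipient; the token is all the link itself carries
        self.tokens = {recipient_token(campaign_id, r): r for r in recipients}
        self.events = []  # (intended_recipient, acting_user or None)

    def record_click(self, token: str, acting_user):
        """Record a click on a simulated link and classify it.

        acting_user is the identity observed when the landing page was opened
        (assumed here to come from an SSO session); None when the page could
        not tell who opened it.
        """
        intended = self.tokens.get(token)
        if intended is None:
            return "unknown_token"      # not one of this campaign's links
        self.events.append((intended, acting_user))
        if acting_user is None:
            return "unattributed"
        if acting_user == intended:
            return "failed"
        return "forwarded"              # someone other than the target acted

    def naive_failures(self) -> Counter:
        """Token-only counting: every click is charged to the intended recipient."""
        return Counter(intended for intended, _ in self.events)

    def attributed_failures(self) -> Counter:
        """Charge a failure only when the acting user is the intended recipient."""
        return Counter(i for i, a in self.events if a == i)

    def forwarded(self):
        """(intended, actor) pairs where someone else acted on the message."""
        return [(i, a) for i, a in self.events if a is not None and a != i]

    def unattributed(self):
        """Targets whose link was clicked without an identifiable actor."""
        return [i for i, a in self.events if a is None]


if __name__ == "__main__":
    # Constructed click sequence: alice opens her own link, carol opens a link
    # that was sent to bob, bob's link is opened once more by an unknown actor.
    c = SimulatedPhishCampaign("q3-campaign", ["alice", "bob"])
    c.record_click(recipient_token("q3-campaign", "alice"), "alice")
    c.record_click(recipient_token("q3-campaign", "bob"), "carol")
    c.record_click(recipient_token("q3-campaign", "bob"), None)
    print("token-only failures:", dict(c.naive_failures()))
    print("attributed failures:", dict(c.attributed_failures()))
    print("forwarded:", c.forwarded())
    print("unattributed:", c.unattributed())
```

In the token-only view bob is charged two failures although he never acted on the message; the attributed view charges none to him, surfaces that his link was acted upon by carol, and keeps the click without an identifiable actor separate rather than silently assigning it to the target. Which identity signal the landing page can rely on, and how it handles a session that is absent or belongs to a shared device, is exactly the part an implementation has to get right.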