It can be useful to perform simulated phishing attacks on an individual or set of individuals for the purpose of extracting information from a device used by those individuals. A phishing attack is an attempt to acquire sensitive information such as usernames, passwords, credit card details, etc., often for malicious reasons, possibly by masquerading as a trustworthy entity. For example, an email may be sent to a target, the email carrying an attachment that performs malicious actions when executed, or a link to a webpage that either performs malicious actions when accessed or prompts the user to execute a malicious program. Malicious actions may include malicious data collection, actions harmful to the normal functioning of the device on which the email was activated, or any other malicious action capable of being performed by a program or a set of programs.
A method of performing simulated phishing attacks is as follows. A target is defined as the user at whom the simulated phishing attack is directed, i.e. the user that is being tested. A simulated phishing message is sent to the target's address. The message can masquerade as a message from a party known to the target, such as an executive of the company that employs the target. In some embodiments, the message can appear to be sent from a party unknown to the target. The message may be designed to appear interesting to the target and may make an offer or promise, e.g. access to an interesting tidbit of news, access to useful computer software, access to knowledge of how to perform a money-making scheme, or any other thing that may be of interest. In some implementations, the message may request that the target perform a certain action, such as providing sensitive information by replying to the message, or transferring money to an account owned by the attacker and then sending a reply message to confirm that the money has been transferred. The message may request the target to perform any action that could result in a security breach if the simulated phishing message were a real phishing message.
A simulated phishing attack may test the readiness of a security system or users of a system to handle phishing attacks such that malicious actions are prevented. A simulated phishing attack may, for example, target a large number of users, such as employees of an organization. Such an attack may be performed by a party friendly or neutral to the targets of the simulated attack. In one type of simulated phishing attack, an attempt is made to extract sensitive information using phishing methods, and any extracted information is used not for malicious purposes, but as part of a process of detecting weaknesses in security. Performing a simulated phishing attack can help expose weaknesses in the security infrastructure meant to protect users and/or devices from phishing attacks or other computerized, cyber, or digital attacks. It may also expose a lack of vigilance and/or know-how in a user or set of users of a device in minimizing risk associated with such attacks. This can allow a security manager to pinpoint specific issues to be resolved and to bolster security as appropriate. A simulated phishing attack may be performed by e.g. a security manager, or by a third party on behalf of a security manager.
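The bookkeeping side of the method above (per-target tokens in the simulated message, attribution of the target's response, and the report a security manager uses to pinpoint weaknesses), as an added example that is not part of the original text: the campaign class, event names, key value and the four hypothetical employees are all constructed for illustration.

```python
import hashlib
import hmac

EVENTS = ("opened", "clicked", "submitted", "reported")  # events a target can trigger

class SimulatedPhishingCampaign:
    def __init__(self, key: bytes):
        self.key = key          # campaign secret: tokens cannot be guessed or forged without it
        self.targets = {}       # token -> target address
        self.events = {}        # target address -> set of observed events

    def enroll(self, address: str) -> str:
        """Derive the opaque per-target token embedded in the simulated message's link."""
        token = hmac.new(self.key, address.lower().encode(), hashlib.sha256).hexdigest()[:20]
        self.targets[token] = address
        self.events.setdefault(address, set())  # non-responders still appear in the report
        return token

    def record(self, token: str, event: str) -> bool:
        """Attribute a link, landing-page or report event to a target; drop bad tokens/events."""
        address = self.targets.get(token)
        if address is None or event not in EVENTS:
            return False
        self.events[address].add(event)
        return True

    def report(self) -> dict:
        """Campaign-wide rates plus the targets whose behaviour calls for follow-up training."""
        counts = {e: 0 for e in EVENTS}
        needs_training = []
        for address, seen in self.events.items():
            for e in seen:
                counts[e] += 1
            # Submitting data is a breach even if reported afterwards; clicking without
            # reporting shows the lack of vigilance the simulation is meant to expose.
            if "submitted" in seen or ("clicked" in seen and "reported" not in seen):
                needs_training.append(address)
        n = len(self.events)
        return {"targets": n, "counts": counts,
                "click_rate": counts["clicked"] / n if n else 0.0,
                "report_rate": counts["reported"] / n if n else 0.0,
                "needs_training": sorted(needs_training)}

def run_constructed_example() -> dict:
    camp = SimulatedPhishingCampaign(key=b"campaign-secret-placeholder")  # constructed key
    tok = {a: camp.enroll(a) for a in ("alice", "bob", "carol", "dave")}  # hypothetical targets
    for who, ev in (("alice", "opened"), ("alice", "reported"), ("bob", "clicked"),
                    ("bob", "submitted"), ("carol", "clicked")):
        camp.record(tok[who], ev)
    assert not camp.record("not-a-real-token", "clicked")  # unknown token is rejected
    return camp.report()
```

The report lists bob (submitted data) and carol (clicked, never reported) for follow-up, while alice's report and dave's silence count in the target's favour.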