Over the last year I’ve noticed that small- to medium-sized organizations have done a better job reacting to vulnerabilities and zero days. As a result, attackers have pivoted to different methods. Rather than attacking our operating systems directly, attackers have targeted remote access tools, our consultants and vendors, and, most importantly, our users via phishing attacks.
Companies have attempted to “patch the human” with phishing simulations. These simulations are often less than ideal and sometimes unethical. In December 2020, GoDaddy sent a phishing simulation to more than 7,000 of its employees: an email, apparently from the company, offering a $650 Christmas bonus and asking recipients to fill out a form with their personal details. Nearly 500 employees failed the simulation.