Phishing Exposure & Education
This project was conducted with a multi-location client offering furniture and home goods to business
and retail customers on-line and through multiple showrooms in the Northeast. The company employs
over 300 staff. Since the company sells at retail and takes credit cards at the showrooms and
online, it is subject to the PCI standards.
NCS has held the firm as a client for several years. In that time NCS has conducted vulnerability scans and penetration tests of
the networks and web applications, as well as security policy review and development.
With the proliferation of phishing schemes and ransomware attacks, NCS recommended that the firm
conduct “phishing exposure” exercises to gauge its exposure to such attacks more fully.
The client responded enthusiastically to the NCS proposal and the project commenced during 2019.
The Project
NCS initiated an unannounced test of the total employee population by sending “fake” emails to each employee. These emails resembled certain well-known phishing schemes and were not terribly sophisticated in their implementation or scope.
The result of this first test showed a 45% success rate, that is, ~135 employees fell for it on our
first attempt.
In light of this early result, the client agreed that NCS should immediately provide the employees with education showing the test emails that were sent, explaining the result, providing guidance that would enable employees to identify suspicious emails, and giving instructions on what to do if they saw any questionable emails. In addition, the client altered its email policy to give the employees guidance regarding the actions to be taken.
After a month went by, NCS mounted a second, more sophisticated attack. This time ~15% of the employees clicked: a much better result against a more sophisticated attack. The training was given again; this time it was more in-depth, covering more sophisticated and subtle attacks. The
employees have responded enthusiastically to the training and we expect the attack success rate to decrease dramatically again.
Initially the NCS training session was given on-site at the company headquarters, but subsequent sessions will be given on-line due to the constraints imposed by Covid-19.