Protecting Against Social Engineering

Cybersecurity is becoming a focus for almost all businesses. One of the most common ways to gain information is not through the latest software security hole, but through social engineering. Social engineering is the art of manipulating people, usually to get them to provide information or take some action.

Companies are starting to train their employees on this matter and are also attempting to check employee susceptibility to social engineering. They use social engineering software to generate realistic phishing and spear phishing emails and test how their employees respond to them.

An employee might receive an email that claims to be from IT and says the employee needs to change their password by following a link. The link leads to a web page that asks for the employee's old password and a new password. Employees who enter the password receive a talking-to from the security team. If the email had come from a real attacker, the employee would have just handed the attacker a login to the company.

There are a number of companies that provide phishing templates and monitoring software to simplify the creation of phishing tests. This helps companies identify and work with the employees who would be vulnerable to this type of attack.

I expect the practice of sending fake phishing emails to expand to customers. I would expect banks to start sending emails to figure out which of their customers would give up their account or credit card numbers to a phishing attack. The results of these tests would identify customers that would be vulnerable to phishing attacks and could benefit from more attention.

I will make a prediction that you will start to see phishing tests from businesses starting this year. Hopefully this will lead to people being able to identify phishing attacks and treating emails they receive a little more skeptically.

