A publicly traded healthcare services organization was interested in testing the security acumen of their employees to better understand the effectiveness of their internal security awareness training and their potential exposure to email phishing scams.
Baker Tilly worked with the client to develop a custom email phishing campaign that would test how susceptible their employees were to phishing emails and attempt to capture employee credentials for use in the external penetration testing activities.
Baker Tilly's email phishing campaign encountered a layered approach to email security: our phishing emails were caught by the organization's email security filters at several levels. Once the phishing emails were whitelisted, our campaign resulted in a few employees clicking the link in the email, but no employees entered their credentials into our testing website. Overall, the client felt their technical security controls were operating effectively, but wanted to enhance some of their internal security awareness training to reduce the number of employees who clicked the phishing link.