 

This was a simulated phishing test initiated by your employer

 

You have just entered your details on a counterfeit login page. This was a simulated phishing test initiated by your employer. The password you just entered was not actually sent anywhere, so you do not need to change it.


P.S. Please don't tell your colleagues about this test just yet; we want to test everyone individually. After all, attackers also use 'spear-phishing' (phishing emails aimed at specific employees). Thank you!


How to (better) recognize phishing?

  • The message contains a 'wrong' link (URL)
  • Phishing e-mails can often be recognized by a manipulated link. The link (reference) in the phishing message usually appears to be completely valid; in this case it appears to refer to https://ctpczech.sharepoint.com (sharepoint.com as the parent domain looks legitimate, doesn't it?). However, when the user hovers the cursor over the link (without clicking), the real destination shows up, namely: ctp-eu.com. This is a completely different domain that is not owned by CTP at all. If the hyperlink points to a completely different website, it is best to delete the email right away.
  • You are being asked to log in with your company account (such as Office 365, Google Cloud, Amazon) on a page that is not managed by the cloud provider.
  • The usual login flow for cloud-based identities is that you are redirected to the cloud provider (such as login.microsoftonline.com), you enter your credentials there and complete the authentication flow, and you are then returned automatically to the original page where you wanted to log in or sign up. Never enter your Microsoft 365 username and password on a third-party page (one not belonging to the cloud provider); check the domain in the address bar of the login page, not just the logo on the page.
  • The link (URL) contains a misleading domain name
  • Cyber criminals exploit users' lack of knowledge about how domain names are built. The first tip was about checking the link; even a link that has been checked can still mislead, because criminals abuse the domain names of well-known companies and the trust users place in them. A legitimate Microsoft domain name can look like this: download.software.microsoft.com. The registered domain is at the right-hand end (microsoft.com), and everything in front of it, in this case download.software, was chosen by the owner of that domain, so it is legitimate. If the name is instead microsoft.com.download.software.com, the registered domain is software.com, not Microsoft's; the owner of software.com has merely put 'microsoft.com' in front of it to pretend to be Microsoft.
  • The message contains grammatical and spelling errors
  • Although the grammar and spelling of phishing messages have greatly improved compared to a few years ago, a phishing message generally still contains grammar and spelling errors.
  • The message asks for personal information
  • However official a message looks, always be on your guard when it comes to a personal message in which personal information is requested. Your municipality does not need to ask for your social security number, and the bank does not need to ask for your account number, because they already have this information about you. The same applies to passwords: why would a company need to ask for yours?
  • You receive an unexpected message
  • Have you ever received a message that you have won the lottery even though you never bought a lottery ticket? Isn't that a bit strange? The same applies to all kinds of other "offers" where the sender presents himself as a well-known person.
  • Too good to be true
  • If something seems too good to be true, it almost always is. A smartphone is not for sale for €10, and neither is a washing machine. Be careful with offers that look too good to be true.
  • Track an order via a Track & Trace code
  • A popular phishing lure is the tracking of an order. If you receive a message saying that you can track your order via the link in the message, it is best to ignore that link and go directly (or via a search engine) to the carrier's website.
  • Small payment for a large bag of money
  • You are supposedly the "heir" of a rich African prince and are now entitled to a few million. To release those millions you first have to pay a small amount in advance, after which the millions will supposedly be transferred to your bank account. Once you have paid, unexpected costs are added and the process repeats every time, until you stop paying.
  • A message from a "government agency"
  • Although most phishing messages are aimed at financial or personal information, you may also receive a message that is meant to frighten you. For example, a message that appears to come from the police may state that you have downloaded illegal software. You can supposedly settle with the police for a certain amount, after which there will be no prosecution; if you don't pay, you risk a criminal record, or at least that is what they want you to believe. Also be aware that more and more government systems no longer send emails containing links; an example is the notifications of "My Message Box", which never contain links.
  • Something just isn't right
  • Why am I getting this message now? I never asked for this and I am not even a customer of company X. If you feel that something is wrong, do not respond to the message. Check with the sender (via another channel, such as a phone number you already have) why you received this message.
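The three link checks above (visible text versus real target, a legitimate identity-provider login host, and reading the registered domain from the right-hand end of a hostname) can be automated. The script below is an added example written for this page, not code from the awareness program that produced it. The brand list, the allowed login hosts, the tiny public-suffix table and the sample mail body are all constructed assumptions for the example; the page's own `ctpczech.sharepoint.com` / `ctp-eu.com` and `microsoft.com.download.software.com` cases are used as input.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Stand-in for the Public Suffix List with only the suffixes this example needs.
# Real code should use a maintained list (e.g. the publicsuffix2 package):
# "the last two labels" is wrong for names under co.uk and similar suffixes.
PUBLIC_SUFFIXES = {"com", "eu", "co.uk"}

# Assumptions of this example, not taken from the page: brands whose names get
# borrowed, and the only hosts on which a company password may ever be typed.
BRAND_DOMAINS = {"microsoft.com", "sharepoint.com", "google.com"}
IDP_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Link text that is itself a URL or a bare domain name (so it "shows" a host).
DOMAIN_LIKE = re.compile(r"(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


def registrable_domain(host):
    """The part of a hostname that somebody actually registered.

    It sits at the RIGHT end: for download.software.microsoft.com it is
    microsoft.com; for microsoft.com.download.software.com it is software.com,
    whose owner chose the left-hand labels to look like Microsoft.
    """
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest public suffix first, so co.uk wins over uk
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def brand_in_subdomain(host):
    """A known brand name that appears only LEFT of the registrable domain, or None."""
    reg = registrable_domain(host)
    prefix = host.lower()[: -len(reg)].rstrip(".")
    for brand in BRAND_DOMAINS:
        if brand != reg and f".{brand}." in f".{prefix}.":
            return brand
    return None


def is_safe_login_host(host):
    """Exact match against the identity provider's login hosts: a look-alike such
    as login.microsoftonline.com.ctp-eu.com is simply not in the set."""
    return host.lower().rstrip(".") in IDP_LOGIN_HOSTS


def text_host(text):
    """Hostname the reader sees, if the link text looks like a URL or domain."""
    text = text.strip()
    if not DOMAIN_LIKE.fullmatch(text):
        return None
    return urlparse(text if "://" in text else "https://" + text).hostname


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of a mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_links(html):
    """One record per link: its real registrable domain plus any findings."""
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        real, shown, findings = urlparse(href).hostname, text_host(text), []
        real_reg = registrable_domain(real) if real else None
        if real is None:
            findings.append("href has no web hostname")
        elif shown and registrable_domain(shown) != real_reg:
            findings.append(f"text shows {registrable_domain(shown)} but link goes to {real_reg}")
        brand = brand_in_subdomain(real) if real else None
        if brand:
            findings.append(f"{brand} appears only as a subdomain label of {real_reg}")
        results.append({"href": href, "text": text, "real_domain": real_reg, "findings": findings})
    return results


# Constructed sample mail body, not a real message: the first link is the page's
# own example, the second a misleading-domain link, the third is harmless.
SAMPLE_EMAIL_HTML = """
<p>A document has been shared with you.</p>
<a href="https://ctp-eu.com/login">https://ctpczech.sharepoint.com</a><br>
<a href="https://microsoft.com.download.software.com/update">Download update</a><br>
<a href="https://ctpczech.sharepoint.com/sites/hr">https://ctpczech.sharepoint.com/sites/hr</a>
"""

if __name__ == "__main__":
    for r in analyse_links(SAMPLE_EMAIL_HTML):
        print("SUSPICIOUS" if r["findings"] else "ok", r["href"], "; ".join(r["findings"]))
    for h in ("login.microsoftonline.com", "login.microsoftonline.com.ctp-eu.com"):
        print(h, "->", "password allowed" if is_safe_login_host(h) else "do NOT enter credentials")
```

The important design choice is that every comparison is made on the registrable domain computed from the right-hand end of the hostname, never on whether a familiar name appears somewhere in the URL; that is exactly the mistake the misleading-domain trick relies on. The login check is an exact host match rather than a suffix match for the same reason.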

What is a phishing test?

A phishing test measures how your organization holds up against the most common attack vector: email. We developed it because phishing causes damage every year. Phishing is "fishing" for confidential data such as login credentials. Attackers are becoming ever more sophisticated at harvesting credentials by email, and they use the same method to get ransomware or other malicious software installed inside your organization, with all the consequences that entails.


Why is this a good method?

This is a good test because it challenges the organization on several levels. Firstly, a realistic scenario objectively measures how many employees click the link in the email and how many actually submit their details. We also record a number of technical details, such as the operating systems and browser versions in use, which helps in improving technical security. We also test incident response: how long it takes before the phishing email is reported and what actions IT then takes. Finally, we raise the level of awareness by sharing the results of the test within the organization, along with specific do's and don'ts. That is why we help to present the results of the phishing test in a constructive way.
