PhishMe, a new security SaaS offering from the Intrepidus Group, enables companies to launch mock phishing attacks against their own employees in the name of improving e-mail security.
The Intrepidus Group has put its own spin on the axiom about teaching a man to fish.
In this case, the information security vendor is teaching companies to phish, not
so they can feed themselves, but so they can educate their employees on the threats.
Through Intrepidus' new software-as-a-service platform PhishMe,
organizations can simulate phishing attacks and perform user awareness training,
creating what the vendor calls a "human firewall."
Founded last year, the New York-based company is not sailing in uncharted
waters with the service, as many companies hire penetration testers and other
security experts to perform assessments. But with spear phishing on the
rise, officials at Intrepidus feel the service can help organizations improve
internal security awareness.
"We developed a Web-based portal, which is PhishMe.com,
which allows our clients to drive the creation and execution of mock phishing
exercises," said Intrepidus CEO Rohyt
Belani. "We provided them all the tools ... so in under 30 minutes they can
actually set up a mock phishing attack [that] closely mimics a real phishing
attack that a spear phisher would execute against the employees."
Studies have shown that spear phishing, which involves targeted attacks against a
specific domain or organization, has picked up in the past several months. Officials at
VeriSign's iDefense Labs reported last month that 15,000 people fell victim to
spear phishing attacks by two different groups during the preceding 15 months.
Intrepidus provides templates to help organizations simulate attacks and
allows organizations to measure, track and report on employees' responses to
"One of the most popular things that phishers do is they play tricks with
the URL parameters and what the link is displayed as ... so we provide a whole
host of tools to do exactly like they do," said Aaron Higbee, chief technology
officer of Intrepidus. "You can use our IP addresses, you can use domains that
we've created, or if you really want to make an authentic phishing site, you
can register your own look-alike domain, point it to our servers and use that
for your phishing scenario."
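The two tricks Higbee describes, a link whose visible text names one site while its href goes elsewhere, and a look-alike domain standing in for the real one, are easy to reproduce and just as easy to check for. The following is an added example, not PhishMe's code or any Intrepidus tool: it builds a mock phishing message in that style and then audits the anchors in it the way a mail filter or an awareness reviewer would. The domains (example-bank.com, exarnple-bank.com), the campaign query parameters and the small table of confusable substrings are all constructed for the example.

```python
"""Mock phishing link construction and the matching audit (added example).

Assumptions: TRUSTED_DOMAIN is the brand being imitated, CONFUSABLES is a
hand-picked subset of substitutions seen in look-alike domains, and the
sample message built by build_mock_phish() is constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example-bank.com"  # assumed brand domain for the scenario

# Substitutions that make a look-alike host read like the real one in
# proportional fonts ("rn" for "m", "vv" for "w", ...). Subset, assumed.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}


def normalize_domain(host: str) -> str:
    """Fold confusable substrings so 'exarnple' compares equal to 'example'."""
    host = host.lower()
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def is_lookalike(host: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True when host is not the trusted domain (or a subdomain of it)
    but folds to it after confusable substitution."""
    host = host.lower()
    if host == trusted or host.endswith("." + trusted):
        return False
    norm = normalize_domain(host)
    return norm == trusted or norm.endswith("." + trusted)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def build_mock_phish(lure_domain: str) -> str:
    """Constructed lure: the anchor text shows the real bank's URL while the
    href points at the lure domain and carries a per-recipient tracking id."""
    return (
        "<p>Your account requires verification. Click "
        f'<a href="http://{lure_domain}/login?campaign=42&amp;uid=alice">'
        f"https://{TRUSTED_DOMAIN}/secure/login</a> within 24 hours.</p>"
    )


def audit_links(html: str) -> list:
    """Return one (link_host, reasons) tuple per anchor; empty reasons = clean."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        parsed = urlparse(href)
        link_host = parsed.netloc.lower()
        reasons = []
        # Trick 1: the visible text is itself a URL naming a different host.
        if "://" in text or text.startswith("www."):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).netloc.lower()
            if shown_host and shown_host != link_host:
                reasons.append(f"display host {shown_host!r} != link host {link_host!r}")
        # Trick 2: the real destination is a look-alike of the trusted domain.
        if is_lookalike(link_host):
            reasons.append(f"look-alike of {TRUSTED_DOMAIN}")
        # Extra signal: a credential page served over plain http.
        if parsed.scheme == "http" and "login" in parsed.path:
            reasons.append("login link over plain http")
        findings.append((link_host, reasons))
    return findings


if __name__ == "__main__":
    for host, reasons in audit_links(build_mock_phish("exarnple-bank.com")):
        print(host, "->", "; ".join(reasons) or "ok")
```

Run as a script it prints the three findings for the constructed lure (display/link host mismatch, look-alike domain, plain-http login link); fed a message whose anchor text and href both name example-bank.com it reports the link as clean. The confusable table is deliberately small; a production check would use a full Unicode confusables list and compare against every brand domain the organization cares about.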
Companies can design the test so that an employee who clicks on the link
will be directed to training materials or keep the simulation going to see if
the person will respond to requests to enter sensitive data such as passwords.
on the Web site overrides anything users actually input into fields during
The goal of PhishMe.com is to provide what Higbee called a "phishing tackle
box" that can be used to emulate the different techniques out in the wild.
"We're really there just to provide them the tools and also to help
them to get the data they need in order ... [to] get their people trained,"