Security Service Tests Staff Vigilance Against Phishing Attacks

PhishMe, a new security SAAS offering from the Intrepidus Group, enables companies to launch mock phishing attacks against their own employees in the name of improving e-mail security.

The Intrepidus Group has put its own spin on the axiom about teaching a man to fish.

In this case, the information security vendor is teaching companies to phish-not so they can feed themselves, but so they can educate their employees on the threats they face.

Through Intrepidus' new software-as-a-service platform PhishMe, organizations can simulate phishing attacks and perform user awareness training, creating what the vendor calls a "human firewall."

Founded last year, the New York-based company is not sailing in uncharted waters with the service, as many companies hire penetration testers and other security experts to perform assessments. But with spear phishing on the rise, officials at Intrepidus feel the service can help organizations improve internal security awareness.

"We developed a Web-based portal which is, which allows our clients to drive the creation and execution of mock phishing exercises," said Intrepidus CEO Rohyt Belani. "We provided them all the tools ... so in under 30 minutes they can actually set up a mock phishing attack [that] closely mimics a real phishing attack that a spear phisher would execute against the employees."

Studies have shown spear phishing, which involves targeted attacks against a domain or organization, has picked up in the past several months. Officials at VeriSign's iDefense Labs reported last month that 15,000 people fell victim to spear phishing attacks by two different groups during the preceding 15 months.

Intrepidus provides templates to help organizations simulate attacks and allows organizations to measure, track and report on employees' responses to the tests.

"One of the most popular things that phishers do is they play tricks with the URL parameters and what the link is displayed as ... so we provide a whole host of tools to do exactly like they do," said Aaron Higbee, chief technology officer of Intrepidus. "You can use our IP addresses, you can use domains that we've created, or if you really want to make an authentic phishing site, you can register your own look-alike domain, point it to our servers and use that for your phishing scenario."

Companies can design the test so that an employee who clicks on the link will be directed to training materials or keep the simulation going to see if the person will respond to requests to enter sensitive data such as passwords. PhishMe does not collect sensitive information, Higbee said, explaining that JavaScript on the Web site overrides anything users actually input into fields during tests.

The goal of is to provide what Higbee called a "phishing tackle box" that can be used to emulate the different techniques out in the wild.

"We're really there just to provide them the tools and also to help them to get the data they need in order ... [to] get their people trained," Higbee said.