Simulated phishing: Uncovering vulnerabilities for better cyber security

Johannesburg, 27 Nov 2023
Phishing scams deceive people into revealing sensitive information.

After a successful Cyber Security Awareness Month, our commitment to raising awareness around online safety persists, with a particular emphasis on phishing. 

Phishing remains our primary focus for education because its pervasive and evolving nature poses significant threats to individuals and organisations. We keep emphasising phishing with our networks because it is a relentless and adaptable form of cyber attack that preys not on technology but on human error, making it a constant concern for modern organisations of all types and sizes.

Phishing scams are incredibly effective in deceiving individuals into revealing sensitive information. This, coupled with the evolving tactics used by cyber criminals, solidifies the importance of ongoing education and vigilance against this pervasive threat. In this press release, we will provide you with a comprehensive guide on phishing, its types, detection methods and how individuals and businesses can protect themselves from this ever-present danger.

What is phishing and how does it work?

Phishing is a malicious cyber attack in which attackers pose as trusted entities to deceive individuals into revealing sensitive information such as login credentials, personal details or financial data.

Typically, phishing attempts occur through e-mail, text messages or social media. Attackers use various tactics to achieve their goals, including creating convincing messages that mimic legitimate organisations and employing urgent, tempting or threatening language to manipulate victims into taking actions such as clicking on malicious links or divulging confidential information.

Once victims comply with these deceptive tactics, attackers gain access to sensitive information, which they can use for nefarious purposes.

* Need to know more about phishing? Why not take a look at a recent KHIPU article: ‘What is phishing? A quick-fire guide’…

The many faces of phishing

There are several types of phishing attacks, each with its own unique characteristics:

  1. E-mail phishing: This is the most common form of phishing, where attackers use fake e-mails to trick recipients.
  2. Spear phishing: Similar to e-mail phishing, but more targeted, as attackers tailor messages to specific individuals or organisations.
  3. Pharming: This involves redirecting victims to fraudulent websites that trick them into submitting sensitive information.
  4. Vishing: Phishing via phone calls, where attackers pose as trusted individuals or organisations.
  5. Smishing: Phishing through text messages (SMS), where victims receive malicious links or requests for personal information.
  6. Whaling: Targeting high-profile individuals, such as CEOs or executives, to steal sensitive corporate data.
  7. BEC (business e-mail compromise): Attackers impersonate trusted entities to trick victims into making financial transfers or revealing sensitive data, often by sending fraudulent invoices.

Detecting phishing e-mails

Detecting phishing e-mails can be a challenging task, but there are some telltale signs to watch out for:

  1. Check the sender's e-mail address: Verify if it matches the official domain of the organisation. Legitimate organisations rarely use Gmail or other generic domains for official communications.
  2. Look for spelling and grammar errors: Phishing e-mails often contain mistakes, as attackers may not be proficient in the language they're using.
  3. Examine URLs: Hover your mouse over links to reveal their actual destination without clicking on them.
  4. Be cautious of urgent or suspicious requests: Scammers often create a sense of urgency through threatening or tempting language.
  5. Check for generic greetings: Legitimate organisations usually use your name rather than addressing you as "Dear Customer".
  6. Verify with the organisation: If you have doubts about the e-mail's authenticity, contact the organisation independently to confirm its legitimacy.
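The checks in the list above (sender domain, generic greeting, urgency language, and link text that disagrees with the real link target) can be automated. The script below is an added example, not KHIPU's code or service: it parses a raw e-mail with Python's standard library and reports which signs it finds. The two sample messages, the keyword lists, the fictitious example-bank.com organisation and the `expected_domain` parameter are all constructed for this example.

```python
"""Heuristic phishing e-mail checker (added example; sample data is constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed keyword lists; a real filter would use larger, tuned ones.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account",
                 "within 24 hours", "act now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear sir/madam")
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class _HtmlText(HTMLParser):
    """Collect visible text plus (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels; a simplification (no public-suffix list) for this example."""
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])


def host_of(url):
    """Hostname of a URL; a bare 'www.example.com/x' is treated as http://."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.IGNORECASE):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def extract_body(msg):
    """Return (visible text, [(href, shown text)]) from the text/plain and text/html parts."""
    text, links = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            parser = _HtmlText()
            parser.feed(payload)
            text.append(" ".join(parser.text))
            links.extend(parser.links)
        else:
            text.append(payload)
            # In plain text the URL is its own visible text, so only its domain can be judged.
            links.extend((u, u) for u in re.findall(r"https?://\S+", payload))
    return "\n".join(text), links


def analyse(raw_message, expected_domain):
    """Return {finding_code: explanation} for the warning signs present in the message."""
    msg = message_from_string(raw_message)
    expected = expected_domain.lower()
    findings = {}
    # Sender address domain versus the organisation's official domain.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if registrable_domain(sender_domain) != expected:
        findings["sender-domain"] = f"From domain '{sender_domain}' is not '{expected}'"
    body, links = extract_body(msg)
    # Generic greeting in the opening lines.
    if any(g in body.strip().lower()[:200] for g in GENERIC_GREETINGS):
        findings["generic-greeting"] = "message opens with a generic greeting"
    # Urgent or threatening language in subject or body.
    hits = [w for w in URGENCY_WORDS if w in (msg.get("Subject", "") + "\n" + body).lower()]
    if hits:
        findings["urgency"] = "urgency/threat language: " + ", ".join(hits)
    # Link text that disagrees with the real target (what hovering over the link reveals).
    for href, shown in links:
        target = host_of(href)
        if URL_LIKE.match(shown) and host_of(shown) != target:
            findings["link-mismatch"] = f"link text shows {host_of(shown)} but points to {target}"
        elif registrable_domain(target) != expected:
            findings["link-offdomain"] = f"link points to {target}, outside {expected}"
    return findings


# Constructed sample messages for a fictitious organisation, example-bank.com.
PHISHING_SAMPLE = """\
From: "Example Bank Security" <security@example-bank-alerts.com>
To: customer@example.org
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We detected unusual activity. You must verify your account within 24 hours.</p>
<p><a href="http://login.example-bank-alerts.com/verify">https://www.example-bank.com/secure</a></p>
</body></html>
"""
LEGIT_SAMPLE = """\
From: "Example Bank" <noreply@example-bank.com>
To: customer@example.org
Subject: Your November statement is ready
Content-Type: text/plain; charset=utf-8

Hello Jane,

Your statement for November is now available. Sign in at
https://www.example-bank.com/statements to view it.
"""
```

Running `analyse(PHISHING_SAMPLE, "example-bank.com")` reports all four signs, while the legitimate statement notice produces no findings. The heuristics are deliberately simple; in practice they complement, rather than replace, the e-mail filtering and reporting processes described later in this release.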

What can businesses and individuals do to protect themselves against phishing?

Both organisations and individuals can take several actions to protect themselves from phishing attacks:

  1. Education and training: Regularly educate and train employees or individuals on how to recognise phishing attempts and best practices to prevent them.
  2. E-mail filtering: Organisations should invest in e-mail filtering systems to detect and block phishing e-mails.
  3. Multi-factor authentication (MFA): Implement MFA for accessing sensitive accounts and services to add an extra layer of protection.
  4. Reporting process: Have a dedicated process in place to report phishing attempts to the appropriate authorities or IT/security departments.

Simulated phishing – it’s just the first step in protecting your assets

Historically, one incredibly valuable tool in the fight against the threat of phishing has been the deployment of simulated phishing and awareness training services. These services help organisations identify vulnerabilities and fortify their cyber security posture. They provide insights into how employees engage with simulated threats, thus determining the overall awareness and susceptibility of the workforce to phishing attacks.

To date, KHIPU’s cyber security team have carried out over 500 simulations, sending a total of 1.5 million e-mails and helping customers, across several verticals, track how their employees engage with these simulated threats so they can gain insights into the overall level of awareness and susceptibility of their workforce to phishing attacks. This, followed by regular awareness initiatives, has helped reduce the risks associated with these e-mail-based attacks.

Common weaknesses exposed by simulated phishing

Our many simulated phishing campaigns have revealed several common weaknesses within organisations:

  1. Poorly defined security incident response plan: Many organisations lack effective incident response procedures, highlighting the need for 24x7 threat monitoring, detection and response.
  2. Poorly configured e-mail security: Mail authentication and security protocols are often absent or poorly configured, leaving organisations vulnerable to e-mail spoofing and phishing.
  3. Weak password practices and lack of MFA: Many organisations have not implemented MFA, making password compromise easier.
  4. Insufficient staff awareness programmes: Generic cyber security awareness is not enough. Organisations need to provide ongoing training and updates on new threats to foster a culture of vigilance.
  5. Poor endpoint security: Many organisations lack up-to-date security software and patches, making their network devices susceptible to malware infections.
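Item 2 above, poorly configured mail authentication, is one of the easiest weaknesses for an organisation to check itself: the SPF and DMARC records it publishes in DNS are public. The linter below is an added example, not KHIPU's code or service. It takes the TXT record strings as input (constructed inline here rather than looked up in DNS) and flags the settings that leave a domain easy to spoof, alongside a corrected pair for the same fictitious domain; the example.com address and the 192.0.2.0/24 documentation range are placeholders.

```python
"""SPF/DMARC record linter (added example; the records below are constructed)."""
import re

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lint_spf(record):
    """Return a list of weaknesses in an SPF TXT record (None means no record published)."""
    if record is None:
        return ["no SPF record: receivers cannot tell authorised senders from forgers"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1, so receivers ignore it"]
    findings, lookups, all_index = [], 0, None
    for i, term in enumerate(terms[1:], start=1):
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("'ptr' is deprecated by RFC 7208; list sending hosts explicitly")
        if name == "all":
            all_index = i
            if qualifier == "+":
                findings.append("'+all' authorises every host on the internet to send as you")
            elif qualifier == "?":
                findings.append("'?all' is neutral and gives receivers nothing to reject on")
            elif qualifier == "~":
                findings.append("'~all' is softfail: it asks receivers to accept but mark, not reject")
    if all_index is None:
        findings.append("no 'all' mechanism: unlisted senders default to neutral")
    elif all_index != len(terms) - 1:
        findings.append("terms after 'all' are never evaluated")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def lint_dmarc(record):
    """Return a list of weaknesses in a DMARC TXT record (None means no record published)."""
    if record is None:
        return ["no DMARC record: SPF/DKIM failures carry no policy and no reporting"]
    tags = {}
    for chunk in record.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1, so receivers ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy in ("", "none"):
        findings.append("p=none (or missing) only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam; move to p=reject once reports are clean")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports of who is spoofing you")
    return findings


def assess(spf, dmarc):
    """Combine both linters into one report."""
    return {"spf": lint_spf(spf), "dmarc": lint_dmarc(dmarc)}


# Constructed records: a weak pair and the corrected pair for the same fictitious domain.
WEAK = {"spf": "v=spf1 include:_spf.example-mail.net ~all",
        "dmarc": "v=DMARC1; p=none; pct=50"}
CORRECTED = {"spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.example-mail.net -all",
             "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"}
```

`assess(**WEAK)` lists the softfail SPF and three DMARC problems (monitor-only policy, partial enforcement, no reporting address); `assess(**CORRECTED)` returns empty lists for both. Note that p=none is the right starting point while an organisation inventories its legitimate senders from the aggregate reports; the weakness is staying there.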

So, you’ve completed a simulated phishing campaign – what’s next?

While simulated phishing campaigns are effective in identifying weaknesses, they merely represent the beginning of the journey. Armed with these findings, organisations can implement measures to enhance their cyber security posture. This can be achieved through best practices in cyber security solutions and services offered by experts in the field.

Phishing remains a persistent threat in our digitally connected world. Recognising the signs, staying informed and investing in security measures are crucial steps for individuals and organisations to safeguard themselves from the ever-evolving tactics of cyber criminals.

Find out more at