Using versatile scenarios in a phishing test lets you effectively target a broad range of staff with little customization.
For instance, a fake security alert regarding a Google account can target individuals from various departments while remaining coherent. In contrast, a Covid alert scenario asking to verify whether various health measures are implemented in the company is better suited to HR targets than to others.
Generally, it's not advisable to test your entire staff with the same scenario. Testing by groups of employees will allow you to choose more relevant scenarios.
However, scenarios like security alerts allow the use of urgency, curiosity, and fear, and they apply to a large number of employees without distinction.
The same goes for messages from applications requesting access rights for an urgent reason: these applications are often used by many people and do not require a particular context.
Scenarios that impersonate social networks, like a fake LinkedIn connection invitation, also benefit from this versatility. These networks are popular, and impersonating them allows for varying the pretexts as well as the levers of manipulation.
It's important to train your employees to combat the theft of login credentials from platforms like LinkedIn. For a hacker, obtaining social network login credentials can potentially lead to access to numerous other services, for example through the single sign-on (SSO) that these accounts may provide, or simply by testing whether the same passwords are reused on other login pages.
In this video (in French), you will discover:
- Why use versatile scenarios
- Examples of versatile scenarios available on the Arsen platform
- The importance of using security alerts as pretexts in your phishing simulations
- The benefits of pretending to request authorization for an application
- Why hackers impersonate social media identities