Phishing

Social manipulation


Attackers are always looking for the easiest way into a company's systems – and that route often goes through its employees. Through malicious emails, SMS or other messages, criminals try to trick users into handing over passwords or approving fraudulent logins.

Social engineering is today one of the most common methods for gaining unauthorized access to organizations.


How to reduce the risk?

To reduce the risk, it is not enough to focus only on training. Organizations should combine human, organizational and technical measures.

An important measure is good email filters that stop phishing before it reaches the user. In addition, phishing-resistant authentication (Passkeys / FIDO2) is currently the most robust solution against phishing.

Phishing-resistant authentication replaces passwords and is tied to both the user and the service. This means that even if an employee clicks on a fake link, the login will not work – because the key only works with the real service.
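As an added illustration that is not part of the original page, the following Python simulation shows why a passkey assertion completed on a look-alike site does not verify at the real service: the origin the browser is actually on, and the RP ID hash derived from it, are part of the data the authenticator signs, and the relying party checks both. The HMAC stands in for the authenticator's ECDSA signature; the hostname, secret and challenge values are constructed for the demo.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed demo values. A real FIDO2 credential is a per-service key pair
# whose private key never leaves the authenticator; here a shared secret and
# an HMAC stand in for that key pair and its ECDSA signature.
AUTHENTICATOR_KEY = b"constructed-demo-credential-secret"
RP_ID = "login.example.com"  # relying-party ID the passkey was registered for


def rp_id_from_origin(origin):
    """The browser derives the RP ID from the origin the user is really on."""
    return urlsplit(origin).hostname


def authenticator_sign(origin, challenge):
    """Browser + authenticator: origin and rpIdHash are bound into the signed data."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    rp_id_hash = hashlib.sha256(rp_id_from_origin(origin).encode()).digest()
    auth_data = rp_id_hash + b"\x01"  # simplified authenticatorData: flags = user present
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return client_data, auth_data, signature


def rp_verify(client_data, auth_data, signature, expected_challenge):
    """Relying-party checks from the WebAuthn assertion procedure: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if rp_id_from_origin(cd.get("origin", "")) != RP_ID:
        return False  # browser was on a different (look-alike) origin
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False  # rpIdHash was computed for some other service
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def login_attempt(origin, challenge):
    """User completes the passkey prompt on `origin`; the assertion is presented to the real RP."""
    return rp_verify(*authenticator_sign(origin, challenge), challenge)


if __name__ == "__main__":
    print(login_attempt("https://login.example.com", "c1"))            # True
    print(login_attempt("https://login-example.com.evil.test", "c1"))  # False
```

In practice the protection starts even earlier: a real authenticator will not use a credential at all for an RP ID it was not registered for, so the look-alike site never gets an assertion to relay.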


Recommended measures

Support for phishing-resistant authentication is already available from leading providers such as Microsoft, Google and Apple, making implementation easier.

By combining technical measures with good routines and training, you significantly reduce the attack surface.

To protect the organization, you should:

Implement phishing-resistant authentication.
Ensure a compliant device – a PC, mobile or other device approved by the organization for login.
Ensure regular training in phishing and social engineering.
Conduct simulated phishing exercises.
Establish clear routines for reporting suspicious messages.

What is phishing-resistant authentication?

Phishing-resistant authentication means that login credentials cannot be misused, even if usernames and passwords are compromised.

Do you need help setting up phishing-resistant authentication?

Login requires a physical key or built-in security mechanism

Login cannot be copied

Protects against most modern phishing attacks


Phishing exercise

To measure the level of information security, simulated phishing attacks can be carried out, where realistic emails are sent to employees. Clicks, logins and responses are analyzed to uncover vulnerabilities.

A phishing exercise provides valuable insight into how resilient the organization is – and what you should continue working on to strengthen the security culture.


We offer various forms of phishing exercises

Customized email attack

Customized fake website

Email attack with malware

Collection of login details

Analysis of details from campaigns

Annual cycle with multiple campaigns of varying difficulty

Password verification, where we check whether employee login details appear in leaked credential databases

Anonymous report, or with details if desired

Advice and assistance with security awareness training


Customer experience

Kristiansand Municipality lived through a nightmare when two stolen user accounts were used to send 5 million spam emails across all of Norway. Read about their costly experience and why they chose to conduct a phishing exercise for all employees afterward.