I decided to try Duo Security’s phishing test and sent myself a fake phishing email. The mail can be customized and sent to any number of employees:
When I clicked on the link, Google Chrome warned me that the domain was known for phishing:
Of course, a real campaign would probably start with a clean domain, so that warning might not appear. Instead, you’d be presented with a nice logon screen very similar to a Microsoft logon screen. Note that Google is still flagging this at the top of the page. But the HTTPS certificate is valid, so if Google wasn’t flagging it, the HTTPS would be accepted.
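The point above, that a valid certificate only proves you reached the host named in the URL and says nothing about whether that host is the one you meant to reach, can be made concrete with a small hostname check. The following is an added example, not code from this post, from MCB Systems, or from Duo's product; the allowlist of legitimate sign-in hosts, the brand tokens, and every hostname in the sample are assumptions or constructed values for illustration.

```python
"""Added example (not from the original post): classify the hostname of a
sign-in URL independently of whether it uses HTTPS. Allowlist and sample
hostnames are assumptions / constructed values, not real campaign data."""
from urllib.parse import urlsplit

# Assumed allowlist: hosts where this organization's users really sign in.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Brand words that have no business appearing in an unaffiliated hostname.
BRAND_TOKENS = ("microsoft", "office365", "outlook")


def is_allowed_host(host, allowed=LEGIT_LOGIN_HOSTS):
    """True if host is an allowed host or a subdomain of one (label-aware,
    so 'evil-login.live.com.example.test' does not match 'login.live.com')."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def classify_login_host(url):
    """Return one of: 'invalid', 'expected', 'punycode-review', 'lookalike',
    'unknown'. The TLS scheme is deliberately ignored here."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    if is_allowed_host(host):
        return "expected"
    # Internationalized labels are encoded as xn--...; they can render as
    # visually identical characters, so route them to a human for review.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode-review"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def evaluate(url):
    """Report the scheme and the host classification side by side, to show
    that 'https' being True does not move the host out of 'lookalike'."""
    scheme = urlsplit(url).scheme.lower()
    return {"https": scheme == "https", "host_class": classify_login_host(url)}


if __name__ == "__main__":
    # Constructed sample URLs for a training session or gateway rule test.
    samples = [
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://microsoft-login.example.test/signin",      # valid cert, wrong host
        "https://portal.example.test/",
        "https://xn--login-abc.example.test/",
    ]
    for u in samples:
        print(u, "->", evaluate(u))
```

In a mail gateway or user-training context the useful output is the pair: a page can be `https: True` and still `lookalike`, which is exactly the case the post describes once a clean domain is used and no browser warning appears.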
After entering my email address and password, I was advised that I’d been phished:
The back-end dashboard shows how many recipients have opened the email, clicked on a link, or provided credentials:
Ready to try a phishing test at your company? Contact MCB Systems.