Assessing the risks. For a secured future. Phishing simulations as a service Private and confidential, 2020



Contents

Get to know phishing 03

Pause before you respond 03

Think Deloitte, think secure 04

Learning management system 04

Customised solutions, customised needs 05

Selecting the right phishing template 05

Our phishing simulation solutions 06

Phishing solutions 06

Mobile application 06


Get to know phishing

Pause before you respond

Our key services

Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by masquerading as a trustworthy organisation.

For example, an attacker may send an email that appears to come from a reputable credit card company or financial institution and requests account information, often claiming there is a problem with the account. When users respond with the requested information, attackers can use it to gain access to their accounts.

Phishing attacks may also appear to come from other types of organisation, such as charities. Attackers often take advantage of current events and particular times of the year, including:

• Natural disasters (e.g., Hurricane Katrina and the Indonesian tsunami)

• Epidemics and health scares (e.g., H1N1)

• Economic concerns (e.g., IRS scams)

• Major political elections

• Holidays

Taking into account current market requirements, Deloitte India offers the following simulation solutions: a set of initiatives aimed at making participants aware of cybersecurity and cyber-risk, reinforcing the basic concepts, and teaching them how to protect themselves from cyber threats.

Email phishing
An attempt to obtain sensitive information such as usernames, passwords and credit card details (and money) by posing as a trustworthy entity in an email. Phishing emails contain malicious links that entice users to click them.

SMShing
A form of fraud that uses mobile phone text messages to lure victims into calling back a fraudulent phone number, visiting a fraudulent website, or downloading malicious content via phone or web.

Voice phishing
Voice phishing, or vishing, is the criminal practice of using social engineering over the telephone system to obtain private personal and financial information from the public for financial reward.

Learning management system
Deloitte intends to create better awareness among its client partners through a series of global security training programmes.


Think Deloitte, think secure

Email phishing, vishing and SMShing simulations

Learning management system


Email phishing

• Entice to click: an email may contain malicious links, with a sense of urgency, to lure users into clicking them.

• Please give me your credentials: phishing attempts may try to extract your sensitive account information.

• To open that attachment or not: emails may contain malicious attachments that can infect your device with a virus.

Voice phishing (vishing)

• IVR response capturing: a voice call may come in the form of an IVR that records your responses and seems legitimate.

• Conference call: vishing may take the form of a conference call in which fake participants share their personal information, leading you to believe the call is genuine.

• Voice response capturing: you may receive a 'legitimate-looking' call asking for your personal or confidential information.

SMS phishing (SMShing)

• Please give me your credentials: you may receive an SMS requesting your credentials on the basis of false information.

• Do me a favour: you may receive an SMS from a known source asking for a favour.

• Entice to click: a message may contain a malicious link, with a sense of urgency, to lure you into clicking it.

Security awareness training (learning management system flow)

• Receives an InfoSec training email

• LMS login: authentication using user ID and password

• E-learning/training: contains specific training material and information

• Complete the quiz: contains training-specific MCQs

• Score: provides the score and the result, "Pass/Fail"

• Download certificate


Customised solutions, customised needs

Phishing simulations as a service

Selecting the right phishing template

Follow the steps given below to select the right phishing template:

• Select the appropriate 'Theme', 'Human Vulnerability' (the one the template would exploit) and 'Difficulty Level'.

• Update the template as required. Review the 'Phishing Indicators' in the pre-defined template that end users would be expected to spot in order to identify the email as phishing.

• Upload details of the target audience and trigger the campaign.

Client details

The client faced an increased risk of being targeted by phishing emails. Deloitte provided continuous support, keeping employees alert by regularly sending them simulated phishing emails.

Value delivered:

• Improved awareness among employees with respect to phishing

• Change in employees' behaviour when faced with a potentially malicious email

This engagement involves continuous support of the information security function, ranging from vulnerability management and third-party risk assessment to IT governance, information security awareness and running phishing campaigns. It is an ongoing engagement in which Deloitte has defined an awareness process based on continual training and regular email updates.

The client engaged Deloitte to perform the following functions:

• Development of an information security awareness programme (including execution of a phishing campaign on an internal PhaaS platform)

• Selection of an identity governance and administration solution

• Selection of an information classification solution

• The activities included defining and creating security policies, procedures, guidelines and standards in line with ISO 27001, and aligning security policies with the relevant DoT requirements, the India IT Act, and other Indian regulations and guidelines.

• Deloitte carried out a gap analysis and review, asset identification and classification, and a risk review, and implemented the ISMS.

• Deloitte assisted in managing the client's IS awareness process: maintaining training records, and creating training manuals and sample campaigns for future use.

Client profiles:

• Large IT service provider

• Leading credit card industry

• Large banking institute

• Large telecom provider

Campaign creation workflow

• Click on 'Create New Campaign'

• Select Theme: Banking • Social Media • Office • Personal • Shopping

• Select 'Human Vulnerability' to be targeted: Greed • Fear • Curiosity • Panic • Opportunity

• Select difficulty level (from 1 to 5):
  1. Easiest to spot, with many mistakes
  2. No spelling mistakes/branding
  3. With branding, but incorrect sender ID
  4. Spoofed sender ID
  5. Spear phishing email

• Update template/'phishing indicators': Suspicious sender email address • Misspellings • Unexpected email/attachment • Grammatical errors • Suspicious URL link • Urgency

• Phishing campaign triggered
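The phishing indicators above are what the end user is expected to spot; the difficulty levels describe how many of them a template leaves visible. The following is an added example, not part of the Deloitte brochure or its platform: a small Python checker that parses a raw email and reports which of the listed indicators it finds. The trusted-domain list, the misspelling list and both sample messages are constructed for the example; the Authentication-Results header used to detect a spoofed sender is the standard header an inbound gateway adds (RFC 8601), which is the only clue left once the From address itself is on the right domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption (not from the brochure): domains the recipient organisation treats as
# legitimate senders and link targets. Everything else counts as "suspicious".
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}

# Constructed, deliberately tiny misspelling list; a real checker would use a dictionary.
MISSPELLINGS = {"acount", "custumer", "unusal", "imediately", "verfy"}

# Phrases that signal the "Urgency" indicator.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "locked", "act now")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")

# Constructed sample 1: a level-1 style template (lookalike sender domain, many mistakes,
# urgency, and a link whose visible text does not match its real target).
SAMPLE_EASY = """\
From: "Examplebank Security" <alerts@examp1ebank-secure.com>
To: employee@example.com
Subject: URGENT: Your acount will be suspended
Content-Type: text/html

<p>Dear Custumer, we detected unusal activity. Verify imediately or your
acount will be locked within 24 hours.</p>
<p><a href="http://198.51.100.23/login">https://www.examplebank.com/login</a></p>
"""

# Constructed sample 2: a level-4 style template (spoofed sender on the trusted domain,
# clean text, a deceptive subdomain link and an unexpected attachment). The only header
# clue is the gateway's Authentication-Results line.
SAMPLE_HARD = """\
From: "Examplebank" <alerts@examplebank.com>
To: employee@example.com
Subject: Your statement is available
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examplebank.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your monthly statement is ready.</p>
<p><a href="https://examplebank.com.statements-portal.net/view">View statement</a></p>
--b1
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"

JVBERi0xLjQK
--b1--
"""


def _is_trusted(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def find_indicators(raw_message):
    """Return {indicator name: evidence} for the indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    found = {}

    # Suspicious sender email address: the From address is not on a trusted domain.
    _, addr = parseaddr(msg.get("From", ""))
    if not _is_trusted(addr.rpartition("@")[2]):
        found["suspicious sender email address"] = addr

    # Spoofed sender ID: the address looks right, but SPF/DKIM/DMARC failed at the gateway.
    auth = msg.get("Authentication-Results", "")
    if any(token in auth.lower() for token in ("spf=fail", "dkim=fail", "dmarc=fail")):
        found["spoofed sender ID"] = auth

    # Walk the MIME tree: collect text bodies and note any attachment.
    bodies = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            found["unexpected attachment"] = part.get_filename() or "(unnamed)"
        elif part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            bodies.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    html = "\n".join(bodies)
    text = (msg.get("Subject", "") + " " + TAG_RE.sub(" ", html)).lower()

    # Misspellings: words from the subject and body that appear in the misspelling list.
    bad = sorted(set(re.findall(r"[a-z]+", text)) & MISSPELLINGS)
    if bad:
        found["misspellings"] = ", ".join(bad)

    # Suspicious URL link: real target off the trusted domains, or visible URL differs from href.
    for href, anchor in LINK_RE.findall(html):
        real_host = urlparse(href).hostname
        shown = TAG_RE.sub("", anchor).strip()
        shown_host = urlparse(shown).hostname if "://" in shown else None
        if not _is_trusted(real_host) or (shown_host and shown_host != real_host):
            found["suspicious URL link"] = f"{shown} -> {href}"
            break

    # Urgency: pressure phrases in the subject or body.
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        found["urgency"] = ", ".join(hits)

    return found


if __name__ == "__main__":
    for name, sample in (("easy", SAMPLE_EASY), ("hard", SAMPLE_HARD)):
        print(name, find_indicators(sample))
```

Run it and the level-1 sample lights up four indicators (sender, misspellings, URL, urgency), while the level-4 sample shows none of the visual cues and is caught only by the authentication failure, the off-domain link host and the unexpected attachment. That gap is the point of the difficulty scale: at level 4 and above, training has to teach users to hover over links and to question unexpected attachments, because the sender field and the wording no longer give the email away. Grammatical errors are not attempted here; they need a language model rather than a word list.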


Our Phishing simulation solutions

Phishing solutions

Mobile application


Deployment models

Cloud-based solution

• Admin designs the phishing campaign and triggers it from the cloud platform

• Phish sent to employees

• Response captured on cloud

• Reports generated are analysed and used for retraining

On-premise solution

• Admin designs the phishing campaign on the on-premise server (VMware, Linux OS)

• Phishing campaign triggered; phish sent to employees

• Response captured on cloud

• Reports generated are analysed and used for retraining

Hybrid solution

• Admin designs the phishing campaign on the on-premise server (VMware, Linux OS)

• Phishing campaign triggered; phish sent to employees

• Response captured on cloud

• Reports generated are analysed and used for retraining

• Clients can log in with authorised credentials and view reports for their live and completed phishing campaigns.

• The application also notifies clients (through push notifications) of live events, such as an employee opening the phishing simulation email, opening the attachment, and/or clicking a phishing link during a live campaign.
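The reports and live events described above (sent, opened, attachment opened, link clicked) are what feeds the "analysed and used for retraining" step in the deployment models. As an added example, not code from the Deloitte platform, here is a Python aggregator over a constructed event log in an assumed one-JSON-object-per-line format with assumed field names (campaign, user, event). It counts unique users per event rather than raw events, so an employee who opens the same email three times is one "opened", and it produces the per-campaign retraining list and the cross-campaign repeat failers that a training programme would target.

```python
import json
from collections import defaultdict

# Constructed sample events (not real client data). One JSON object per line; "event" is
# one of: sent, opened, attachment_opened, clicked, reported. Field names are assumed.
SAMPLE_EVENTS = """\
{"campaign": "banking-L2", "user": "asha", "event": "sent"}
{"campaign": "banking-L2", "user": "bala", "event": "sent"}
{"campaign": "banking-L2", "user": "chen", "event": "sent"}
{"campaign": "banking-L2", "user": "dev", "event": "sent"}
{"campaign": "banking-L2", "user": "asha", "event": "opened"}
{"campaign": "banking-L2", "user": "asha", "event": "opened"}
{"campaign": "banking-L2", "user": "asha", "event": "clicked"}
{"campaign": "banking-L2", "user": "bala", "event": "opened"}
{"campaign": "banking-L2", "user": "bala", "event": "reported"}
{"campaign": "banking-L2", "user": "chen", "event": "opened"}
{"campaign": "banking-L2", "user": "chen", "event": "attachment_opened"}
{"campaign": "office-L4", "user": "asha", "event": "sent"}
{"campaign": "office-L4", "user": "bala", "event": "sent"}
{"campaign": "office-L4", "user": "asha", "event": "opened"}
{"campaign": "office-L4", "user": "asha", "event": "clicked"}
{"campaign": "office-L4", "user": "bala", "event": "opened"}
"""

# Events that count as falling for the simulation (opening the email alone does not).
FAILURE_EVENTS = ("clicked", "attachment_opened")


def campaign_report(event_lines):
    """Aggregate JSON-lines events into per-campaign metrics with unique-user counts."""
    # campaign -> event -> set of users, so repeated actions by one user count once
    per_campaign = defaultdict(lambda: defaultdict(set))
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        per_campaign[rec["campaign"]][rec["event"]].add(rec["user"])

    report = {}
    for campaign, by_event in per_campaign.items():
        sent = by_event.get("sent", set())
        failed = set().union(*(by_event.get(e, set()) for e in FAILURE_EVENTS))
        report[campaign] = {
            "sent": len(sent),
            "opened": len(by_event.get("opened", set())),
            "clicked": len(by_event.get("clicked", set())),
            "attachment_opened": len(by_event.get("attachment_opened", set())),
            "reported": len(by_event.get("reported", set())),
            "failure_rate": round(len(failed) / len(sent), 2) if sent else 0.0,
            "retrain": sorted(failed),  # users to route to the LMS training
        }
    return report


def repeat_failers(report, min_campaigns=2):
    """Users who fell for at least min_campaigns distinct campaigns."""
    counts = defaultdict(int)
    for metrics in report.values():
        for user in metrics["retrain"]:
            counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= min_campaigns)


if __name__ == "__main__":
    rep = campaign_report(SAMPLE_EVENTS)
    for campaign, metrics in rep.items():
        print(campaign, metrics)
    print("repeat failers:", repeat_failers(rep))
```

On the sample, banking-L2 has four recipients, three opens and two failures (one click, one attachment), a 50% failure rate, and a retraining list of two; asha fails both campaigns and is the one repeat failer. Reporting the email as suspicious is tracked separately so that a campaign can also measure the behaviour it wants to encourage, not only the one it wants to reduce.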


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

This material is prepared by Deloitte Touche Tohmatsu India LLP (DTTILLP). This material (including any information contained in it) is intended to provide general information on a particular subject(s) and is not an exhaustive treatment of such subject(s) or a substitute to obtaining professional services or advice. This material may contain information sourced from publicly available information or other third party sources. DTTILLP does not independently verify any such sources and is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such sources. None of DTTILLP, Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this material, rendering any kind of investment, legal or other professional advice or services. You should seek specific advice of the relevant professional(s) for these kind of services. This material or information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser.

No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person or entity by reason of access to, use of or reliance on, this material. By using this material or any information contained in it, the user accepts this entire notice and terms of use.

©2020 Deloitte Touche Tohmatsu India LLP. Member of Deloitte Touche Tohmatsu Limited

Contacts

Rohit Mahajan, President, Risk [email protected]

Shree [email protected]

Gautam [email protected]

Gaurav [email protected]

Ashish [email protected]

Vikas [email protected]