Frequently Asked Questions.

Measure and manage Advanced Persistent Threats to the enterprise human firewall with automation, power and ease.

What is phishing?

Phishing is "a way of attempting to acquire information ... by masquerading as a trustworthy entity in an electronic communication."

Spear-phishing is a related term used to describe phishing that targets specific organizations. These targeted attacks attempt to gain unauthorized access to specific critical information.

Why is it a problem?

Phishing scams are real threats that result in various types of losses.

  • Financial Loss. Various sources place the annual economic costs of phishing at over $3B.
  • Reputation Damage. There are several high-profile instances where trustworthy enterprises experienced reputation damage due to phishing.
  • Technical Breaches. Phishing attacks are often used to gain unauthorized access to systems. It is often easier to simply trick someone into sharing a password than to directly hack the technical controls.
  • Strategic Harm. It is hard to estimate the strategic harm if a phishing attack leads to disclosure of strategic information.
  • Compliance Failure. Given the regulatory environment, there are many reasons to consider the potential audit findings if phishing attacks are not being addressed.

How do enterprises combat the problem?

There are two generally accepted ways to address phishing.

  • Email and Web Filtering. The idea is to prevent untrustworthy messages from being delivered and to limit the exposure to untrustworthy websites. Given the high level of innovation, filtering is a critical layer of security control.
  • Security Awareness Training. The idea is to reduce the chances of unauthorized data disclosure by arming employees with the knowledge to recognize and report phishing attacks. Training is a critical layer of security control that is much more difficult to measure.

Do existing filters work?

After years of white-hat email social engineering engagements, we believe that filters are absolutely critical to have in place.

Somehow, year after year, filters and other controls never quite seem to be enough to keep people from directly or indirectly disclosing sensitive information.

  • No approach is 100% effective.
  • No approach provides visibility to the real-world residual risk exposure.
  • No approach provides actionable information to focus multi-layer security mitigation efforts.

Even with exciting new advances in filtering, including Data Loss Prevention (DLP), critical information can still be disclosed.

There is no substitute for having an effective 'human firewall' where your people thwart unauthorized information access requests. In spite of the excellent training and educational materials available, it is typical to train employees and never test how well they resist the temptations of a compelling phishing message.

Does this approach fit my organization?

Many organizations embrace the idea of safely testing the human firewall. It is viewed as a logical and important extension to traditional technical security assessments.

Historically, these tests had to be done with highly-skilled (and expensive) consultants who performed one-time limited email social engineering tests.

PhishLine enables organizations to perform unlimited tests in an automated manner. The system's power to help visualize trends provides deep insights into the people, processes and technology that are most vulnerable.

With power comes responsibility. PhishLine is not a trivial tool to simply "trick" your employees. It is an enterprise-ready, professional solution that can make a real difference in reducing your risk exposure when used in a manner that is appropriate for your organizational culture.

It is best used in concert with mature, relevant and focused enterprise information security programs.

May I submit my own question?

Absolutely! If you want a personal response, you may enter your contact information. If not, we will consider the question for posting in the FAQ.