What is a Phishing Vulnerability Assessment?

Widely cited industry estimates attribute more than 90% of cyber breaches to successful phishing campaigns. These breaches can disrupt networks and systems, degrade the availability of hardware and cause significant reputational damage. Phishing emails are one of the main ways threats enter networks and systems, giving intruders a foothold from which to continue their attack.

With phishing emails and the associated techniques that threat actors use becoming more sophisticated and harder to spot, PGI recommends phishing vulnerability assessments to help you minimise risk and improve your processes.

Why have a Phishing Vulnerability Assessment?

A phishing vulnerability assessment is designed to boost awareness of risk and demonstrate how all employees can help to improve cyber security in the workplace, through better recognition of potential hazards.

  • Identify the risks

    Gain an understanding of your employees' current awareness of phishing and social engineering threats, identify where the gaps are, and find out which areas of the business, if any, need further training.

  • Gain more control over your business

    Businesses can control the technology used in the workplace by conducting due diligence when introducing new hardware and software. It is much harder to apply the same due diligence to employee actions, and risk is heightened by out-of-date software, unsafe online behaviour and interaction with phishing emails.

  • Educate on common threats

    Phishing campaigns can open organisations up to a range of threats, primarily malware: computer viruses, spyware, rootkits, adware, keyloggers, enrolment in botnets and ransomware. Ransomware is a major risk in its own right, with an estimated 300,000 devices infected in the 'WannaCry' attack alone. Although WannaCry itself spread as an SMB worm rather than by email, ransomware is commonly delivered through phishing.

    By educating your workforce you decrease the likelihood of a phishing campaign being successful.

  • Mitigate the risk of a data breach or operational disruption

    Phishing emails can give threat actors access to your networks and systems, enabling them to steal data or conduct other cyber attacks. By educating your workforce about phishing, you strengthen your overall defences, decrease the likelihood of a successful attack and, in turn, protect your organisation's bottom line and reputation.

Ready to get started? Speak to one of our experts.

If you have any questions about our services or would like to learn more about our consultants here at PGI, please get in touch and speak with one of the team: call us on +44 (0)845 600 4403 or email us at sales@pgitl.com


How we conduct Phishing Vulnerability Assessments

At PGI, we use a simulation approach, or 'ethical attack', to carry out a controlled phishing campaign over a duration agreed with the customer.

We use various techniques to uncover risky user behaviour, such as disclosing passwords, user information and other confidential data held by your business. The degree of email authenticity can be tailored, showing your employees just how convincing some phishing attempts can be.

By understanding your organisation's security posture, you can make informed decisions on effective investment in education and technology, improving your organisation's level of security and awareness. This allows you to maximise the return on your cyber security budget and deliver demonstrable impact.

  • Phishing simulation

    Test phishing campaign: PGI will conduct a bespoke test email phishing campaign, tailored to your organisation and based on open source research, our knowledge of your organisation and the latest attacks targeted at your industry.

    Differentiation: The campaign can be carried out over any period of time with multiple emails. The realism of the emails and of the domain names used will vary, replicating the different skill levels of real attackers.

    Training: Staff who fail to identify a phishing email are presented with a short educational message, such as a training video or webpage, to help them recognise and mitigate that type of attack in future.

  • Metrics and follow-up

    Monitoring: PGI will monitor and report on the following metrics throughout the exercise:

    • Opened phishing emails, and potentially malicious links clicked or attachments downloaded.
    • Geographical location of the user opening the email, to identify access from non-typical locations.
    • Out-of-date browsers and plugins, identifying potentially vulnerable users.
    • Users who received phishing emails but have not completed the follow-up training.
    • Reductions in the number of successful phishing emails over the course of the exercise.

    Reporting: At the end of the campaign, PGI's security experts will produce a comprehensive report providing an analysis of your current cyber risk profile.

  • Phishing assessment package options

    Basic campaign

    This package includes:

    • A pre-engagement scoping call: We take the time to understand your organisation's risk profile and appetite so we can recommend an appropriate solution, for example who the emails should target and the type of email to use.
    • Campaign set up: We set up the campaign using existing email templates, landing pages and PGI’s generic phishing domain URL.
    • E-learning: Employees who click a malicious link and/or input their credentials will be provided with an e-learning module to help them identify phishing emails in future.
    • Campaign monitoring and reporting: We monitor the interactions with the campaign as it is happening and then produce a post-campaign report to help you understand the awareness level of your workforce.


    Tailored campaign

    All elements of the Basic campaign, plus:

    • A custom domain: We buy a domain name to use in the campaign.
    • Customisable content: To better simulate a phishing email, our consultants can work with you to customise an existing template to fit the context of your organisation.


    Targeted campaign

    All elements of the Basic campaign, plus:

    • A custom domain: We buy a domain name to use in the campaign.
    • Fully customised content: We work with you to develop content for emails and landing pages that is specific to your organisation, to show the breadth of the social engineering tactics threat actors use.
    • Employee credential audit: When an employee enters their credentials, we can record this so you can compare them against best practice standards or your organisation's internal password policy.
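To make the "Metrics and follow-up" list and the credential audit above concrete, here is an added example (not PGI's tooling, and not code from this page) of how a simulation back end can record opens, clicks and credential submissions per recipient, flag out-of-date browsers and outstanding training, and audit a submitted password against a policy without ever storing the password itself. The campaign secret, the browser version baselines, the common-password list, the recipient addresses and the access-log lines are all constructed for the example; the log format (method, path with a `t=` token, status, quoted user agent) is an assumed simplification of a real landing-page log.

```python
"""Phishing-simulation telemetry: per-recipient tracking tokens, access-log
metrics, browser-version checks and a no-plaintext password policy audit."""
import hashlib
import hmac
import re
from collections import defaultdict

# Assumed values for this example. A real campaign generates its own secret
# and agrees browser baselines, recipients and policy with the customer.
CAMPAIGN_SECRET = b"example-campaign-secret"
MIN_BROWSER = {"Chrome": 110, "Firefox": 110}   # assumed minimum major versions
COMMON_PASSWORDS = {"password", "password1", "welcome1", "summer2024"}


def recipient_token(email: str) -> str:
    """Opaque per-recipient token: an HMAC of the address, so a log line can be
    tied back to a user without putting the address itself in the URL."""
    mac = hmac.new(CAMPAIGN_SECRET, email.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def tracking_url(base: str, email: str) -> str:
    """Link embedded in the simulated phishing email for this recipient."""
    return f"{base}/login?t={recipient_token(email)}"


# Assumed log format: METHOD PATH?t=TOKEN STATUS "USER-AGENT"
LOG_RE = re.compile(r'^(GET|POST) (\S+?)\?t=([0-9a-f]{16}) (\d{3}) "([^"]*)"$')


def parse_events(log_text: str):
    """Yield (token, event, user_agent). Opens come from the tracking pixel,
    clicks from GET /login and credential submissions from POST /login."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        method, path, token, _status, ua = m.groups()
        if path == "/pixel.gif" and method == "GET":
            events.append((token, "open", ua))
        elif path == "/login" and method == "GET":
            events.append((token, "click", ua))
        elif path == "/login" and method == "POST":
            events.append((token, "submit", ua))
    return events


def outdated_browser(ua: str) -> bool:
    """Flag user agents whose major version is below the assumed baseline."""
    for product, baseline in MIN_BROWSER.items():
        m = re.search(rf"{product}/(\d+)", ua)
        if m and int(m.group(1)) < baseline:
            return True
    return False


def campaign_metrics(log_text: str, recipients, trained_tokens=frozenset()) -> dict:
    """Per-campaign counts. Hits whose token is not in the recipient list (for
    example a mail gateway's link scanner) are ignored rather than counted."""
    tokens = {recipient_token(e) for e in recipients}
    by_token = defaultdict(set)
    outdated = set()
    for token, event, ua in parse_events(log_text):
        if token not in tokens:
            continue
        by_token[token].add(event)
        if outdated_browser(ua):
            outdated.add(token)

    def count(event):
        return sum(1 for t in tokens if event in by_token[t])

    clicked = {t for t in tokens if "click" in by_token[t]}
    return {
        "sent": len(tokens),
        "opened": count("open"),
        "clicked": count("click"),
        "submitted": count("submit"),
        "outdated_browser": len(outdated),
        "training_outstanding": len(clicked - set(trained_tokens)),
    }


def audit_password(password: str) -> dict:
    """Record only whether a submitted password meets the assumed policy;
    the plaintext is neither stored nor returned."""
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return {
        "length_ok": len(password) >= 12,
        "classes_ok": classes >= 3,
        "not_common": password.lower() not in COMMON_PASSWORDS,
    }


# Constructed recipients and landing-page access log for the example.
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com"]
_t = {e: recipient_token(e) for e in RECIPIENTS}
SAMPLE_LOG = "\n".join([
    f'GET /pixel.gif?t={_t["alice@example.com"]} 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"',
    f'GET /login?t={_t["alice@example.com"]} 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"',
    f'POST /login?t={_t["alice@example.com"]} 302 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"',
    f'GET /pixel.gif?t={_t["bob@example.com"]} 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/52.0"',
    f'GET /login?t={_t["bob@example.com"]} 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/52.0"',
    f'GET /pixel.gif?t={_t["carol@example.com"]} 200 "Mozilla/5.0 (Macintosh) Safari/605.1"',
    'GET /login?t=0123456789abcdef 200 "link-scanner/1.0"',   # unknown token: ignored
])

if __name__ == "__main__":
    print(campaign_metrics(SAMPLE_LOG, RECIPIENTS, {recipient_token("alice@example.com")}))
    print(audit_password("Password1"))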

Why choose PGI?

  • Tailored assessments. We do not provide an off-the-shelf service, we provide a full spectrum of phishing vulnerability assessments, including end-to-end support. 
  • We understand wider digital risk. We don’t just focus on phishing, we have experience helping clients understand and mitigate all forms of digital risk, so we can help you take a holistic approach to managing them. 
  • Practical and affordable. Our solutions are affordable because they are proportionate and focused to our clients needs, not a blanket approach. 
  • A flexible approach. We know the cyber threat is constantly evolving so our team work to your needs and business requirements.

Want to find out more?