Phishing attacks are a major problem for organizations, as most data breaches start with a phishing email. Attackers use sophisticated social engineering techniques to target individuals through email, websites, USB drives, phone calls, and social media. When users fall for these attacks by clicking links or opening attachments, their devices become compromised and allow attackers to access organizational networks and steal confidential data. To protect against phishing, organizations must implement security awareness training for employees and multilayered technical defenses.

1. White Paper
Combating Phishing Attacks
How to Design an Effective Program to Protect Your Organization
Against Social Engineering

2. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Most of today’s data breaches start with a phishing email, giving company-confidential data to malicious outsiders. This is a
real problem that companies need to address.
Phishing attacks are the most frequently used form of social engineering. They work because they take advantage of cognitive
biases, or how people make decisions. These techniques prey on human emotion by appealing to greed, curiosity, anxiety or
trust.
Phishing means that attackers are fishing for your private information. Attackers attempt to acquire information such as
usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
Many times this is done to steal a victim’s login credentials and other confidential information. Phishing continues to grow
and become more widespread with attacks up 37% year over year, and 1 in every 300 emails on the web containing elements
pointing to phishing.1
So, how can you combat phishing attacks and protect your company and its employees? This paper will discuss the problem
of social engineering and phishing along with its consequences, and will outline approaches for solutions to safeguard your
organization.
Defining the Problem: Breaches Often Start With Phishing
To demonstrate the seriousness of the problem, we will briefly present three examples of phishing and the damage they can
cause within an organization. These examples range from politically-motivated to financially-motivated to healthcare data
attacks.
The New York Times, The Wall Street Journal, The Washington Post, Twitter and Apple were all attacked in early 2013 in
what is seen as a wide-spread, potentially connected attack on high-value targets.2
In the case of The New York Times, the
attackers stole the corporate passwords for every Times employee and used them to gain access to the personal computers of
53 employees. The attack is believed to be politically-motivated retaliation for a Times investigation on China’s prime minister,
Wen Jiabao. Although China’s Ministry of National Defense denies the attacks, it appears to be part of a computer espionage
campaign against American media that have reported on Chinese leaders and corporations.3
Although these are all high-profile
organizations with sophisticated defenses in place, it appears that attackers may have used a targeted spearphishing attack to
breach the Times, exploiting human vulnerabilities to click on a link that led to a malicious website.
Many times cyberattacks are financially motivated. Attackers try to get customers’ credit card information, and if they are
successful, it results in a breach of trust with the company that was attacked, as well as substantial costs of dealing with a
breach. Barnes & Noble, the world’s largest bookseller, had credit card information stolen at 63 stores across the U.S.; this
information was then used to make unauthorized purchases. In this case, a malware (or malicious software) attack targeted
the keypad devices in stores. Security experts believe a company insider could have inserted malicious code, or criminals could
have persuaded an unsuspecting employee to click on a malicious link that installed the malware, giving the perpetrators a
foothold into Barnes & Noble’s point-of-sale systems.4
Healthcare data breaches have also been in the news recently. According to security expert Larry Ponemon, president of the
Ponemon Institute, stolen healthcare records can be much more valuable that financial records because they can be used
for financial ID theft crimes, medical ID theft or both, With medical records providing physical characteristic information,
attackers can create false passports and visas.5
Over the past three years, about 21 million patients have had their medical
records exposed in data security breaches that were big enough to require they be reported to the federal government. (As
required by section 13402(e)(4) of the HITECH Act, breaches affecting 500 people or more need to be reported, if the data was
not encrypted.) At present, physical theft – such as a stolen laptop from a car – made up 54% of the breaches, while hacking
made up about 6% of the compromised data.6
And, although phishing attacks have not been the cause of the most significant
data breaches to date, the healthcare industry is acutely aware of the threat and trying to protect against it.

3. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Consequences of Phishing
Phishing attacks can result in compromised client systems. Here are some different consequences of phishing that can impact
your network:
• Browser exploitation - Browsers and their plug-ins contain vulnerabilities that can be exploited simply by visiting
a malicious website. An attacker can send an email with a link, which brings the user to a malicious website (which
is often designed to look like a legitimate site.) Just by visiting that site the user’s browser and machine would be
compromised and the attacker would have full access to the user’s computer. In addition, a completely legitimate
website can be attacked to become malicious. So a user could be browsing a legitimate website that’s been attacked
on the back end and injected with malicious code, which then exploits their browser.
• File format exploitation – Opening a malicious email attachment is another way to trick users. Attachments are
typically PDFs or Office files because those applications are widely distributed and widely used across platforms, and
the chance that the recipient can read that kind of file is higher. Once the malicious attachment is opened it exploits
vulnerabilities in a given application.
• Executable exploitation – This exploit uses another form of email attachment, an executable file (ending in .exe)
that runs when the user clicks on it. It is programmed to operate without needing a vulnerability in the program.
Although .exe files are quite often blocked by email security features, there are other types of executables. For
example, JAR (Java Archive) files end in .jar, rather than .exe, but they can still execute a malicious file when you
double click on them.
How do attackers gain your passwords or other credentials? Here is an overview of some of the methods used:
• Phishing form - This attack starts with a phishing email that includes a link to a website. When the user clicks on that
link, it doesn’t start to exploit your browser but it just pretends to be a familiar website, such as the LinkedIn log
in page or Outlook Web Access. When the user types in their user name and password, it captures that information
and records it, and then typically forwards you to the real site and logs you in. But, in the meantime, it’s taking your
information and storing it to further access your system in the future.
The next two are a little bit different. These require that the user’s computer is already compromised, for example by one of
the methods described above, and then they are used to gain additional information.
• Passwords and password hashes - In that case, the attacker can copy cached passwords from your machine.
Passwords are usually stored in the form of password hashes for security reasons. However, once a password hash has
been compromised, attackers can either use cracking to obtain the password in the clear or use the password hash
itself in a so-called pass-the-hash attack to gain access to network resources. If an administrator ever logged onto
the user’s machine, their credentials are cached on that machine. The attacker could reuse those administrator
credentials to access and start exploiting other machines on the network.
• Key logging – Once an attacker has access to a user’s machine they can also install what’s called a key logger,
which records every key that they press on the keyboard. This would allow the attacker to capture a user name and
password when a user types it, and would also capture the text of an email or a document being typed and send it
back to the attacker.

4. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
As a result of compromised credentials, the attacker can gain access to the local file system, file servers, email, the Customer
Relationship Management (CRM) system to access customer information, the Enterprise Resource Planning (ERP) system to
access corporate financial information, credit card data, healthcare information, and other Personally Identifiable Information
(PII) such as Social Security Numbers. So, even if one person in an organization is a victim of a phishing attack, there are major
implications for the entire organization and its data.
The problems worsen with pivoting to other machines, where a compromised system is used to attack other systems on the
same network in multi-layered attacks, bypassing the perimeter defenses. So, even if the user who was hacked does not have
access to the ERP system, for example, the attacker now scan the entire internal network through the first user’s machine and
see what other machines are out there and the vulnerabilities that exist.
Limiting user privileges does not always protect companies from compromise either. Attackers often use privilege escalation,
exploiting a bug in an operating system or software application, to gain administrator-level privileges.
So, how do social engineering and phishing attacks happen?
Email Phishing Techniques
There are an estimated 8 million daily phishing attempts – close to 3 billion a year.7
The majority of phishing attacks come
through email, where the user is either instructed to click on a link or open an attachment. This leads them to a malicious
website or directly launches an attack on their computer. However, as email systems continue to get better and better at
filtering out spam, attackers are getting more sophisticated with their types of attacks to avoid detection and gain a bigger
payout.
Within the realm of phishing emails, there are several different techniques, each with an increasing level of sophistication.
Mass phishing is the most common phishing technique, sent out to an indiscriminate list of people, including both company
employees and consumers. This technique uses a “hook” that is applicable to many people with the goal of getting anybody
to click on it. An example would be emails concerning PayPal, since a huge amount of people have PayPal accounts. Emails
disguised to look like they are coming from PayPal could warn you that your account has been closed or there was a problem
with a payment. With such a broad audience, the attackers have a good chance of reaching somebody with a PayPal account
who falls for the scam and clicks on the link.
Statistics show that for 1 million targeted users in a mass phishing attack, anti-spam engines will correctly identify and block
the vast majority of threat messages. But of the messages that make it past the spam filters, 3% will open the email and 5%
will click through to the link, and then finally be converted, resulting in 8 victims. The average value of the attack per victim is
about $2,000.8
Phishing attacks also tend to be more successful when a user checks email via a smart phone. Mobile users are often checking
email quickly and are more likely to click on links and provide login info via their phone. In addition, links to phishing pages
can also be sent via texts in SMS messages. Once the user lands on the phishing page, it may be hard to determine if the URL is
genuine, and in the case of browser exploitation, it may already be too late.
Spearphishing is a more specific, targeted attack that addresses several individuals in a specific company. For example, an
email could look like it is coming from someone you know, perhaps from the personal account of your CEO or a manager at
your company. If the email subject line says “Can you please review this spreadsheet by tomorrow?” and it looks like it is going
to the executive team, many of those executives will click on the link because they want to be responsive and do the right
thing, but it’s actually a phishing email. So, spearphishing emails can be very targeted to a specific company, or more generally
targeted to an industry by offering an industry report or other relevant information.

5. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
With a targeted spearphishing attack, the attacker may target 1,000 users, but of the emails that make it past the spam filter,
the open rate will be about 70%, with a click through and conversion rate of about 50%. The result is 2 victimized users, but the
payout is a lot bigger – with a value of about $80,000 per victim.9
In The New York Times case, investigators suspect a spearphishing attack. With one click attackers can install “remote access
tools” — or RATs. Those tools can siphon off data such as passwords, keystrokes, screen images, documents and, in some
cases, recordings from computers’ microphones and Web cameras, and send the information back to the attackers’ Web
servers. Instead of targeting firewalls, attackers are now targeting individuals. With one click on an email, that individual has
inadvertently opened the network to attack.10
Clone phishing is another technique. With clone phishing, a legitimate and previously delivered email containing an
attachment or link is used to create an almost identical or cloned email. The attachment or link within the email is replaced
with a malicious version and sent from an email address spoofed to look like it is coming from the original sender.
This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine,
by exploiting the trust associated with familiar looking email.
Whaling is the most sophisticated and most targeted form of phishing, tailored to a single individual. It is usually directed
at senior executives or other high profile targets. For example, if attackers wanted to compromise the laptop of a CEO, they
could look up that person’s social media accounts and find information about his or her hobbies and interests. Suppose the
targeted CEO likes classic cars and is really into old Jaguars. The attacker could send the CEO an email referencing a friend’s
name (also found through social media), saying that he wants to sell a classic Jaguar because he’s moving back to Europe. The
email sounds like it is from a friend of a friend, and is specific and personal, so the CEO may not think twice before clicking on
a link that claims to have photos of the car. And, thus, the whale – the most highly valued target – is harpooned.
Another interesting point is that you no longer need to be a sophisticated hacker to commit fraud on the Internet. Off-the-shelf
phishing kits are now available and cybercriminals are even migrating to a new business model known as Malware-as-a-Service
(MaaS), where authors of phishing kits offer extra services to customers in addition to the phishing kit itself.”11
Social Engineering Attacks Beyond Phishing Emails
Social engineering can also be used to launch other types of attacks as well. Some are web-based, others are more low-tech,
but they are still quite effective because they take advantage of human nature.
Drive-by attacks exploit vulnerabilities in web browsers or plug-ins. Often they use a popular topic, such as celebrity gossip,
and optimize a malicious website to rank highly in search engines for that news. When the user finds the site and clicks on it,
their machine gets compromised. This is an untargeted attack, but when it compromises employees, it can still put company
data at risk.
USB drives can be used by attackers to gain access into a network. The same file format exploit or executable exploit that is
put into an email by an attacker can also put on a USB thumb drive or a CD ROM. A tactic would be to give the file an enticing
name, such as “management salaries” or “layoff list” and then perhaps attach the USB drive to a couple of keys and drop it
in the parking lot outside the company that the attackers want to intrude. Then, if an employee walks by and sees it, they
would naturally pick this up. People want to be good citizens, return the key and the USB drive. To find the owner’s identity,
they may plug the USB drive into their computer. When they see the enticing content, they double click on it, infecting their
machine and opening up the corporate network to attackers.
Physical or in-person attacks rely on someone walking into a building, under a false pretense such as a package delivery, to
get access to the building. They can also use a “tailgating” strategy to follow an authorized person into an off-limits area. Once
they have physical access, they can plug a little device into the network to compromise it by phoning home to an attacker’s
server.

6. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Phone calls are another way that an attacker may trick users into handing over their credentials. They may use a ruse such as:
“I’m Bob from the IT department; I’m seeing on our systems that your computer has been a little slow lately. Do you have time
to sort that out right now?” They then walk you through a few steps, maybe they’ll send you to a malicious website, or maybe
they will ask you to give them your credentials. Since the user believes it’s a helpful person from the IT department, many fall
for this scam.
QR codes, the square 2D barcodes, are being used in marketing campaigns and could also be used as an attack vector as well.
When scanned with a smartphone, the QR code sends the user to a website which could be malicious.
Social media including Facebook, LinkedIn, Twitter and other social media sites, can be used to send posts, updates, tweets
or direct messages with URLs. When the link is clicked on, again victims are sent to malicious sites and their computers are
compromised. With Facebook, user’s accounts can be attacked and then configured to send messages to their friends, which
may entice people to click on something they normally wouldn’t.
Typical Steps of a Phishing Attack
In most phishing attacks, the user opens an email, and then clicks on a link in that email. This results in the user’s browser
getting exploited. Maybe there is also a form on the web page that captures the users credentials as they are typed in.
Alternately, the user could open an email attachment and their machine gets compromised that way.
Links as bait in a phishing attack
Email attachments as bait in a phishing attack

7. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Solution Approaches
There are essentially two major ways to defend against social engineering scams, in order to protect your company and
its employees. One is training your users, and the other is technical security controls. At Rapid7, we believe you have to
implement a combination of both user training and technical controls to be successful. Relying on just one approach or the
other will probably not decrease your risk to an acceptable level.
Nearly 60% of employees receive phishing emails every day, so clearly technical controls are failing to stop many of these
messages as they pass through the system. Often, the technical controls are working, but spearphishers continue to change
their tactics to cope with the ever-improving technologies. Therefore, the user can be both the weakest point and the
strongest resource in the defense of corporate networks.12
With the proper user training, you can turn the weak link into a
protector of your organization.
Security Awareness Training
Security awareness training helps you educate your employees to stop risky activities such as clicking on a link in a
questionable email, opening an attachment they are not expecting, or submitting something on a bogus forum.
Here are 15 good defenses to teach your company’s employees13
:
1. Don’t trust links in an email
2. Never give out personal information upon email request
3. Look carefully at the web address; it could be a close approximation of the real URL
4. Type the real website address into a web browser
5. Don’t call company phone numbers listed in emails or instant messages; check a reliable source such as a phone book
or credit card statement
6. Don’t open unexpected attachments or instant message download links
7. Be suspicious if emails says “do X or something bad will happen”
8. Be suspicious of any email with urgent requests for personal financial information
9. If the email sounds too good to be true, it probably is
10. Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your
web browser; look for the https:// and/or the security lock icon
11. Regularly log into your online accounts and check your bank, credit and debit card statements to ensure that all
transactions are legitimate
12. Use a reputable anti-virus program
13. Enable two-factor authentication whenever possible. This combines something the user knows (such as a password or
PIN) with something the user has (such as a smart card or token) or even something the user is (such as a biometric
characteristic like a fingerprint).

8. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
14. Keep your operating system updated, ensure that your browser is up to date and security patches are applied
15. Always report “phishing” or “spoofed” e-mails to your IT department
Once you’ve decided to implement security awareness training in your workplace, you can decide to conduct your training
in live classroom sessions at your workplace, or via an online program. There are some good free online training programs
available, including:
• University of California, Santa Cruz Information Security Awareness training (1 hour or less online)
• The Department of Defense Phishing Awareness
• OnGuardOnline.gov, Phishing (see Phishing Scams game on the right side of the web page)
It’s important to emphasize this information when it is most needed. Use “teachable moments” to really make a point. For
example, Rapid7 lets you safely simulate attacks on your network to uncover pressing security issues. If you send somebody a
simulated phishing email and they click through, that’s the perfect time to teach them about phishing, because they’ve just
done something that could put both their company and their own personal information at risk. What they’ve learned not only
protects your organization, but it also protects that individual against identity theft and financial loss when they are using their
own personal devices.
Through this kind of security awareness training, you turn each one of your employees into security sensors in your
organization. So, there are actually people who can now spot a phishing campaign and can alert security so that they can
react. This type of threat might have otherwise have flown under the radar of security.
Technical Security Controls
Of course, training needs to be coupled with technical security controls. These technical controls will prevent or block many of
the threats so that they never reach your users. We’ll take a look at some of the different types of controls and how they work.
Vulnerability management is your number one defense against attackers. It identifies existing vulnerabilities in software
programs, browsers and plug-ins and helps shield your organization from potential damage, as well as mitigate vulnerabilities
through patching, changing configurations or making application updates to remove vulnerable code. Programs like Microsoft
Office and Adobe Reader are the typical applications that get exploited through phishing, so it is important to stay on top of
any vulnerabilities associated with these programs. You also need to make sure your vulnerability management program is
maintained and monitored over time. The keys to vulnerability management are to get visibility on client-side vulnerabilities,
focus on solutions that highlight vulnerabilities exploited by malware kits, as well as validate and prioritize vulnerabilities to
identify high-risk issues that must be fixed immediately.
Patch management is used to fix vulnerabilities based on input from vulnerability management. Some fixes are implemented
through patching and some are through changing configurations. Software updates and security updates need to be done in a
timely manner to keep up with patching vulnerabilities.
Malicious URL and attachment blocking can be done with web filters and SPAM filters. Microsoft Outlook has incorporated
a good filter that will put emails into the junk folder if they contain a suspicious link – for example, a link that doesn’t have
a domain name but only an IP address. Outlook will automatically put that email into the junk folder or it won’t let you click
on the link until you confirm that it’s okay. (Of course, you need to train employees that these emails have been placed in the
junk folder for a reason!) There are also web filters that you install at the Internet gateway of your company that will block
malicious URLs.

9. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Intrusion Prevention System (IPS) is another form of defense. If, for some reason, a user does click on a suspicious link, and a
website is serving up a browser exploit, an IPS can detect that and block web-based exploitation.
Data Loss Prevention (DLP) / Egress filtering is a system designed to detect a potential data breach and prevent it by
monitoring, detecting and blocking sensitive data while in use, traveling over the network or in storage. Let’s assume that your
network has been compromised and that somebody’s inside the organization to actually complete the action. They haven’t
reached their goal until they’ve actually downloaded the sensitive information, so, DLP and egress filtering is all about stopping
that sensitive data from getting out of the network.
Disabling Java may be a drastic approach to security but Java has been a huge attack vector for compromising systems via
malicious links in phishing emails. If you are using critical applications running on browser-based Java, or if your users need
Java to get their jobs done, you may want to configure the browser to prompt and ask for permission before launching Java and
educate your users to only allow Java on websites they trust.
Measuring Exposure and Improvements
In order to combat social engineering attacks, you need to know where to start, and then measure the progress you make.
Here are some guidelines to do so.
Get visibility into the problem as the first step in thwarting attacks against your network. If you’re running a program
to reduce your phishing risk, then first of all, you need to know the size of that risk. How do you quantify that? Is your
company currently doing well, or not so well? Where do you stand? Gaining visibility it is like putting a stake in the ground. By
implementing a penetration testing solution you can answer questions such as:
• How are you vulnerable?
• Where you are the most vulnerable?
• Do you know if the security investments you are making are worth it?
• Are you making progress over time?
Social engineering campaigns can be implemented inside your company as a test to measure how many people click on a
phishing email and how many submit fake log in forms. You can also host your own malicious website to see if your browser is
vulnerable and if your security controls are working. Your social engineering campaign will expose user susceptibility to scams
and will also test browser security, web filtering and other security controls.
Conduct a full penetration test from compromised machines to determine how far an attacker would get. You can even
go full scale and hire a penetration testing expert to replicate a real scenario. You can tell this person to try to phish your
employees and see how far they can get. Can you get to the credit card database or not? This is a typical goal that an attacker
would try to attain, because it gives them access to valuable, financial information.
How Rapid7 Can Help
At Rapid7, our simple and innovative software solutions give you visibility into the risk associated with your information
technology, your users and the real threats you face. Our software helps you quickly prioritize threats, manage risk, and take
the right steps to improve your organization’s security.
Specifically, Rapid7 solutions Metasploit and Nexpose are ideal complements to combat social engineering threats. Metasploit
can be used to simulate phishing attacks and to conduct internal penetration tests, and Nexpose can help you scan the network
for client-side vulnerabilities.

10. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Metasploit, our penetration testing solution, lets you to gauge the risk of a data breach. True to the mantra ‘an experiment is
worth a thousand theories’, you can test your defense to see where they fall short – both on the technical and the human side.
Our penetration testing software gives you a clear view as to what vulnerabilities can easily be exploited, which passwords are
too weak, and how many employees fall prey to phishing emails. With Metasploit, you can:
• Manage phishing exposure by simulating phishing attacks.
• Safely simulate attacks on your network to uncover pressing security issues.
• Audit password security.
• Use with Nexpose to assess and validate security risks in your environment.
• Verify your defenses, security controls and mitigation efforts.
Metasploit Pro lets security professionals can gain visibility into their organization’s exposure to phishing attacks through user-
based and technical threat vectors, and introduce the necessary controls to manage the risk.
Many organizations already conduct end-user trainings and implement technical security controls to protect their data, but
it’s hard to know how effective these measures are – or even if you’re focusing on the right things. Metasploit assesses the
effectiveness of these measures, and provides metrics and management for each step in the chain of compromise to help you
reduce your risk.
In addition, Metasploit Pro’s social engineering reports go above and beyond alternative penetration testing solutions by
providing conversion rates, such as how many people clicked through a phishing email, how many entered username and
password on a fake website, and how many systems were compromised. It enables organizations to track and trend the
effectiveness of their security programs and provides advice on how to address risk at each step in the social engineering
funnel.
Nexpose, our vulnerability management software, proactively scans your environment for misconfigurations, vulnerabilities,
and malware and provides guidance for mitigating risks. With Nexpose vulnerability management solutions, you can:
• Know the security risk of your entire IT environment including networks, operating systems, web applications and
databases.
• Expose security threats including vulnerabilities, misconfigurations and malware.
• Prioritize threats and getting specific remediation guidance for each issue.
• Integrate with Metasploit to validate security risk in your environment.
Rapid7 also offers professional services to help with implementation, training for Rapid7 product solutions or outsourced
security risk assessment services such as penetration testing. Our expert pen testers try to find weaknesses in your environment
by performing network, application, wireless or other types of penetration testing. Simulating a real-world attack provides
valuable insight into real-world risks to your organization
And finally, to address the proliferation of mobile devices, Rapid7 offers mobile risk management through Mobilisafe. This
manages your vulnerabilities on mobile devices because a lot of people are now reading emails on mobile devices, and as a
result these mobile devices now have access to your corporate email. Therefore, mobile devices are a new attack vector that
you should take into consideration.

11. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Conclusion
Since 2005, when The Privacy Rights Clearinghouse started tracking its Chronology of Data Breaches, over 607 million records
have been breached in over 3,600 publicly reported breaches. Malicious attacks or malware accounted for more than half
of the records breached.14
How can you make sure that your company is not an easy target? By implementing both security
awareness and technical controls, you can safeguard your company and its employees from the threat of social engineering and
phishing attacks and their consequences.
About Rapid7
Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and penetration
testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable defenders to gain
contextual visibility and manage the risk associated with the IT infrastructure, users and threats relevant to their organization.
Rapid7’s simple and innovative solutions are used by more than 2,250 enterprises and government agencies in more than 65
countries, while the Company’s free products are downloaded more than one million times per year and enhanced by more
than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing
security companies by Inc. Magazine and as a “Top Place to Work” by the Boston Globe. Its products are top rated by Gartner®,
Forrester® and SC Magazine. The Company is backed by Bain Capital Ventures and Technology Crossover Ventures. For more
information about Rapid7, please visit http://www.rapid7.com.

12. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Sources and Endnotes
1. RSA, “The Year in Phishing” January 2012 http://www.rsa.com/solutions/consumer_authentication/intelreport/11635_Online_
Fraud_report_0112.pdf
2. All things D, “Twitter Got Hacked. Expect More Companies to Follow.” By Mike Isaac, February 2, 2013, http://allthingsd.
com/20130202/twitter-got-hacked-expect-more-companies-to-follow/
3. New York Times, “Hackers in China Attacked the Times for the Last 4 Months,” by Nicole Perlroth, January 30, 2013, http://www.
nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all
4. New York Times, “Credit Card Data Breach at Barnes & Noble Stores,” by Michael S Scmitdt and Nicole Perlroth, October 23, 2012,
http://www.nytimes.com/2012/10/24/business/hackers-get-credit-data-at-barnes-noble.html?_r=0
5. Healthcare IT News, “Infographic: Biggest healthcare data breaches of 2012,” by Erin McCann, December 12, 2012, http://www.
healthcareitnews.com/news/infographic-biggest-healthcare-data-breaches-2012
6. Computerworld, “Wall of Shame exposes 21M medical record breaches,” by Lucas Mearian, August 7, 2012, http://www.
computerworld.com/s/article/9230028/_Wall_of_Shame_exposes_21M_medical_record_breaches
7. Scambusters.org, “Phishing Update: Key Trends and Warning Signs,” February 6, 2013, http://www.scambusters.org/phishing2013.
html
8. Cisco, “Email Attacks: This Time It’s Personal,” June 2011, http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/
ps10339/ps10354/targeted_attacks.pdf
9. Cisco, “Email Attacks: This Time It’s Personal,” June 2011, http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/
ps10339/ps10354/targeted_attacks.pdf
10. New York Times, “Hackers in China Attacked the Times for the Last 4 Months,” by Nicole Perlroth, January 30, 2013, http://www.
nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all
11. Scambusters.org, “Phishing Update: Key Trends and Warning Signs,” February 6, 2013 http://www.scambusters.org/phishing2013.
html
12. InfoSecurity, “Sixty percent will fall to a phishing attack that might herald an APT,” January 15, 2013, http://www.infosecurity-
magazine.com/view/30220/sixty-percent-will-fall-to-a-phishing-attack-that-might-herald-an-apt/
13. APWG, www.antiphishing.org and http://phish-education.apwg.org/r/en/index.htm
14. The Privacy Rights Clearinghouse, Chronology of Data Breaches, http://www.privacyrights.org/data-breach
Wikipedia was also used as a resource throughout this paper.
Further Reading
• Chris Hadnagy, Social Engineering: The Art of Human Hacking
• Kevin D. Mitnick et al, The Art of Deception: Controlling the Human Element of Security