Phish5, a South African software as a service product created by Thinkst, is allowing companies to send phishing emails to their employees to test how prone they are to cyber attacks.
Speaking to HumanIPO Haroon Meer, chief executive officer (CEO) of Thinkst, said his company of less than five people has been using versions of Phish5 internally for approximately six months, which included the process of simplifying it and preparing it for general internet users.
Its availability was only announced at the beginning of this week.
“We have spent years performing complex hacks to penetrate clients, but a huge number of customers are still getting taken to the cleaners through ‘unsophisticated’ [or] ‘boring’ phishing,” Meer said.
“Technically competent people with time on their hands can simulate phishing campaigns to test their own organisations, but the vast majority of people won’t get around to it, until its too late.”
Meer said Phish5 allows people to quickly and easily conduct full campaigns from start to finish in minutes.
To activate it a user can sign onto the system with their email. For example “” can then allow “Bob” to phish the “@company” domain.
The user then enters a list of “victims” on the domain.
“With our web based editor, he then creates the phishing mail he wishes to send. We have several templates he can choose from, for example to mimic a LinkedIn invite, or Facebook invite,” said Meer.
Meer added: “Bob then uses the web based editor to create the web pages the users will see when they click on the link sent to them.”
Once this is done, “Bob” will launch the phishing campaign, then sit back and wait.
The system then tracks and records the actions made by the “victims” or in this case, employees. The actions include who opened the mail, who clicked on the link and who supplied credentials.
“By running these campaigns regularly, Bob is able to tailor training for his staff. Phish5 is largely about detection and education. The administrator running the campaign learns which people in the organisation need more training (or praise) and the victims learn quickly, but without the pain of a real attack,” said Meer.
Meer said the system does not capture actual usernames and passwords, instead recording what action was performed by whom and at what time.
Furthermore, Phish5 features a “consultant” option should a company wish to phish outside of its own domain, which is used by security testing companies verified by Thinkst.
Meer said any email that leads to the request of login information should be avoided.
“The system is super simple, so a user can signup and phish his company, literally in minutes,” concluded Meer.
