Go Phish

How To | Phishing

Phish Like the Pros

ByScottie Cole May 7, 2021July 27, 2025

Ever wonder if hackers sit around talking about phishing expeditions and the “big one” that got away? The big one, of course, being a huge cache of sensitive data.

According to research from Proofpoint, those conversations probably don’t happen nearly as often as they should. That’s because 75% of organizations around the world experienced a phishing attack in 2020, and nearly 75% of attacks aimed at US businesses were successful. Sadly, not many actually get away.

What makes this stat even more concerning is the same report found that 95% of organizations claim to deliver phishing awareness training to their employees. That tells me the training isn’t being validated with the type of rigorous testing it takes to make sure it’s working.

To make sure we’re all clear on terminology, phishing is the practice of sending emails pretending to be from reputable companies or people in order to entice an individual to reveal information such as passwords or sensitive data. Verizon’s 2020 Data Breach Investigations Report found that phishing was the second-leading threat action behind security incidents and the top activity that led to data breaches.

As a lead penetration tester at Raxis, I work with our clients to figure out what type of test they need, and then I customize a phishing attack designed to trick their employees and even their spam and virus filters, depending on the scope. Just like the blackhats, I’ll use any trick I can to get employees to give me their credentials or click on a malicious link. Unlike my unethical counterparts, however, all my phishing is catch-and-release.

In today’s video, I share some of my favorite tips and tricks for phishing assessments. The reason I’m happy to show you how is because, the more realistic the testing, the better prepared companies are when the bad guys come calling.

Phishing attacks are a significant threat to all organizations, no matter the size. It is important that members in your organization are up to date on security training, know how to spot the most common phishing scams, and understand the safeguards in place to help protect them and the company.

Raxis offers a variety of cybersecurity services, such as penetration testing, red team assessments, and other ethical hacking solutions, to help companies take a proactive approach to improve their security posture.

How To | Red Team | Social Engineering

PSE & Red Team Series: The Power of Grip to Enhance the Under-Door Tool
ByBrad Herring August 12, 2025May 29, 2025

In this next post in our PSE and Red Team Series, Brad Herring explains how to use gaffer’s tape or heat-shrink tubing to make an under-door tool easier to use.

Read More PSE & Red Team Series: The Power of Grip to Enhance the Under-Door Tool
How To | Penetration Testing

Reporting Tools for Large Penetration Tests
ByRaxis Research Team February 11, 2022

Raxis lead penetration tester Matt Dunn has developed three new tools to make it easier to compile and present findings from large penetration tests.

Read More Reporting Tools for Large Penetration Tests
Security Recommendations

Why Companies Shouldn’t Overlook Mobile Application Testing
ByBrian Tant February 9, 2021June 2, 2025

Penetration tests are as important for mobile applications as they are for their web app counterparts. Here’s why.

Read More Why Companies Shouldn’t Overlook Mobile Application Testing
Security Recommendations | Tips For Everyone

Three Questions to Ask Before Connecting a Device to the Internet
ByScottie Cole March 26, 2021July 28, 2025

Should you connect your latest device to the Internet? Lead Penetration Tester Scottie Cole recommends asking yourself some questions before you do.

Read More Three Questions to Ask Before Connecting a Device to the Internet
How To | Security Recommendations

New Metasploit Module for Penetration Testing: Azure AD Login Scanner
ByRaxis Research Team November 23, 2021June 16, 2025

Raxis’ Matt Dunn has published another Metasploit module, this one describing a vulnerability in Azure’s Active Directory Seamless Single Sign-on. Learn more here.

Read More New Metasploit Module for Penetration Testing: Azure AD Login Scanner
Security Recommendations

Understanding Vulnerability Management
ByBrian Tant January 14, 2021June 6, 2025

One of our most common findings in Raxis penetration tests is the lack of an effective vulnerability management system. Here’s why that’s important.

Read More Understanding Vulnerability Management