The Exploit

Notes from the Front Lines of Penetration Testing

Phish Like the Pros

Phish Like the Pros

Written by

Ever wonder if hackers sit around talking about phishing expeditions and the “big one” that got away? The big one, of course, being a huge cache of sensitive data.

According to research from Proofpoint, those conversations probably don’t happen nearly as often as they should. That’s because 75% of organizations around the world experienced a phishing attack in 2020, and nearly 75% of attacks aimed at US businesses were successful. Sadly, not many actually get away.

What makes this stat even more concerning is the same report found that 95% of organizations claim to deliver phishing awareness training to their employees. That tells me the training isn’t being validated with the type of rigorous testing it takes to make sure it’s working.

To make sure we’re all clear on terminology, phishing is the practice of sending emails pretending to be from reputable companies or people in order to entice an individual to reveal information such as passwords or sensitive data. Verizon’s 2020 Data Breach Investigations Report found that phishing was the second-leading threat action behind security incidents and the top activity that led to data breaches.

As a lead penetration tester at Raxis, I work with our clients to figure out what type of test they need, and then I customize a phishing attack designed to trick their employees and even their spam and virus filters, depending on the scope. Just like the blackhats, I’ll use any trick I can to get employees to give me their credentials or click on a malicious link. Unlike my unethical counterparts, however, all my phishing is catch-and-release.

In today’s video, I share some of my favorite tips and tricks for phishing assessments. The reason I’m happy to show you how is because, the more realistic the testing, the better prepared companies are when the bad guys come calling.

Phishing attacks are a significant threat to all organizations, no matter the size. It is important that members in your organization are up to date on security training, know how to spot the most common phishing scams, and understand the safeguards in place to help protect them and the company.

Raxis offers a variety of cybersecurity services, such as penetration testing, red team assessments, and other ethical hacking solutions, to help companies take a proactive approach to improve their security posture. 


Scottie Cole

Posted on

Categories: ,

Also by Scottie Cole

Human Vs AI Pentesting

While AI tools offer speed in detecting known vulnerabilities, they fall short with 20-35% false positives and only 50-65% success on complex threats like business logic flaws, as per mainstream reports from Verizon and OWASP. Human penetration testers at Raxis deliver 85-90% detection rates, precise prioritization, and ethical adaptability, ensuring your organization stays ahead of real-world attacks.

Partner With Raxis

Partnering with Raxis empowers your business with elite penetration testing services, competitive reseller pricing, and recurring revenue opportunities, all backed by a proven track record of excellence and a commitment to staying ahead of evolving cybersecurity threats.

Penetration Testing

Tailored, expert-led penetration testing services that uncovers hidden vulnerabilities using real-world hacker techniques, providing actionable insights to strengthen your defenses and protect against sophisticated cyber threats.

Ready to See Raxis One In Action?

See how we transform traditional pen testing into interactive security intelligence that keeps you informed every step of the way. From real-time attack progression to detailed remediation guidance, Raxis One gives you unprecedented visibility into your security posture as it’s being tested.