Schellman becomes The First ISO 42001 ANAB Accredited Certification Body!

Learn More
866.254.0000
Contact Us
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
Build Your Compliance Roadmap
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Phishing Smarter: Fewer Tech Controls, More Insights Blog Feature
Josh Tomkiel

By: Josh Tomkiel

Print/Save as PDF

Phishing Smarter: Fewer Tech Controls, More Insights

Penetration Testing

Picture this: you've signed up for a social engineering attack as part of your organization's penetration test, specifically an email-based phishing campaign. The penetration testing firm is asking you to allow list their campaign through your mail filters and other technical controls. You have all those advanced protections in place - spam filters, web proxies, next-generation phishing protections - designed to protect your end users from phishing attacks. Yet, when it comes to assessing the very risk these controls are meant to mitigate, should you lower them for the tester specifically for the purpose of the test?

The Crossroads of Security Controls and Phishing

Our team gets asked often about this paradox: Why would we want to disable technical controls during social engineering assessments as part of a penetration test? It seems counterintuitive. After all, these controls are there to protect your organization. However, the goal of a phishing assessment is not to assess the strength of your technical controls; it's to see how well your end users can identify and respond to real-world threats when presented with them.

The Art of Social Engineering

Social engineering attacks rely on human psychology and urgency. They exploit our natural tendency to trust, to be helpful, or simply to click. When a phishing email bypasses your technical controls and lands in the end user's inbox, it presents a critical moment: Will they recognize the danger? Or will they fall for the attacker's pretext?

Lowering Controls for Greater Insight

When you allow a penetration testing firm to bypass your phishing filter, you're not exposing your organization to greater risk. Instead, you're surgically allowing a specific campaign through, ultimately mimicking worst case real-world conditions. You're giving your end users the opportunity to demonstrate their ability to identify and respond to threats in this controlled setting. 

Red Team Assessments vs. Penetration Testing

Understanding the distinction between a red team assessment and penetration testing is important to this discussion. Phishing as part of a penetration test is a collaborative effort where everyone knows what's happening, except for the employees targeted. It's about understanding how your organization would respond to a simulated attack.

On the other hand, Red Team assessments simulate an advanced persistent threat (APT) with an overall goal of testing your technical controls and internal teams, by doing whatever it takes to reach their objective without detection. During a Red Team assessment, it would NOT be expected for you allow an email inbound, as we would have more time to research and circumvent those controls to remain undetected. 

Bonus Tip: Don’t Dumb it Down

Along with push back on lowering security controls, there have been requests to make the phishing email more evident that it is malicious in nature. Some examples would be adding multiple spelling errors or restricting the pretext to only a specific idea.  We're now in the era of Generative AI solutions being freely available.  It takes little effort aside from a well-crafted prompt to generate a polished phishing email. The days of misspellings are a thing of the past. Plus, you’re hiring experienced professionals. Let them to do what they do best and provide you with a high-quality phishing assessment. The best phishing campaigns leave the user unaware that they were even phished in the first place.

Final Takeaway and Next Steps

The next time you consider why a pen tester might ask you to allowlist their phishing campaign or lower other technical controls during an assessment, remember this: it's not about compromising your security; it's about maximizing the value of your test. By allowing social engineering attacks to bypass some initial layers of defense, you ensure that the once the user is involved, the scenarios are as realistic as possible, providing critical insights into how your they would respond in a real-world situation.

Ready to have a phishing assessment performed? Take a moment to complete our short pen test scoping questionaire and we'll be in touch within 24 hours after that.

About Josh Tomkiel

Josh Tomkiel is a Managing Director on Schellman’s Penetration Testing Team based in the Greater Philadelphia area with over a decade of experience within the Information Security field. He has a deep background in all facets of penetration testing and works closely with all of Schellman's service lines to ensure that any penetration testing requirements are met. Having been a penetration tester himself, he knows what it takes to have a successful assessment. Additionally, Josh understands the importance of a positive client experience and takes great care to ensure that expectations are not only met but exceeded.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.