Phishing Susceptibility
Phishing Susceptibility in the context of cybersecurity is a quantifiable measure of how vulnerable an individual or an organization is to social engineering attacks delivered via electronic communication, primarily email. It represents the likelihood that users within an organization will fall victim to a phishing attempt by clicking a malicious link, opening a malicious attachment, or surrendering credentials or other sensitive data.
Components of Phishing Susceptibility
Phishing susceptibility is determined by analyzing both the human attack surface and the technical defense posture of the organization's email infrastructure.
Human Behavior Metrics: These metrics are tracked through continuous simulated attacks.
Click-Through Rate: The percentage of users who click a malicious link in a simulated phishing email.
Data Submission Rate: The percentage of users who enter their credentials or other sensitive information on a fraudulent landing page.
Reporting Rate: The percentage of users who correctly report the simulated phishing email to the security team. A low reporting rate indicates high susceptibility.
External Information Exposure: Attackers craft convincing lures using harvested external data.
Credential Exposure: The volume of employee usernames and passwords found in public breach dumps or for sale on the dark web. Exposed credentials increase susceptibility in two ways: they make lures more convincing (for example, an extortion-style email that quotes the victim's real password as "proof"), and where the password is still valid or reused they allow direct Account Takeover (ATO) without any lure at all.
Email Format Guessability: If the organization's email naming convention (e.g., firstname.lastname@company.com) is easily predictable, it increases susceptibility to targeted spear-phishing, because an attacker can turn a list of employee names harvested from public sources into a list of valid addresses without ever touching the organization's systems.
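The address-guessing step described above, as an added example (not ThreatNG's code): given a handful of observed name/address pairs, it infers the naming convention, rates how guessable it is, and shows how the convention turns a list of names into candidate addresses. The observed addresses and names are constructed for the example and use the reserved example.com domain.

```python
"""Infer an organization's e-mail naming convention from observed addresses.

Added example, not ThreatNG's code. Sample names and addresses below are
constructed; example.com is a reserved documentation domain.
"""
import re
from collections import Counter

# Candidate conventions: name -> function(first, last) producing the local part.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first": lambda f, l: f,
}


def _norm(token):
    """Lower-case and strip anything that is not a letter (O'Brien -> obrien)."""
    return re.sub(r"[^a-z]", "", token.lower())


def infer_format(observed):
    """Return (best_format, confidence, counts) for a list of (full_name, email).

    confidence is the share of observed addresses that match the winning
    convention; it is the practical measure of "guessability".
    """
    counts = Counter()
    total = 0
    for name, email in observed:
        parts = name.split()
        if len(parts) < 2 or "@" not in email:
            continue
        first, last = _norm(parts[0]), _norm(parts[-1])
        local = email.split("@", 1)[0].lower()
        total += 1
        for fmt, build in FORMATS.items():
            if build(first, last) == local:
                counts[fmt] += 1
    if total == 0:
        return None, 0.0, counts
    fmt, hits = counts.most_common(1)[0]
    return fmt, hits / total, counts


def guessability(confidence):
    """Coarse rating: a convention matching >=70% of samples is trivially guessable."""
    if confidence >= 0.7:
        return "high"
    if confidence >= 0.4:
        return "medium"
    return "low"


def guess_addresses(names, fmt, domain):
    """Apply an inferred convention to harvested names (the attacker's step)."""
    build = FORMATS[fmt]
    out = []
    for name in names:
        parts = name.split()
        if len(parts) < 2:
            continue
        out.append(f"{build(_norm(parts[0]), _norm(parts[-1]))}@{domain}")
    return out


# Constructed sample: four addresses follow first.last, one is an exception.
OBSERVED = [
    ("Alice Martin", "alice.martin@example.com"),
    ("Bob Lee", "bob.lee@example.com"),
    ("Carol Ng", "carol.ng@example.com"),
    ("Dan O'Brien", "dan.obrien@example.com"),
    ("Eve Stone", "estone@example.com"),
]

if __name__ == "__main__":
    fmt, conf, counts = infer_format(OBSERVED)
    print(f"convention={fmt} confidence={conf:.2f} guessability={guessability(conf)}")
    print(guess_addresses(["Frank Zhou", "Grace Hopper-Li"], fmt, "example.com"))
```

The same inference is what a defender should run against their own public footprint: if a few addresses scraped from press releases or conference pages already reveal the convention with high confidence, every employee name on LinkedIn is effectively a valid spear-phishing target.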
Domain and Brand Defense:
Email Authentication: The absence or misconfiguration of the email authentication protocols SPF, DKIM, and DMARC constitutes a technical vulnerability. Without a DMARC policy of quarantine or reject backed by correct SPF and DKIM records, receiving mail servers have no basis to reject mail that forges the company's domain, so spoofed messages are delivered.
Impersonation Infrastructure: The failure to secure typographical variations of the corporate domain (typosquatting) leaves the organization susceptible to its brand being used to host fraudulent phishing sites.
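A worked check for the Email Authentication point above, added here as an example (not ThreatNG's code): it parses an SPF record and a DMARC record as published in DNS TXT records, flags the weak settings a phishing-focused assessor looks for, and reduces them to a letter grade. The records are passed in as strings so the check runs offline; in practice they would be fetched from the domain apex (SPF) and from _dmarc.<domain> (DMARC). The grading weights are an assumption chosen for the example, not a published standard.

```python
"""Score SPF/DMARC posture for spoofability.

Added example, not ThreatNG's code. Severity weights and grade thresholds are
assumptions made for this example.
"""
import re

# Terms that consume one of the 10 DNS lookups SPF allows (RFC 7208 section 4.6.4).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SEVERITY_POINTS = {"high": 40, "medium": 20, "low": 5}  # assumed weights


def parse_spf(txt):
    """Return {'all': qualifier or None, 'lookups': n} for a v=spf1 record, else None."""
    if not txt or not txt.strip().lower().startswith("v=spf1"):
        return None
    all_qualifier, lookups = None, 0
    for term in txt.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(txt):
    """Return the tag=value pairs of a v=DMARC1 record, else None."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(spf_txt, dmarc_txt):
    """Return (grade, findings); findings is a list of (severity, message)."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append(("high", "SPF: no v=spf1 record; any host may use the domain as envelope sender"))
    else:
        if spf["all"] in (None, "+", "?"):
            findings.append(("high", "SPF: no failing 'all' term; forged senders are not rejected"))
        elif spf["all"] == "~":
            findings.append(("medium", "SPF: '~all' (softfail) only; enforcement depends on DMARC"))
        if spf["lookups"] > 10:
            findings.append(("high", "SPF: more than 10 DNS lookups; receivers return permerror"))

    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append(("high", "DMARC: no record at _dmarc.<domain>; SPF/DKIM results are never enforced"))
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append(("high", "DMARC: p=none is monitor-only; spoofed mail is still delivered"))
        elif policy == "quarantine":
            findings.append(("low", "DMARC: p=quarantine; move to p=reject once reports are clean"))
        elif policy != "reject":
            findings.append(("high", "DMARC: missing or invalid p= tag; receivers ignore the record"))
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(("medium", "DMARC: pct<100 leaves a share of spoofed mail unenforced"))
        if "rua" not in dmarc:
            findings.append(("low", "DMARC: no rua= address; no aggregate reports on abuse"))

    score = 100 - sum(SEVERITY_POINTS[sev] for sev, _ in findings)
    thresholds = (("A", 90), ("B", 80), ("C", 70), ("D", 60), ("F", float("-inf")))
    grade = next(g for g, floor in thresholds if score >= floor)
    return grade, findings


if __name__ == "__main__":
    # Constructed records: a weak domain and a hardened one.
    print(assess("v=spf1 include:_spf.example.net ~all", None))
    print(assess("v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
                 "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
```

Note that SPF alone, even with -all, does not stop header-From spoofing: SPF checks the envelope sender, and only DMARC ties that result (or a DKIM signature) to the domain the user actually sees. That is why a missing DMARC record is weighted as the most serious finding here.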
Consequences and Defense
High phishing susceptibility is a direct precursor to significant security incidents, including Business Email Compromise (BEC) fraud, malware infection, and data breaches. Reducing this susceptibility requires an ongoing, adaptive defense strategy that combines robust technical controls (such as DMARC enforcement) with targeted, continuous security awareness training driven by real-world exposure data.
ThreatNG directly helps mitigate Phishing Susceptibility by addressing the core components of the risk: the technical weaknesses that enable domain spoofing and the human exposures that allow attackers to craft highly successful, targeted phishing lures. By quantifying both factors from an external perspective, ThreatNG enables a proactive, effective defense.
ThreatNG's Role in Phishing Susceptibility Reduction
External Discovery
ThreatNG performs purely external unauthenticated discovery using no connectors, which is essential for mapping the external attack surface that attackers use to stage phishing campaigns.
Example of ThreatNG Helping: The discovery process uncovers Domain Name Permutations and related Web3 Domains. An attacker's initial step in a brand-impersonation phishing campaign is acquiring look-alike domains. Because ThreatNG enumerates these permutations before the attacker acts, the organization can register the available ones defensively and raise takedown requests against the ones already taken, removing the infrastructure an attacker would need to host a convincing phishing site.
External Assessment
ThreatNG's BEC & Phishing Susceptibility Security Rating provides the quantifiable metric for this risk, guiding the defense strategy by prioritizing the technical and human failures that contribute to high susceptibility.
BEC & Phishing Susceptibility Security Rating (A-F): This rating is the primary tool, based on critical findings that enable phishing:
Domain Name Permutations (available and taken):
Example in Detail: ThreatNG discovers a typo-squatting permutation, such as c0mpany.com, that is already registered and configured with a Mail Record. A look-alike domain able to send and receive mail is a strong indicator that a phishing or BEC campaign is being staged (Brand Impersonation), and it confirms the organization's high susceptibility. The poor rating mandates immediate takedown action against the fraudulent domain and blocking of the domain at the mail gateway while the takedown is in progress.
Email Format Guessability:
Example in Detail: ThreatNG's Email Intelligence confirms the organization has high Email Format Guessability (e.g., using first.last@company.com). Since attackers use this predictability, this finding quantifies a specific human-enabled flaw that increases susceptibility to targeted spear-phishing.
Domain Name Record Analysis (including missing DMARC and SPF records):
Example in Detail: ThreatNG finds missing DMARC and SPF records. This quantifies a significant technical susceptibility: with no SPF record and no DMARC policy, receiving mail servers have no basis to reject messages that forge the company's official email address, so spoofed phishing emails pass authentication checks and reach inboxes.
Data Leak Susceptibility Security Rating (A-F): This rating highlights the human factor risk by including Compromised Credentials.
Example in Detail: ThreatNG identifies a batch of employee credentials associated with corporate email addresses. Exposed credentials directly increase phishing susceptibility because an attacker can use the leaked password and associated personal details to craft a highly believable lure, or use the password itself for an Account Takeover (ATO), which is a common end goal of phishing. The poor rating mandates preemptive credential remediation: forcing resets, invalidating sessions, and checking for reuse across other services.
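The Domain Name Permutations finding above (c0mpany.com registered with a mail record) rests on two steps: generating the look-alike candidates, then triaging them by whether they are registered and mail-capable. The following added example (not ThreatNG's code) implements both. It generates the common permutation classes for a domain (character omission, repetition, transposition, homoglyph substitution, TLD swap, keyword hyphenation) and then ranks them using constructed lookup results passed in as a dict, standing in for the WHOIS/DNS queries a real tool would make. The homoglyph table, keyword list and priority scheme are assumptions chosen for the example.

```python
"""Generate and triage typo-squatting permutations of a domain.

Added example, not ThreatNG's code. Homoglyph map, keywords, alternate TLDs
and the priority scheme are assumptions made for this example.
"""

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
ALT_TLDS = ("com", "net", "org", "co")
KEYWORDS = ("login", "secure", "mail")  # common lure prefixes/suffixes


def permutations(domain):
    """Return the set of look-alike domains for 'name.tld' (the input itself excluded)."""
    name, tld = domain.lower().rsplit(".", 1)
    locals_ = set()
    n = len(name)
    for i in range(n):
        if n > 2:
            locals_.add(name[:i] + name[i + 1:])              # omission: compny
        locals_.add(name[:i] + name[i] + name[i:])            # repetition: commpany
        if name[i] in HOMOGLYPHS:
            locals_.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])  # homoglyph: c0mpany
        if i < n - 1:
            locals_.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition: cmopany
    locals_.discard(name)
    out = {f"{p}.{tld}" for p in locals_}
    out |= {f"{name}.{t}" for t in ALT_TLDS if t != tld}      # TLD swap: company.co
    out |= {f"{name}-{kw}.{tld}" for kw in KEYWORDS}          # keyword: company-login.com
    out |= {f"{kw}-{name}.{tld}" for kw in KEYWORDS}
    return out


def triage(domain, lookups):
    """Rank permutations by how far along the phishing staging pipeline they are.

    lookups maps permutation -> {"registered": bool, "mx": bool}; anything
    absent is treated as unregistered. Returns a list of (priority, domain,
    action) sorted with the most urgent first.
    """
    rows = []
    for perm in sorted(permutations(domain)):
        rec = lookups.get(perm, {"registered": False, "mx": False})
        if rec["registered"] and rec["mx"]:
            rows.append((1, perm, "takedown + gateway block: registered look-alike with MX record"))
        elif rec["registered"]:
            rows.append((2, perm, "monitor: registered look-alike, no mail record yet"))
        else:
            rows.append((3, perm, "defensive registration: available"))
    return sorted(rows)


# Constructed lookup results standing in for live WHOIS/DNS answers.
SAMPLE_LOOKUPS = {
    "c0mpany.com": {"registered": True, "mx": True},
    "cornpany.com": {"registered": True, "mx": False},
}

if __name__ == "__main__":
    for priority, perm, action in triage("company.com", SAMPLE_LOOKUPS)[:5]:
        print(priority, perm, action)
```

The ordering encodes the page's own logic: a registered permutation with a mail record can already send lures and receive replies, so it outranks a parked registration, which in turn outranks an available name that only needs a defensive registration. In a live tool the lookups dict would be filled from WHOIS and MX queries, and the output fed to the takedown and mail-gateway blocklist workflows.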
Reporting
ThreatNG's reporting ensures that the failure points contributing to phishing susceptibility are clearly communicated and actioned.
Reporting (Executive, Prioritized): The Executive reports provide a concise view of the BEC & Phishing Susceptibility rating. In contrast, the Prioritized reports ensure that high-risk precursor activities (such as a newly registered fraudulent domain with a mail record) are surfaced with the highest urgency, driving immediate action against the phishing infrastructure.
Continuous Monitoring
Continuous Monitoring of the external attack surface ensures that new phishing threats are detected in real-time, preventing the defense from becoming outdated.
Example of ThreatNG Helping: Continuous monitoring detects a surge in new typosquatting domain registrations directed at the organization's brand. This sudden increase in fraudulent infrastructure flags a rapidly increasing phishing risk that requires immediate action, ensuring the defense is adaptive to emerging threats.
Investigation Modules
ThreatNG's modules provide the specific tools to confirm and neutralize the components of phishing susceptibility.
Domain Intelligence / Domain Name Permutations: This module is essential for identifying the fraudulent infrastructure used in phishing campaigns.
Example in Detail: An analyst uses this module to discover a newly registered Web3 Domain permutation that mimics the brand's name. This precursor intelligence allows the organization to perform Defensive Domain Registration or a takedown request to neutralize a potential phishing vector in an emerging space.
Email Intelligence: This module confirms whether the legitimate company domain has configured necessary email security records, such as DMARC and SPF.
Example in Detail: The analyst uses this module to audit the organization's main domain and confirm the actual state of its DMARC, SPF, and DKIM records, providing the evidence needed to remediate the technical flaw that allows for email spoofing (a key phishing vector).
Social Media Investigation Module: This module proactively addresses the Human Attack Surface susceptibility.
Example in Detail: The LinkedIn Discovery feature identifies employees whose names, roles, and reporting lines are publicly enumerable, which is exactly the population an attacker can target with spear-phishing and executive impersonation. This list helps the organization direct security awareness training and additional mail controls to the most exposed personnel, thereby directly reducing human susceptibility to phishing.
Intelligence Repositories (DarCache)
ThreatNG's repositories provide the raw, external data that confirms the highest-risk phishing precursor activity.
Compromised Credentials (DarCache Rupture): This repository is the source of truth for measuring the volume of employee identities compromised via dark web leaks. A high number of compromised credentials is a direct precursor to an account takeover, which is often the ultimate goal of a phishing attack.
Dark Web (DarCache Dark Web): This monitors for explicit organizational mentions and associated ransomware events.
Example of ThreatNG Helping: ThreatNG discovers chatter on a dark web forum about the sale of an email list to be used in a mass phishing attack targeting the target company's industry, providing early warning of the impending campaign.
Complementary Solutions
ThreatNG's phishing susceptibility intelligence can be integrated with other platforms to automate remediation, ensuring rapid risk reduction.
Cooperation with Email Security Solutions: When ThreatNG flags missing DMARC and SPF records, this finding can be sent to a complementary Email Security Solution. This platform can automatically guide the security team through the configuration process to implement the records, effectively closing the technical phishing initial access vector.
Cooperation with Security Awareness Training Platforms: When ThreatNG's Compromised Credentials module detects a surge in leaked employee passwords, this quantified risk can be sent to a complementary Security Awareness Training Platform. This automatically enrolls the affected employees in a targeted course on password hygiene and spear-phishing recognition, using external data to enhance human defense.