<\/p>\n
As part of its mission to protect and raise awareness, Hackmosphere ran a phishing campaign targeting these strategic profiles. The results speak for themselves, underlining the need for increased vigilance in the face of malicious e-mails. <\/p>\n
<\/p>\n
Definition of phishing<\/h3>\n
<\/p>\n
Before diving into the details of the research, it’s important to understand what phishing actually is. Phishing is a technique used by cybercriminals to deceive users and obtain sensitive information such as login credentials, passwords or financial information. Attackers use e-mails to pose as a legitimate entity, such as a bank, company or online service. They then ask victims to divulge their confidential information by clicking on a malicious link or by providing the information directly. Phishing can take many forms, including spear-phishing, which specifically targets an individual or organization, and whaling, which specifically targets a company’s senior management. These techniques are often highly sophisticated and difficult to detect. <\/p>\n
<\/p>\n <\/p>\n <\/p>\n <\/p>\n To guarantee the reliability of our results, Hackmosphere has followed a rigorous, methodical approach.<\/p>\n <\/p>\n Target identification<\/strong><\/p>\n <\/p>\n The campaign targeted two key decision-makers:<\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/ul>\n <\/p>\n Scenario customization<\/strong><\/p>\n <\/p>\n Two distinct scenarios have been developed to specifically address each target:<\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/ul>\n <\/p>\n Creating the infrastructure & sending e-mails<\/strong><\/p>\n <\/p>\n The e-mails were sent via a secure platform and optimized for deliverability. The creation method is a fairly complex process that could require a blog post of its own. We won’t go into detail here, but here’s our approach: <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/ul>\n <\/li>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/ul>\n <\/p>\n Retrieving results<\/strong><\/p>\n <\/p>\n To analyze the results, two metrics were taken into account:<\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/ul>\n <\/p>\n <\/p>\n Example of timeline (time mail received and time clicked by victim) :<\/p>\n <\/p>\n <\/p>\n <\/p>\n Limitations <\/strong>: you might ask why we didn’t go further and ask for confidential information? The reason is simple: having volunteer CEOs and CTOs from a variety of industry backgrounds, it was difficult to find a scenario that would have been applicable to all. So we chose to simplify the campaign. <\/em><\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n The e-mail sent to CEOs simulated a request for a quotation for a tender. It read as follows: <\/p>\n <\/p>\n <\/p>\n <\/p>\n Results :<\/strong><\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/ul>\n <\/p>\n These results show that almost 4 out of 10 CEOs<\/strong> let themselves be tricked by a realistic simulation, highlighting their exposure to social engineering attacks.<\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n The e-mail aimed at CTOs played on their technical expertise and interest in professional events:<\/p>\n <\/p>\n <\/p>\n <\/p>\n Results:<\/strong><\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/ul>\n <\/p>\n Despite a credible, targeted campaign, CTOs were generally more vigilant than CEOs.<\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n 1. The importance of credibility<\/strong><\/p>\n <\/p>\n The e-mail sent to CEOs was more credible, as it was based on a concrete business need (a quote for a service), whereas that sent to CTOs was based on a less tangible promise (to speak at an event). This underlines the importance of adapting attacks to target audiences. <\/p>\n <\/p>\n 2. Anti-spam system performance<\/strong><\/p>\n <\/p>\n The statistics show a significant difference between the spam filters of the different providers:<\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/ul>\n <\/p>\n 3. Mailbox training<\/strong><\/p>\n <\/p>\n The e-mail for CEOs benefited from better training (via warmupinbox), which explains its higher deliverability rate compared to the e-mail for CTOs. This technical detail illustrates the importance of preparation in the success of phishing campaigns. <\/p>\n <\/p>\n <\/p>\n <\/p>\n Although this phishing campaign was designed purely for awareness-raising purposes, the results reveal the immense risk to which companies are exposed when faced with real cybercriminals. In this simulation, the interaction stopped after the victim clicked on the malicious link. However, in a real attack, this click could have redirected victims to a fraudulent site designed to collect sensitive credentials, install malware or exfiltrate critical data. <\/p>\n <\/p>\n Beyond the immediate impact associated with this research, such as identity theft or system compromise, the consequences can extend to strategic levels. Companies may suffer significant financial losses, breaches of sensitive data or serious damage to their reputation. These scenarios underline the urgency of strengthening phishing defenses, as a single human error can open the door to a major cyber attack. <\/p>\n <\/p>\n <\/p>\n <\/p>\n The results of this campaign should encourage companies to step up their protection and awareness measures. Here are some key recommendations: <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/ol>\n <\/p>\n <\/p>\n <\/p>\n This phishing campaign, carried out by Hackmosphere, has highlighted significant vulnerabilities among corporate decision-makers. CEOs, who are particularly exposed, need to redouble their vigilance, while CTOs show greater resistance. <\/p>\n <\/p>\n To protect your digital assets and strengthen your organization’s security, proactive awareness and effective tools are essential.<\/p>\n <\/p>\n <\/p>\n![\"fishing](\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/02\/phishing-1024x680.png\")
<\/figure>\nPhishing campaign approach and methodology<\/h2>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
![\"stages](\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/02\/phishingTimeline.png\")
<\/figure>\nWhat are the results of the phishing campaign?<\/h2>\n
CEOs: a vulnerable target<\/h3>\n
Objet<\/em><\/strong> : Devis pour une prestation<\/em>\nMessage<\/em><\/strong> :\nBonjour,<\/em>\nJe vous contacte car j\u2019ai identifi\u00e9 votre entreprise dans le cadre de ma recherche dans le domaine {{.Position}}. Je suis int\u00e9ress\u00e9 par ce que vous faites et aimerais obtenir un devis.<\/em>\nSi vous souhaitez participer \u00e0 l'appel d'offre, merci de prendre rendez-vous dans mon agenda ici : {{.URL}}<\/em><\/code><\/code><\/pre>\n<\/p>\n
![\"CEO](\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/02\/resultatCampagne1.png\")
<\/figure>\nCTOs: greater vigilance<\/h3>\n
Objet<\/em><\/strong> : Invitation : Intervenez au Sommet des Leaders Technologiques 2025<\/em>\nMessage<\/em><\/strong> :\nBonjour,<\/em>\nNous serions heureux de vous accueillir parmi nos intervenants, pour partager vos id\u00e9es sur l'avenir de l'innovation technologique dans le domaine {{.Position}}.<\/em>\nSi vous souhaitez en savoir davantage sur notre conf\u00e9rence, vous pouvez t\u00e9l\u00e9charger notre programme ici : {{.URL}}<\/em><\/code><\/code><\/pre>\n<\/p>\n
![\"results](\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/02\/resultatCampagne2.png\")
<\/figure>\nAnalysis and key findings<\/h2>\n
<\/p>\n
The potentially catastrophic impact of a real phishing campaign<\/h2>\n
How can you protect your company from phishing threats?<\/h2>\n
<\/p>\n
Offer awareness-raising sessions to familiarize your employees, including decision-makers, with the most common phishing techniques.<\/li>\n
Choose robust solutions like Office 365, which stood out in this campaign for its anti-spam effectiveness.<\/li>\n
Encourage systematic verification of senders and links (mouse over URLs to see their true destination) before clicking.<\/li>\n
Organize regular simulations to assess your teams’ level of vigilance in the face of malicious e-mails.<\/li>\nConclusion: raising awareness of cybersecurity is a strategic challenge<\/h2>\n
Don’t know your overall level of awareness? Take action with Hackmosphere <\/h3>\n