After launching an anti-phishing training system a year ago, Intrepidus Group has followed up with a new version that adds targeted email attacks using attachments to the model.

According to the company, PhishMe Malware Edition was inspired by the daily barrage of email-borne attachment attacks that face every company, a growing number of which use targeted information designed to catch employees off-guard.

Organisations can now emulate attacks using the web-based training system, tracking the ability of each individual undertaking the program to spot specific attacks, complete with the type of instant feedback that sharpens users' responses. The new feature extends the principles of the established PhishMe Standard Edition by throwing sophisticated attachment attacks at users to see how they respond.

"The typical scenario is to send a handful of employees of the target organisation a legitimate looking, spear phishing email and lure them to either click on a hyperlink in the email that points to a website hosting malware, or open a file attached to the email that infects the local system," said Intrepidus CEO, Rohyt Belani.

The point of using a system such as PhishMe was that it penetration tested the one part of the system that could fail with potential disastrous consequences. The human being was the final barrier that targeted attacks were sometimes skilfully designed to beat.

"If the employees fall prey, their workstations are compromised and the attacker is provided a foothold in the corporate network to expand influence through the environment and potentially gain unauthorised access to sensitive data," he added.

To reinforce its point, Intrepidus Group has publicised more background on a 2007 ‘spear' phishing attack on a US energy company in charge of critical infrastructure in which potentially serious consequences were only narrowly avoided. The attack was eventually traced back to an individual with admin privileges opening an attachment that appeared to come from the organisation's HR department.

"Phishing relies in vulnerabilities in human beings, not just technology," Belani told Techworld. The cost of better protection was that users needed to be trained to better distinguish the targeted attack from the innocent email. This added time to each user's assessment of a particular email, but this was a price worth paying to avoid catastrophe.

Figures from Intrepidus Group suggest that roughly a quarter of the average organisation's workforce are vulnerable to the soft of attacks that PhishMe tries to combat.

The company is holding an open marketing webinar on its technology on 15 September, and will explore the energy company hack in detail.