Phishing Vulnerability Assessments

What is phishing?

Phishing occurs when a scammer tries to trick people into giving away their or their organisation’s confidential information, such as passwords, credit and bank account details and financial information.

They do this by pretending to be a legitimate contact and convincing a target to open a spam email, click on a dangerous link or go to a fake website.

When targeting a business, the scammer collects information about how an organisation’s emails are presented and structured to make them look as authentic and believable as possible. Often the attacker will pretend to be a CEO or senior executive and send messages to employees further down the management chain asking them to transfer money or sensitive data.

Phishing of employees and malicious attachments sent in email messages are still the main cause of data breaches, despite warnings. It is estimated that 156 million phishing emails are sent every day. Of these, 16 million manage to get through email filters, and 8 million are opened by unaware staff.

The General Data Protection Regulations (GDPR) that came into force on 25th May 2018 requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

To be GDPR compliant, you must evidence steps have been made to test the security of your data. A data breach is also a breach of GDPR without this. It is crucial that a workforce understands how to identify a phishing campaign to avoid data breaches, through clicking on malicious attachments and URLs.


Why identifying phishing campaigns should be top
of your priority list

There can be subtle clues in the messaging that, when looked out for, are obvious to the recipient. Unfortunately many targets are not aware of these or are too busy to notice them. Significant criminal gains can be made by targeting the big fish at the top, which is why whaling is so popular.

The scammer relies on the natural desire to impress senior managers and uses this behaviour to their advantage. Often an employee, no matter how odd the request may be, will want to adhere to a request made by the ‘CEO’.

No matter how secure your company’s networks are, they will still be vulnerable to human weakness. With phishing attacks being the most common form of cyber-attack, people need to know what to look out for when a potentially dangerous email lands in your or your employee’s inbox.

Our phishing capability assessment process

It is crucial that a workforce understands how it could be targeted, as well as knowing what to do if employees receive a suspicious email.

With this in mind, PGI has developed a phishing capability assessment with the purpose of measuring the current cyber awareness of the workforce, and delivering targeted training to reduce the organisation’s risk of exposure to this type of attack.


The solution

PGI will conduct a bespoke test email phishing campaign, tailored to your organisation, based on:

  • Open source research
  • Our knowledge of your organisation
  • The latest attacks targeted at your industry
  • This campaign can be carried out over a 4-week period with multiple emails.

Throughout the campaign, the realism of these emails and the domain names used will vary to replicate the different abilities and skills used by attackers.

Upon failing to identify a phishing email, staff will be presented with a short educational message, such as a training video or webpage to help them identify and mitigate against that type of attack in the future.

cyber security

Metrics and follow-up

PGI will actively monitor and report on the following metrics throughout the exercise:

  • Opened phishing emails, and potentially malicious links clicked/ attachments downloaded.
  • Geographical location of the user opening the email to identify access in non-typical locations.
  • Out-of-date browsers and plugins, identifying potentially vulnerable users.
  • Network endpoints vulnerable to data-exfiltration and firewall misconfiguration.
  • Users who are subject to phishing emails but have failed to complete follow-up training.
  • Reductions in the number of successful phishing emails.

At the end of the campaign, PGI’s security experts will generate a comprehensive report based on the above, which will provide an analysis of current cyber maturity, and produce recommendations to increase this.

By understanding your organisation’s security posture, you can make informed decisions on effective investment in education and technology, as well as improving your organisation’s level of security and awareness.

Product & pricing

(Please note, all prices are exclusive of VAT)
Price Inclusive
Starting at £499
For our most basic package based on small businesses
  Fully managed 4-week long campaign

  Bespoke customised template

  Comprehensive report

Phishing recommendations

Products & resources

It is crucial that a workforce understands how it could be targeted by phishing, as well as knowing how to prevent it from happening. Here are a few resources and products that could help keep you cautious.


PGI's experts are highly knowledgeable in phishing. Below are a few informative articles to ensure you are prepared in case a phishing email ends up in your mailbox.

Want to purchase or need more information? Why not speak to one of our experts.

Choose a day and time and one of our team will be in touch.
Alternatively, call us on +44 (0)207 887 2699 or email us at

+44 (0)207 887 2699
©2019 PGI - Protection Group International Ltd. All rights reserved.
PGI - Protection Group International Ltd is registered in England & Wales, reg. no. 07967865
Address: Unit 13/14, Swallow Court, Sampford Peverell, Tiverton, England, EX16 7EJ