Phishing Case Study: How A Leading Conglomerate Is Building A Human Firewall
About the Customer
The client is a large-scale, diversified conglomerate with significant operations in the hospitality and entertainment industry. Their business relies on thousands of employees, making human-layer security a critical component of their defense strategy.
| Category | Details |
|---|---|
| Industry | Diversified Conglomerate |
| Challenge | Assessing and improving employee awareness to mitigate risks from sophisticated, real-world phishing attacks. |
| Solutions Used | Phishing Simulation Exercise, Security Awareness Assessment |
The Challenge
As part of its annual cybersecurity initiatives, the client’s security team needed to assess the human element of its security posture. The organization understood that technical defenses alone are insufficient against social engineering. The key drivers for a comprehensive phishing assessment were:
- The need to measure the organization's real-world resilience against phishing and test employee awareness levels.
- The need to determine the baseline likelihood of employees clicking suspicious links in emails designed to mimic authentic internal communications.
- The need to test the vigilance of recipients with email templates that included deliberate and noticeable errors.
- The need for clear metrics on employee vulnerability to guide future targeted training and awareness campaigns.
The AKATI Sekurity Solution
AKATI Sekurity was engaged to design and execute a coordinated Phishing Simulation Exercise targeting a large cohort of employees. The engagement involved crafting a realistic phishing scenario that impersonated an official IT Security Operations notice.
The email urged users to perform a "Mandatory Security Update", using urgent language to pressure employees into action. Employees who clicked the simulated phishing link were immediately redirected to an educational landing page. This page informed them of the simulation and provided instant, actionable awareness tips on how to spot phishing attempts.
Strategic Gap Analysis & Baseline
The assessment provided the client's leadership with a clear, quantitative baseline of their 'human firewall' effectiveness. This data served as a crucial benchmark for their annual security posture assessment.
Key Results:
- Successfully assessed a test population of over 2,100 employees across the organization.
- Established a baseline click-through rate, revealing that approximately 10% of the targeted employees clicked the suspicious link.
- Identified a large group of vigilant employees (a majority of recipients) who opened the email but correctly identified it as suspicious and did not click.
- Provided a clear, data-driven foundation for targeted remedial training and future awareness campaigns.
Process & Methodology
The phishing simulation moved beyond a simple pass/fail test to provide a comprehensive, end-to-end assessment of employee behavior and to reinforce security awareness in real time.
| Phase | Description |
|---|---|
| Scoping | Targeted a large, cross-departmental group of over 2,100 employees to ensure a statistically relevant sample size. |
| Execution | Deployed a realistic phishing email mimicking a mandatory IT security update, complete with urgent language and subtle, deliberate errors. |
| Analysis | Analyzed user actions in real time, segmenting the population into 'Clicked' (Victims), 'Opened Only' (Vigilant), and 'No Action' (Inactive/Aware). |
| Mobilization | Delivered immediate, on-the-spot training via a "You have been Phished" landing page and provided actionable recommendations for focused follow-up training and strengthened reporting mechanisms. |
Key Campaign Metrics
The following metrics represent the anonymized outcomes of the phishing simulation. These results provided a clear benchmark for the client's security awareness program.
| Category | Result |
|---|---|
| Total Targets | > 2,100 Employees |
| Click-Through Rate (Victims) | Approx. 10% |
| Email Opened Only (Vigilant) | Approx. 64% |
| No Action Taken | Approx. 26% |
Conclusion
Understanding human vulnerability is the first step to building a resilient organizational culture. AKATI Sekurity's engagement provided this vital visibility, transforming an abstract risk into a measurable metric. By establishing a clear baseline, the client is now empowered to strengthen its human firewall, implement targeted training for at-risk groups, and refine its ongoing awareness strategy to foster a more vigilant and secure workforce.