Sherlocked Security – Social Engineering (Phishing) VAPT
Human Layer Tested: Because Firewalls Don’t Stop Clicking
📄 1. Statement of Work (SOW)
Service Name: Social Engineering – Phishing VAPT
Client Type: Enterprises, BFSI, FinTech, SaaS, HR Teams
Service Model: Simulated Attacks + Awareness Testing + Reporting
Compliance Coverage: ISO 27001, NIST 800-53, RBI Guidelines, SOC 2
Testing Types:
- Spear Phishing Simulation
- Bulk Email Campaigns
- Credential Harvesting & Payload Testing (benign)
- Voice Phishing (optional)
- USB Drop Simulation (optional)
- Awareness Training Post-Test
🧠 2. Our Approach
🧠 Test. Educate. Strengthen.
[Target List Setup] → [Pretext Creation] → [Campaign Configuration] → [Email Delivery] → [Click & Submit Tracking] → [Metrics Capture] → [Awareness Debrief] → [Executive Reporting]
🧪 3. Methodology (with Visual)
[Kickoff] → [Target Scoping] → [Payload Design] → [Campaign Launch] → [Interaction Tracking] → [Data Analysis] → [Reporting] → [Awareness Training (optional)]
📦 4. Deliverables to the Client
- ✅ Phishing Metrics Dashboard
- 📘 Campaign Report:
  - Pretext used
  - Email open rate
  - Click-through rate
  - Credential submission attempts
  - Department-wise breakdown
  - Timeline of activity
  - Screenshots / payload details
- 📊 Executive Summary PDF
- 📽️ Awareness Training Deck (optional)
- 🔁 One Re-run of Simulation (within 30 days)
- 🏆 Human Risk Scorecard + Fix Suggestions
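The campaign report metrics listed above (open rate, click-through rate, credential submission attempts, department-wise breakdown, and the improvement measured on the 30-day re-run) can all be derived from the per-recipient event timeline a simulation platform records. The following is an added illustration, not Sherlocked's or Gophish's own code: it folds a constructed event log into a per-department funnel, expresses each stage as a percentage of emails sent, and compares a baseline campaign with its retest. The event field names, the rule that a click or submission implies an open (tracking pixels are often blocked by mail clients, so raw open events undercount), and the weights in `risk_score` are assumptions of this example.

```python
from collections import defaultdict

# Funnel stages in order; a later stage implies every earlier one.
STAGES = ("sent", "opened", "clicked", "submitted")
IMPLIES = {s: STAGES[: i + 1] for i, s in enumerate(STAGES)}

# Constructed sample event log (not real client data). Each row is
# (campaign, recipient, department, event). The shape loosely mirrors a
# phishing-simulation export, but the field layout is an assumption here.
EVENTS = [
    ("baseline", "f1@corp.example", "Finance", "sent"),
    ("baseline", "f1@corp.example", "Finance", "opened"),
    ("baseline", "f1@corp.example", "Finance", "clicked"),
    ("baseline", "f1@corp.example", "Finance", "submitted"),
    ("baseline", "f2@corp.example", "Finance", "sent"),
    ("baseline", "f2@corp.example", "Finance", "opened"),
    ("baseline", "f2@corp.example", "Finance", "clicked"),
    ("baseline", "f3@corp.example", "Finance", "sent"),
    ("baseline", "f4@corp.example", "Finance", "sent"),
    ("baseline", "f4@corp.example", "Finance", "clicked"),  # pixel blocked: no "opened" row
    ("baseline", "h1@corp.example", "HR", "sent"),
    ("baseline", "h1@corp.example", "HR", "opened"),
    ("baseline", "h2@corp.example", "HR", "sent"),
    ("baseline", "h2@corp.example", "HR", "opened"),
    ("baseline", "h2@corp.example", "HR", "clicked"),
    ("baseline", "h2@corp.example", "HR", "submitted"),
    ("baseline", "h3@corp.example", "HR", "sent"),
    ("retest", "f1@corp.example", "Finance", "sent"),
    ("retest", "f1@corp.example", "Finance", "opened"),
    ("retest", "f2@corp.example", "Finance", "sent"),
    ("retest", "f2@corp.example", "Finance", "opened"),
    ("retest", "f2@corp.example", "Finance", "clicked"),
    ("retest", "f3@corp.example", "Finance", "sent"),
    ("retest", "f4@corp.example", "Finance", "sent"),
    ("retest", "h1@corp.example", "HR", "sent"),
    ("retest", "h2@corp.example", "HR", "sent"),
    ("retest", "h2@corp.example", "HR", "opened"),
    ("retest", "h3@corp.example", "HR", "sent"),
    ("retest", "h3@corp.example", "HR", "opened"),
]


def funnel(events, campaign):
    """Count, per department and overall ("ALL"), how many distinct
    recipients reached each funnel stage in the named campaign.
    Duplicate events for one recipient are collapsed so that two clicks
    by the same person count once."""
    reached = defaultdict(set)  # (department, recipient) -> stages reached
    for camp, recipient, dept, event in events:
        if camp == campaign:
            reached[(dept, recipient)].update(IMPLIES[event])
    counts = defaultdict(lambda: dict.fromkeys(STAGES, 0))
    for (dept, _), stages in reached.items():
        for stage in stages:
            counts[dept][stage] += 1
            counts["ALL"][stage] += 1
    return dict(counts)


def rates(counts):
    """Express opened/clicked/submitted as a percentage of emails sent,
    rounded to one decimal, for each department key in `counts`."""
    return {
        dept: {
            stage: round(100 * c[stage] / c["sent"], 1) if c["sent"] else 0.0
            for stage in STAGES[1:]
        }
        for dept, c in counts.items()
    }


def improvement(baseline_pct, retest_pct):
    """Relative reduction of a rate between baseline and retest, in percent.
    A baseline of zero has nothing to improve on and returns 0.0."""
    if baseline_pct == 0:
        return 0.0
    return round(100 * (baseline_pct - retest_pct) / baseline_pct, 1)


def risk_score(c):
    """Hypothetical 0-100 human-risk score for one department's counts.
    The stage weights (assumption of this example) favour the behaviours
    that actually expose the organisation: clicking and submitting."""
    if not c["sent"]:
        return 0
    weighted = (0.2 * c["opened"] + 0.4 * c["clicked"] + 0.4 * c["submitted"]) / c["sent"]
    return int(round(100 * weighted))


if __name__ == "__main__":
    base, retest = funnel(EVENTS, "baseline"), funnel(EVENTS, "retest")
    for dept in sorted(base):
        print(dept, rates(base)[dept], "risk:", risk_score(base[dept]))
    print("click-rate improvement on retest:",
          improvement(rates(base)["ALL"]["clicked"], rates(retest)["ALL"]["clicked"]), "%")
```

The department breakdown is what turns a single click-through number into a targeted training plan, and the retest comparison is how the "free retest to measure improvement" deliverable is quantified.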
🤝 5. What We Need from You (Client Requirements)
- ✅ List of employee emails (scoped)
- ✅ Consent & authorization letter
- ✅ Preferred themes or impersonation scenarios
- ✅ Mail gateway headers (optional, for bypass tuning)
- ✅ Helpdesk contact (to field queries during simulation)
- ✅ Training policy (for awareness phase)
🧰 6. Tools & Technology Stack
- ✉️ Gophish / King Phisher / Custom Portal
- 🌐 Redirector Links, Tracking Pixels
- 🖥️ Credential Harvest Pages (non-malicious)
- 🔒 SPF/DKIM-aware sender setup
- 📊 Real-time tracking dashboards
- 🎓 Awareness content modules (SCORM, PPT, PDF)
🚀 7. Engagement Lifecycle (Lead → Closure)
1. Scoping & Consent → 2. Pretext Design → 3. Payload & Domain Setup → 4. Test Send + Bypass Check → 5. Campaign Launch → 6. Results Review → 7. Awareness Session → 8. Closure Report
🌟 8. Why Sherlocked Security? (Our USP)
| Feature | Sherlocked Advantage |
|---|---|
| 🧠 Real-World Scenarios | Tailored emails, local language pretexts |
| 📊 Actionable Metrics | Click/open/submit tracking, heatmaps |
| 🛡️ No Risk of Infection | Simulated payloads only (harmless) |
| 🎓 Optional Training | Post-attack awareness for employees |
| 🔁 Re-run Included | Free retest to measure improvement |
📚 9. Real-World Case Studies
🎯 Executive-Level Spear Phishing
Target: CXO and IT team
Payload: Fake M365 login page
Result: 4/6 executives entered credentials
Fix:
- Awareness training
- Conditional MFA enforced
- Email gateway rule enhancements
📥 Payroll-Themed Phishing Campaign
Client: HR SaaS company
Theme: “Salary Revision Letter”
Findings: 41% click-through, 19% data entry
Impact:
- Risk profile assessed by department
- Targeted awareness rollout initiated
Outcome: 85% improvement in retest results
🛡️ 10. SOP – Standard Operating Procedure
- Kickoff & authorization
- Target list finalization
- Pretext approval
- Email/payload setup
- Live campaign execution
- Data analysis & metric collection
- Awareness training (if opted)
- Final report & human risk scoring
📋 11. Sample Phishing Simulation Checklist (Preview)
- Define phishing campaign objectives and scope.
- Craft realistic phishing email templates.
- Set up a tracking mechanism (links/forms).
- Test email delivery and bypass filters.
- Launch campaign targeting sample employees.
- Track open rates and interactions.
- Capture credentials or simulate malware payloads.
- Report metrics and user behavior trends.
- Provide awareness and remediation training.
- Repeat testing post-awareness to measure improvement.