Phishing emails are the most common initial access vector in cybersecurity compromises across the world. Phishing emails received by critical infrastructure organizations therefore represent a significant threat to national security and public safety. A successful phishing attack on these sectors can lead to operational disruptions, economic losses, and potential harm to citizens.
SC CIC recognized the need to address this essential component of cybersecurity posture from the outset and has offered phishing campaigns and security awareness training as a service since its creation. The goal of a phishing campaign is to help participants test each employee’s ability to identify suspicious emails, provide actionable data to drive future tests, and offer training that helps users learn from previous mistakes.
At the start of an SC CIC phishing engagement, the participant is given a selection of phishing email templates. These templates are based on real campaigns SC CIC has observed in the wild and allow for customization to fit the needs of the specific organization, such as adding company logos or mimicking legitimate landing pages an employee would normally encounter. The SC CIC analyst then works with the internal IT team to ensure test phishing emails are not blocked by email filters and that the domains being used to conduct the test have been allowlisted where appropriate.
Once a test phishing campaign goes live, metrics are collected on which users open the email, click on links contained within, and if applicable, enter credentials into the landing pages served. At the end of the campaign, the organization receives reports that detail these metrics. An SC CIC analyst then reviews the report with organizational leadership, makes recommendations based on the findings, and develops a training plan that is delivered to users directly.
These trainings show users what signs to look for to detect suspicious emails in the future and illustrate the potential impact of their actions had the email been a real threat. SC CIC’s phishing service is designed to supplement internal efforts, so it is not offered on a regular schedule per organization. In this way, SC CIC can help fill the gap where resources may be lacking while still supporting the development of all levels of security programs in the state.

If you represent a critical infrastructure organization and are interested in any of the SC CIC services, please complete the Join SC CIC form here.