Credit: Tumisu/Pixabay

The Crown Commercial Service has invested in a phishing-simulation tool to help its security professionals identify areas for improvement.

Newly published commercial documents reveal that the government procurement agency has signed a deal with specialist firm MetaCompliance. The company will provide software intended to help its information security and assurance (ISA) function “to test security awareness” across the organisation and find “areas that need extra support”.

“The tool should allow the ISA team to craft realistic-looking emails that mimic real lift phishing attempts, for example NHS Covid 19 emails, HMRC tax refunds and missed parcel collections,” the contract said. “The tool should have pre-crafted templates that the ISA team can use or tweak to quickly send simulations The tool should allow ISA to customise target lists, for example people in finance get a different phishing email to those in HR.”

The document added that CCS’s security team will require “detailed reports showing who opened a simulation email, who clicked on the link, and if any credentials were entered – but not reveal the credentials entered”. 

Related content

• Departments retain defence and security firms for ‘cyber incident response’
• No one is an island: How Caribbean states are working together to tackle cybercrime
• Government’s cyber plan delivers ‘a complete revolution in how we provide assurance’

“The tool must allow the ISA team to craft ‘from addresses’ to look like legitimate senders and domains… [and] must allow for custom pages to be displayed when a link is clicked,” it said.

Specialising in cyber awareness, MetaCompliance’s MetaPhish product is designed to support security teams in “embedding automated phishing tests into… training programmes, [to] prepare employees to recognise, remediate and report phishing emails and ransomware”, according to the company’s website. 

“The anti-phishing software includes an extensive range of customisable and regularly updated phishing templates and multilingual point-of-need learning experiences,” it added. “The reporting dashboard provides an in-depth analysis of specific phishing campaigns and identifies weaknesses within the organisation.”

Although it has only just been published, the company’s contract with CCS came into effect in October 2021. It runs for two years, is worth £8,000, and was awarded via the G-Cloud 12 framework.