The act of phishing is usually considered criminal behavior. In a phishing attack, a hacker aims to trick a user into clicking on a malicious link of some sort in an attempt to infect the user with malware or steal personal information.

As it turns out, one of the best ways to help prevent people from being victims of a phishing attack is to actually phish them. At least that's the view of security vendor PhishMe, which operates an anti-phishing technology service that teaches users what not to click. It's a business that investors now see potential in too.

At the end of July, PhishMe raised $2.5 million in a Series A venture capital funding round, led by Paladin Capital Group.

"Our focus is all about changing employee behavior toward spear phishing attacks," Rohyt Belani, CEO and co-founder of PhishMe, told eSecurityPlanet.

Belani explained that PhishMe has a Software-as-a-Service (SaaS) offering that customers use to emulate phishing attacks against their own employees. He noted that PhishMe is different from traditional penetration testing with social engineering.

The PhishMe service is run as a program throughout the year at an enterprise, and, if and when people actually click on links, there is instant training and remediation offered. Belani said the training comes in bite-sized segments of three minutes that are presented to users after they have been duped.

Belani explained that PhishMe was built with custom-written code running on Ruby on Rails. There is a user interface that lets customers choose the theme, as well as a reporting engine.

There are three primary types of phishing attacks that PhishMe will emulate. One of them is an email-based vector, where the goal is to try and get the user to click on a link in the body of the email. The second is also email based, but is an attempt to get the user to click on an attachment that carries malware. The third type of phishing attack is data entry-based, where there is an attempt to solicit corporate credentials or other sensitive data.

"The goal is to have a front-end that emulates the bad guys as closely as possible," Belani said. "Then as soon as people are found susceptible, there is no exploitation on them, only education and then reporting on the back-end."

According to Belani, traditional endpoint security systems like anti-virus software don't catch most phishing attacks.

"The key challenge is that the malware is customized and signatures don't exist, and it's just a shot in the dark to say that technology alone can catch these things," Belani said.

From an educational perspective, a key best practice to avoid being the victim of phishing is to not click on active links in email. Belani advises that even if you think the email is from a legitimate source, it's typically safer to simply copy and paste the link into a browser. Within the browser, there are more tools and techniques available that can help a user to spot a phishing URL than what is typically available within email.

"We teach people how to quickly read URLs," Belani said.

There are a number of reasons why people click on phishing attacks in the first place. Belani said the first thing they tell customers is to be aware of email risks. He added that people often don't think of themselves as targets.

"Email is an attack vector," Belani said. "Most people don't even know that."

Exit Strategy

Now with a new round of venture funding in hand, PhishMe will continue to push forward. Belani noted that he doesn't expect that his company is on track for an IPO, though he did not dismiss the notion that it could be an acquisition target by another company.

Belani said his company is still in its early stages and has approximately 140 enterprise customers.

"For the next 18-24 months my focus is to grow the company and grow a world-class operations team," Belani said.

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.