Phishing Dark Waters

Notes from my reading of Phishing Dark Waters by Christopher Hadnagy

Planning a phishing campaign

I found this section of the book quite interesting: the author points out that the goal of a phishing campaign is not to make the employees of a company feel dumb or stupid, but to help the organization build a constructive training experience. Therefore, our phishing emails and templates should not be perfect and totally credible. We have to give the employees some clues that our phishing email might be a scam. These clues may require more or less critical thinking depending on the employees' level of awareness.

The author mentions that he often proposes to clients a phishing campaign with four levels of increasing difficulty.

Level 1

A level 1 phishing email contains many indicators of a phishing attempt. It should not be too difficult for an employee to detect the scam that lands in their inbox.

Indicators

  • Adding typos and grammar mistakes

  • Choosing an unlikely domain name

  • Very unlikely offers or context

  • Very general greeting

  • Unknown sender

  • Appeals to (exaggerated) emotional reactions (fear, curiosity, excitement, etc.)

Level 2

More complex than level 1. Indicators similar to those of level 1 are present, but they are harder to detect. The examples given by the author show that level 2 can appeal to curiosity.

  • Bad links in body

  • Impersonal greeting and closing

  • Correct spelling - Bad grammar
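A small self-check for drafting templates, added here as an example and not taken from the book: it scans a draft for the level 1 and level 2 clues listed above (unlikely sender domain, generic greeting, emotional hooks, typos, links whose visible text disagrees with their target) and maps the clue count to a rough level. The trusted domain, word lists, sample drafts and the count-to-level mapping are all assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Constructed values for this example: the trusted domain, word lists and
# sample drafts below are assumptions, not taken from the book.
TRUSTED_DOMAINS = {"example-corp.com"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "hello,", "hi,")
EMOTION_WORDS = ("urgent", "immediately", "suspended", "prize", "winner", "act now")
COMMON_TYPOS = ("recieve", "acount", "verifiy", "informations", "teh")

def _host_in_text(text):
    """Return the domain a link's visible text claims to point at, if any."""
    m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text.strip().lower())
    return m.group(1) if m else None

def find_indicators(sender, greeting, body, links):
    """List the checklist indicators a draft template exhibits.
    links is a list of (visible_text, href) pairs taken from the body."""
    found = []
    if sender.rsplit("@", 1)[-1].lower() not in TRUSTED_DOMAINS:
        found.append("unknown sender / unlikely domain")
    if greeting.strip().lower().startswith(GENERIC_GREETINGS):
        found.append("very general greeting")
    text = body.lower()
    if any(w in text for w in EMOTION_WORDS):
        found.append("appeal to emotional reaction")
    if any(re.search(r"\b%s\b" % t, text) for t in COMMON_TYPOS):
        found.append("typos / grammar mistakes")
    for shown, href in links:
        claimed = _host_in_text(shown)
        if claimed and claimed != (urlparse(href).hostname or "").lower():
            found.append("bad link in body")  # visible text and target disagree
            break
    return found

def estimate_level(indicators):
    """Rough mapping from clue count to the book's levels 1-3 (assumption:
    three or more clues is level 1, two is level 2, fewer is level 3).
    Level 4 depends on targeting and OSINT, which a checklist cannot score."""
    n = len(indicators)
    return 1 if n >= 3 else 2 if n == 2 else 3

if __name__ == "__main__":
    draft = find_indicators(
        "it-support@mail-secure-login.biz", "Dear Customer,",
        "Your acount will be suspended immediately unless you verifiy it.",
        [("example-corp.com/login", "http://mail-secure-login.biz/x")])
    print(draft, "-> level", estimate_level(draft))
```

Running the check on a draft before sending it confirms that a supposedly easy template really does carry several visible clues, and that a harder one does not accidentally include a level 1 giveaway.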

Level 3

A level 3 phishing campaign features a scenario similar to a real-world phishing attempt conducted by a trained attacker. The indicators of a phishing attempt are subtle, the email is well crafted and the scenario is plausible.

Level 4

Might sound like spear phishing or whaling. It may target the CEO of the company or users with privileged access over the network. The scenario is closely tied to the target's own context. This type of phishing requires a preliminary OSINT phase.

Never forget that the goal of a phishing campaign is to EDUCATE, not to shame the employees and make them feel bad. Our main goal is not to catch as many people as we can, but to get a clear picture of employee awareness.
