Phishing Dark Waters
Notes from my reading of Phishing Dark Waters by Christopher Hadnagy
Planning a phishing campaign
I found this section of the book quite interesting: the author points out that the goal of a phishing campaign is not to make the employees of a company feel dumb or stupid, but to help the organization build a constructive training experience. Therefore, our phishing emails and templates should not be perfect and totally credible. We have to give the employees some clues that our phishing email might be a scam. These clues may require more or less critical thinking depending on the level of awareness of the employees.
The author mentions that he often proposes to the client a phishing campaign with 4 levels of increasing difficulty.
Level 1
A level 1 phishing email contains a lot of indicators of a phishing attempt. It should not be too difficult for an employee to detect the scam that lands in their inbox.
Indicators
Adding typos and grammar mistakes
Choosing an unlikely domain name
Very unlikely offers or context
Very general greeting
Unknown sender
Appeals to (exaggerated) emotional reactions (fear, curiosity, excitement, etc.)
Level 2
More complex than level 1. Indicators similar to those of level 1 are present, but they are harder to detect. The examples given by the author show that level 2 often appeals to curiosity.
Bad links in body
Impersonal greeting and closing
Correct spelling, bad grammar
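Before sending a level 1 or level 2 template, it is worth checking that it really carries the clues employees are meant to find. The script below is an added example, not code from the book or its author: it parses a drafted training email and reports which of the checkable indicators listed above it contains (lookalike sender domain, generic greeting, emotional trigger words, links to off-brand domains, link text that does not match the href). Typos and grammar are left to a human reviewer. The two sample emails, the brand domain acme.example and the word lists are constructed for this example.

```python
"""Indicator scanner for phishing-training templates (added example, not from the book)."""
import re
from email import policy
from email.parser import Parser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed word lists; extend them to match the clues your own templates use.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear employee", "dear valued", "hello,", "hi,")
EMOTIONAL_TRIGGERS = ("immediately", "urgent", "suspended", "within 24 hours", "act now", "you have won", "prize")


class _BodyCollector(HTMLParser):
    """Collect the visible text and every (href, anchor text) pair from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.links = []
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation (no public-suffix list): the last two labels of a hostname."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def scan_template(raw_email, brand_domain):
    """Return the set of indicator names present in a drafted training email.

    brand_domain is the legitimate domain the template pretends to come from.
    """
    msg = Parser(policy=policy.default).parsestr(raw_email)
    found = set()

    from_header = msg["from"]
    if from_header is None or not from_header.addresses:
        found.add("missing sender")
    elif registrable_domain(from_header.addresses[0].domain) != registrable_domain(brand_domain):
        found.add("lookalike or unknown sender domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _BodyCollector()
    collector.feed(body.get_content() if body is not None else "")
    text = re.sub(r"\s+", " ", " ".join(collector.text)).strip().lower()

    if any(text.startswith(greeting) for greeting in GENERIC_GREETINGS):
        found.add("generic greeting")
    if any(trigger in text for trigger in EMOTIONAL_TRIGGERS):
        found.add("emotional trigger (fear/urgency/reward)")

    for href, anchor in collector.links:
        href_host = urlparse(href).hostname or ""
        if registrable_domain(href_host) != registrable_domain(brand_domain):
            found.add("link to off-brand domain")
        # Anchor text that looks like a URL or hostname but points somewhere else.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", anchor.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            found.add("link text does not match href")

    return found


# Constructed level 1 style draft: many obvious clues.
SAMPLE_LEVEL1 = (
    "From: Acme IT Support <helpdesk@acme-account-verify.com>\n"
    "To: employee@acme.example\n"
    "Subject: Your mailbox will be suspended\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><body>\n"
    "<p>Dear Customer,</p>\n"
    "<p>Your mailbox is over quota and will be suspended within 24 hours. "
    "Please verify your account immediately at "
    '<a href="http://acme-account-verify.com/login">https://mail.acme.example/login</a>.</p>\n'
    "</body></html>\n"
)

# Constructed level 3 style draft: spoofed brand sender, personal greeting, one subtle clue.
SAMPLE_LEVEL3 = (
    "From: Paul Martin <it-support@acme.example>\n"
    "To: marie@acme.example\n"
    "Subject: Updated remote-work policy\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><body>\n"
    "<p>Hi Marie,</p>\n"
    '<p>Please review the updated remote-work policy on the <a href="https://acme-sso.net/policy">SSO portal</a> '
    "before Friday's team meeting.</p>\n"
    "<p>Thanks,<br>Paul</p>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    for name, sample in (("level 1", SAMPLE_LEVEL1), ("level 3", SAMPLE_LEVEL3)):
        print(name, sorted(scan_template(sample, "acme.example")))
```

The level 1 draft trips five indicators, while the level 3 draft only exposes the off-brand link, which matches the book's intent: the higher the level, the fewer and subtler the clues. If a template meant for level 1 comes back with one or two hits, it is probably too credible for that audience.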
Level 3
A level 3 phishing campaign features a scenario similar to a real-world phishing attempt conducted by a trained attacker. Indicators of a phishing attempt are subtle, the email is well crafted and the scenario is plausible.
Level 4
Might sound like spear phishing or whaling. May target the CEO of the company or users with privileged access on the network. The content is tightly tied to the target's own context. This type of phishing requires a preliminary OSINT phase.
Never forget that the goal of a phishing campaign is to EDUCATE, not to shame the employees and make them feel bad. Our main goal is not to get as many phish as we can, but to get a clear picture of employee awareness.