Phishing exercise
From Inforail
Warning
- This is an exercise
- Do NOT send your phishing emails to anyone except people who are aware of your academic experiment
Task description
Keywords
phishing, social engineering, email, writing skills
Background story
The customer database of a company was recently published online. It includes personal information such as each customer's name and address, as well as other contact details.
The database is still easy to find, as it was downloaded thousands of times shortly after the leak. You have it too.
Objectives
Understand how phishers think, and plan a series of defensive actions.
Workflow
- Get hold of the database itself
- Examine its contents and determine which parts of it can be leveraged
- Plan a phishing campaign that will exploit the leaked information
- Draft an email that will be sent to every customer, luring them into your trap
- Write a press release on behalf of the targeted company, explaining to customers how best to protect themselves from an upcoming wave of scams
Self-test questions
- What is phishing?
- How is it different from spear-phishing and whaling?
- How can we protect ourselves from phishing scams?
- How can a company minimize the chance of its identity being spoofed by phishers?
Grading policy
- 6 - write a generic phishing email for the entire customer base
- 7 - write a specific email that targets each individual directly
- 9 - write the press release for the victim company
- 10 - apply some dramatic artistic skills and/or humour when doing the above; try targeting your teacher.
Recent breaches
- Starnet
- Ashley Madison
- Target