Phishing exercise

From Inforail

Warning

  • This is an exercise
  • Do NOT send your phishing emails to anyone except people who are aware of your academic experiment


Task description

Keywords

phishing, social engineering, email, writing skills

Background story

The customer database of a company was recently published online. It includes personal information such as each customer's name and address, as well as other contact details.

The database is still easy to find, as it was downloaded thousands of times shortly after the leak. You have it too.

Objectives

Understand how phishers think, and plan a series of defensive actions.

Workflow

  • Get hold of the database itself
  • Examine its contents and determine which parts of it can be leveraged
  • Plan a phishing campaign that will exploit the leaked information
  • Draft an email that will be sent to every customer, luring them into your trap
  • Write a press release on behalf of the targeted company, explaining to customers how to best protect themselves from an upcoming wave of scams



Self-test questions

  • What is phishing?
  • How is it different from spear-phishing and whaling?
  • How can we protect ourselves from phishing scams?
  • How can a company minimize the chance of its identity being spoofed by phishers?


Grading policy

  • 6 - write a generic phishing email for the entire customer base
  • 7 - write a specific email that targets each individual directly
  • 9 - write the press release for the victim company
  • 10 - apply some dramatic artistic skills and/or humour when doing the above; try targeting your teacher.



Recent breaches