Conducting an Anti-Phishing Campaign (OBJ 5.6)

Introduction to Conducting a Phishing Campaign

  • Objective: Train users within an organization to recognize and avoid phishing scams.
  • Approach: Create a controlled phishing email campaign to test user awareness.

Overview of the Phishing Campaign Process

  • Use of Phishing Tool: Utilize a free program called Phish Insights by Trend Micro.
    • Accessing Phish Insights:
      • Go to: phishinsight.trendmicro.com.
      • Sign-up required for new users to create an account.
      • Tool is described as a wonderful free resource.
  • Creating a Campaign:
    1. Log into your account on Phish Insights.
    2. Click on Create a Campaign.

Campaign Setup

  • Selecting Target:
    • Example: Create a campaign with one target, Jason Dion.
    • Input recipient details:
      • List Name: Jason
      • First Name: Jason
      • Last Name: Dion
      • Email: jason@diontraining.com
      • Title: Instructor
    • Hit Continue to save target information.

Template Selection

  • Choosing an Email Template:
    • Select a template that mimics a common LinkedIn connection request.
    • Content of Selected Template:
      • Greeting: "Hi Jason Dion, I'd like to join your LinkedIn network."
      • Call to Action: Accept or View Profile buttons along with notification options.
    • Customization Options:
      • Ability to edit the template to make it appear less like LinkedIn if desired.

Email Address Configuration

  • Sender Email Address:
    • Example of deceptive email: invitations@linkein.com (deliberately misspelled: "linkein" instead of "linkedin").
    • Expectation: Users should recognize the erroneous sender address as a sign of a potential phishing scam.
    • Customization for Realism:
      • Option to use the correctly spelled address invitations@linkedin.com, making the email more deceptive and the test harder.

Campaign Scheduling

  • Setting Up the Campaign Schedule:
    • Options to run the campaign over varying periods (one week, two weeks, or longer).
    • Recommended for larger organizations with many employees to assess training effectiveness over time.

Actions Following User Interaction

  • Responses to User Clicks:
    • When users click on a link, the campaign can trigger different responses:
      1. Automatic training notification indicating they clicked on a link they shouldn't have.
      2. Immediate phished webpage display prompting the user for remedial training.
  • Notification Options:
    • Option to send a text message or email confirmation upon starting the campaign.

Analyzing Results and User Training

  • Monitoring the Campaign:
    • Campaign start time indicated as upcoming, with results available after execution to analyze user interaction.
    • Goal: Identify users who clicked on phishing links and provide necessary training based on their interactions.

Example Phishing Email Analysis

  • Description of the Phishing Email Sent:
    • Subject Line: "Jason, please add me to your LinkedIn network."
    • Sender Identity: A fake "invitations" address that misleadingly resembles genuine LinkedIn correspondence.
    • Email Content:
      • Contains LinkedIn logos and formatting to appear authentic.
    • Link Destination:
      • The links appear to lead to LinkedIn; in reality they redirect to a phishing website (websitefun.club).

Characteristics of a Phishing Scam

  • Crafting Deceptive Emails:
    • Effective phishing emails resemble legitimate communications, tricking users into engaging with malicious links.
    • Users are warned against clicking hyperlinks directly in emails.
  • Recommended User Action:
    • Open a new web browser and navigate directly to known safe websites (like LinkedIn) rather than clicking on links in emails.
  • Risks Associated with Phishing:
    • Clicking phishing links may lead to malware downloads or credential theft through fake login prompts disguised as legitimate websites.
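The two tells described in the email analysis and the scam characteristics above (a sender domain that is a near-miss of a real brand, and links whose destination host is not the brand the email claims to be from) can be checked mechanically before a user ever clicks. The following Python script is an added example for this lesson; it is not part of the original notes and has nothing to do with how Phish Insights works internally. The sample message is constructed here to mirror the email the lesson describes (invitations@linkein.com, links to websitefun.club), and the list of trusted brand domains is an assumption a real deployment would replace with its own.

```python
"""Defender-side triage of a suspected phishing email (added example).

Flags (1) a sender domain within a small edit distance of a trusted brand
domain and (2) links whose host is not that brand, which is exactly the
pattern of the lesson's sample email: a LinkedIn lookalike sender whose
buttons point at websitefun.club.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brand domains this organization's users are expected to trust.
TRUSTED_DOMAINS = {"linkedin.com", "diontraining.com"}

# Constructed sample modelled on the email described in the lesson.
SAMPLE_EMAIL = """\
From: LinkedIn <invitations@linkein.com>
To: jason@diontraining.com
Subject: Jason, please add me to your LinkedIn network
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi Jason Dion, I'd like to join your LinkedIn network.</p>
<a href="http://websitefun.club/accept?id=12345">Accept</a>
<a href="http://websitefun.club/profile">View Profile</a>
<a href="https://www.linkedin.com/help">www.linkedin.com/help</a>
</body></html>
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2):
    """Return the trusted domain `domain` imitates, or None if it is either an
    exact trusted domain or not close to any trusted domain."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_dist:
            return t
    return None


def belongs_to(host: str, brand: str) -> bool:
    """True if host is the brand domain itself or one of its subdomains."""
    host = host.lower()
    return host == brand or host.endswith("." + brand)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email(raw: str) -> list:
    """Return findings as (kind, subject, detail) tuples; empty list means clean."""
    msg = message_from_string(raw)
    findings = []

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(("lookalike-sender", sender_domain, imitated))

    # The brand the email claims to come from: the imitated domain for a
    # lookalike sender, or the sender domain itself if it is genuinely trusted.
    claimed = imitated or (sender_domain if sender_domain in TRUSTED_DOMAINS else None)

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if claimed and not belongs_to(host, claimed):
            findings.append(("link-mismatch", text, host))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in analyze_email(SAMPLE_EMAIL):
        print(f"{kind}: {subject!r} -> {detail}")
```

Run against the constructed sample, the script reports the lookalike sender (linkein.com imitating linkedin.com) and the two buttons that point at websitefun.club, while the genuine www.linkedin.com help link passes. The same logic is a reasonable basis for a mail-gateway rule or a user-facing "report phish" triage step.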