The Social Engineer’s Guide to Phishing: Part I

A Brief Introduction

Choosing the Right Tools

Scenario 1: The Dev Team

  1. They have a small number of employees.
  2. They cannot afford an enterprise solution.
  3. They have a small Security team that will have to orchestrate this.

Scenario 2: The Mid-Sized Paper Company

  1. They have a decently large number of employees, ~300.
  2. They have multiple branches, and would need to manage user groups.
  3. They would like to have regular reports, and to maintain statistics.
  4. They’re still trying to save money after the loss, so open-source tooling is preferred.

Scenario 3: The Uber-Conglomerate

  1. They have too many employees to manage with a smaller platform.
  2. They need complete transparency with operations.
  3. Product support is a must; things always break eventually.
  4. There is a lot at risk.

So What’s the Gist?

Building a Convincing Campaign

  1. You are driving home and stop at a stop light. A man approaches your vehicle. Out of fear, you lock your doors.
  2. While browsing the web, you see an ad for something so ridiculous you just have to check it out. Your desire for new experiences compels you to click the ad.
  3. You receive a phone call after a local historic building has burned down; the person on the line is asking for donations to restore it. Out of compassion, you pledge $50.

  1. John is a member of his local orchestra.
  2. John is a Network Engineer at a local IT Shop.
  3. John uses PayPal, Gmail, and Netflix regularly.
  4. John’s boss, Dave, often emails him about important business topics.

  1. A believable (spoofed, if needed) sending address
  2. If email, a template that looks like other emails in that space
  3. All applicable logos and graphic resources a user expects
  4. If social media, a profile that looks like a genuine person

Putting it all together

  1. The Password Reset
  2. The Data Breach
  3. The Package