How to Conduct an Internal Phishing Campaign

I’m going to go through the process, as fully as I can, of how I phished our organization, with the hope of helping you plan phishing campaigns for your own org. VITAL: You MUST have your company’s approval to do this, and ONLY do it for your company after approval. Doing this without approval, or doing it to another company without their approval, will cost you your job and can bring fines and/or jail time.
I used Duo.com – it’s free! We had paid someone to do it the year before, but this year I was tasked with taking care of it. So I figured, “Why not do it myself? I can learn, and save the company money.” There are PLENTY of ways to phish, and I’m not against using other services; this was a great learning opportunity for me, and I hope it helps you prepare, plan, and implement a good campaign.

This is a credential-harvesting phish. I thought, “With all that I’ve been teaching, certainly no one will fall for such emails.” But, alas, several did! I was at once thrilled that I was able to get people, yet dismayed that they fell for it. I realized that we had done a great job of pointing out some types of emails, but we still have work to do.

There are several steps to preparing, but it’s worth it. There’s no particular order, so do these in whatever order you prefer.

Create a separate mailbox on your domain using one of the role names the service accepts (abuse, admin, administrator, it, phishing, or postmaster); the phishing campaign will email that address to confirm that the campaign is approved (see the screenshots in the instructions below).

After you’ve logged in to insight.duo.com, there is a section under Help that lists the IP blocks the phishing emails are sent from. Allow those through your anti-spam filter; otherwise you are testing the filter, not your people.

Go to your own website and find the names, titles, and email addresses of those in charge – CEO, CFO, VPs, etc. Copy exactly what’s there; that’s what a bad guy would do. Get input from your manager, though – there may be board members or others that it’s best not to phish.

For a little fun, use theHarvester to scour the web for your company’s publicly available email addresses, and try a few Google dorks to see what else you can glean. It’s not vital to this type of phish, but it shows you what an outsider can find without any inside knowledge.

Decide when you’ll phish people (the same day? different days in one week? a department per day?). Decide how much time you’ll allow, after all of the campaigns have been launched, to wrap things up. The wrap-up is when you tally the responses. The responses for each campaign – who received it, who opened it, who clicked on the link, who entered their credentials – are all in the dashboard, but nothing puts them together across campaigns, so that part is manual. The numbers, percentages, and names are all there.

You need to give plenty of information to your company leadership, so take good notes of what you do and to whom your emails were sent, and take screenshots. Managers like to know names; executives like to see numbers. Use a spreadsheet with as many tabs as you need, and keep it away from others: it will hold the names of people who entered their credentials, and the campaign details would spoil the test if they got out early.

You can name each campaign how you like, so make it easy to find and follow. I launched multiple campaigns, each directed, for the most part, at a particular department, and named accordingly (e.g. HR Spreadsheet <date>).

Make sure that the right people, and only the right people, know what you’re going to do. Your boss probably needs to know. You may also want to tell your support team and their manager, because they’re going to get the calls, emails, and drive-bys when this starts.

Have a ready answer. When the emails start going out, people will email IT: “Is this legitimate?” You don’t want them to know that it was YOU who sent it (otherwise the whole test could be ruined before it gets very far), but you also don’t want to lie. You can reply with something like “I’m checking on it” or “I’ve had others report it – yes, it’s a phishing email,” and thank them for letting you know.
Keeping an org secure is everyone’s business, so thanking them lets them know that you really do appreciate them noticing and notifying.

Keep track of those who let you know. You may not need it, but you may be asked for it. It’s up to your org’s leadership, but there may be a reward or recognition for those who took note AND let IT know of a possible intrusion.

While it may seem that this is a lot to do, that’s a good thing! You don’t want just anyone phishing your company. You’re one of the good guys, and what’s easy for one is easy for all. Once it’s set up and you’ve run one campaign, the rest gets quite easy.

You know your company, so you have inside knowledge. Don’t let that stop you! Remember – you’re securing your organization. In my campaigns, while I had inside knowledge, I did what I could to take a generic approach: I got the names of the executives and their titles and wrote the emails accordingly – the HR manager talking to the HR department, etc.

I targeted departments. Remember – it’s not cheating! You’re trying to teach people what to look for, and this is just one of many ways. While I wrote to a whole department, I didn’t hide the From email address, each email went to the individual instead of the departmental address, and they should know better than to log into any other site using their company credentials. I copied and pasted the leaders’ names and information right from the site – I didn’t alter anything, just as anyone else could do. I emailed multiple individuals, but never named any of them. I used generic requests (e.g., instead of saying “log in with your <CompanyNameHere> credentials” I just said variations on “Log in with your usual credentials”).

Since I approached it from a managerial/executive perspective, I had to think about how one would write such an email. Those emails aren’t typically friendly, fuzzy, warm, congratulatory, and filled with several !!!!!. They’re not necessarily curt, unfriendly, and cold, but they are authoritative and to-the-point, and often short. So I wrote like that.

I also had a couple of really generic ones about email limits and password changes. Since words like “Office 365,” “portal,” and “password change” apply almost across the board, those are pretty good ones to include.

You might want to send a test to your manager so that they can give feedback.

Here are some examples, each of which got hits:

I'm working on a shared system that we can use to collaborate.
Please log in using your usual login and password and let me know what you think.
Login to Online Web Access
_____________________________________________________________________________
Your email has exceeded one or more size limits set by (CompanyNameHere).
Please click the link below to re-validate your email account.
Login to Online Web Access
Thanks for your co-operation,
Office 365
_____________________________________________________________________________
I've attached a presentation of newly proposed agreements.
Let me know your thoughts,
_____________________________________________________________________________

Now – onto the phishing specifics.

Create an account on https://insight.duo.com
You’re presented with this page. Click on Get Started
Enter your email address so that Duo can research your org. It may find a lot or a little – it’s just trying to help. But no matter – you’re about to have fun!
Here are some results. Enter your phone number and company size, then click Choose Service
The application you choose doesn’t necessarily matter; it may not be relevant to you. You’ll have the chance later in the process to change the type if you choose. Throughout the campaigns I selected different ones just for variation, and it was helpful in naming the campaign so that I knew what I sent (e.g., HR-WebAccess Date). Feel free to craft how you like!
The selection will look like this. To proceed, click Select Document Type
When you’re thinking about the selection, think about what you’re going to instruct your coworkers to do – check the presentation? See the numbers? Revise a draft? When you’re ready, click Craft an Email
Now for your writing skills. You may enter what you like. In my case, I wanted to take a different approach, a professional approach. I figured that our company was ready for the Nigerian prince or some foreign consultant with bad grammar – but were they ready for a decent-looking email with no spelling errors? This isn’t one that I sent (I just now made it up), but on the left is where you’ll write your email, and the right is how it will look. Notice how the title, type of document, and wording coordinate – I wanted it to fit together like a simple, affordable, yet professional outfit. This is where you’ll paste in the information that you copied from the site, if it had any. You’ll have the chance to revise the From field in the next screen.

Click on Edit Sender
Using one of the names from your research, put that here. Remember – you’re trying to draw their attention away from the fake email address. You’ve used the formal name and formal title and made it sound and look good, trying to keep them from seeing that non-corporate email address or any of the other signs that it’s NOT from someone in your company.

Click on Choose Recipients
Here you can manually enter the names or upload a .csv. Just follow your nose here. The next several screenshots show the two different options. I’ve blacked out much of it because you can’t start or continue this process without a real corporate address – so I need to keep things confidential. But you’ll get the gist. Your .csv and manual entries need to have email addresses in your domain, so make sure that names and email addresses are spelled correctly.

Option A:
Here we’ll choose Manual Entry
Just type in the Name and email addresses one at a time.

Option B:
Here we’ll choose Upload CSV
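Because the upload is rejected for any address outside your domain, and a misspelled address quietly leaves someone out of the test, it pays to check the list before uploading it. Below is an added example, not part of the original post and not Duo’s code, that does that pre-flight check. It assumes a two-column CSV with a Name,Email header and that every recipient must be in your own domain (COMPANY_DOMAIN); the sample list is constructed and contains the mistakes the check is meant to catch.

```python
"""Pre-flight check for a phishing-campaign recipient list.

Added example, not from the original post or from Duo. Assumptions: the
upload is a two-column CSV (Name,Email) and every recipient must be in
your own domain; change COMPANY_DOMAIN and the header names if your
service expects something different.
"""
import csv
import io
import re

COMPANY_DOMAIN = "example.com"  # assumption: replace with your domain

# Deliberately simple: one @, no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample with the mistakes the text warns about: a misspelled
# domain, a duplicate (differing only in case), a blank name, a space in
# the local part.
SAMPLE_CSV = """Name,Email
Alice Adams,alice.adams@example.com
Bob Brown,bob.brown@exmaple.com
Carol Clark,carol.clark@example.com
Carol Clark,Carol.Clark@Example.com
,dave.davis@example.com
Erin Evans,erin evans@example.com
"""


def check_recipients(csv_text, domain=COMPANY_DOMAIN):
    """Return (clean_rows, problems).

    clean_rows are unique (name, lower-cased email) pairs inside the company
    domain with a non-blank name. problems are human-readable strings with
    the 1-based data-row number so the spreadsheet can be fixed quickly.
    Any row that raises a problem is left out of clean_rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = [f.strip() for f in (reader.fieldnames or [])]
    if header != ["Name", "Email"]:
        return [], ["header must be exactly: Name,Email"]
    clean, problems, seen = [], [], set()
    for n, row in enumerate(reader, start=1):
        name = (row.get("Name") or "").strip()
        email = (row.get("Email") or "").strip()
        if not name:
            problems.append(f"row {n}: blank name for {email or '<no email>'}")
        if not EMAIL_RE.match(email):
            problems.append(f"row {n}: malformed address {email!r}")
            continue
        dom = email.rpartition("@")[2]
        if dom.lower() != domain.lower():
            problems.append(f"row {n}: {email} is not in {domain}")
            continue
        key = email.lower()
        if key in seen:
            problems.append(f"row {n}: duplicate address {email}")
            continue
        seen.add(key)
        if name:
            clean.append((name, key))
    return clean, problems


if __name__ == "__main__":
    rows, issues = check_recipients(SAMPLE_CSV)
    for issue in issues:
        print("PROBLEM:", issue)
    print(f"{len(rows)} recipients ready to upload")
```

Run it against the exported spreadsheet before every campaign; the row numbers in the output line up with the data rows in the sheet, so fixes take a minute.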
This is where you’ll choose the email address that will get notice that you’re about to launch the campaign – an obvious precaution. Since you already set it up earlier in this tutorial, just choose it and click Review & Launch.

NOTE: At this point, you’re not committed. The next screen is where you review everything and THEN commit. No emails of any kind have been sent yet.
So you’re just about to press Go. Take some time and review each item. You can even choose to send the phish to your own email address only, which is a really handy feature for a dry run.

NOTE: I noticed that things don’t refresh or update well if you have to edit at this point.

When you’re all set, click Launch Campaign!
Here are sample emails of what you’ll receive before the campaign is officially launched.
And after it’s been approved…
And after someone’s been phished…
And here’s what the phished recipient sees…
When you go to check on your campaign(s), you’ll see a screen like what’s below. Just click on each tab for the respective information.
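As noted earlier, the dashboard has every number per campaign but nothing that rolls them up across campaigns, so that step is manual. The following is an added example, not part of the original post and not Duo’s code, of doing that roll-up from a spreadsheet export. The export format is an assumption: one row per recipient per campaign with yes/no columns for Opened, Clicked, Submitted and Reported, plus a Department column you add yourself. It produces the percentages executives want and the names managers want from the same data; the sample rows are constructed.

```python
"""Roll up per-campaign phishing results into the numbers executives want
and the names managers want.

Added example, not from the original post or from Duo; the dashboard does
not export in exactly this shape, so the columns below are an assumption.
One row per recipient per campaign; Opened/Clicked/Submitted/Reported hold
yes or no. Department is a column you add when you build the spreadsheet.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export covering two campaigns sent to two departments.
SAMPLE_EXPORT = """Campaign,Department,Name,Email,Opened,Clicked,Submitted,Reported
HR Spreadsheet 2017-06-05,HR,Alice Adams,alice.adams@example.com,yes,yes,yes,no
HR Spreadsheet 2017-06-05,HR,Bob Brown,bob.brown@example.com,yes,no,no,yes
HR Spreadsheet 2017-06-05,HR,Carol Clark,carol.clark@example.com,no,no,no,no
Finance WebAccess 2017-06-06,Finance,Dave Davis,dave.davis@example.com,yes,yes,no,yes
Finance WebAccess 2017-06-06,Finance,Erin Evans,erin.evans@example.com,yes,yes,yes,no
Finance WebAccess 2017-06-06,Finance,Frank Ford,frank.ford@example.com,no,no,no,no
"""

STAGES = ("Opened", "Clicked", "Submitted", "Reported")


def _yes(value):
    return (value or "").strip().lower() in ("yes", "y", "true", "1")


def roll_up(export_text):
    """Return {department: summary} with an extra 'ALL' entry.

    Each summary holds the funnel counts, each stage as a percentage of
    emails sent, and the names behind the Submitted and Reported counts so
    the manager follow-ups can be written without re-reading the dashboard."""
    per_dept = defaultdict(lambda: {"Sent": 0, **{s: 0 for s in STAGES},
                                    "submitted_names": [], "reporter_names": []})
    for row in csv.DictReader(io.StringIO(export_text)):
        for dept in (row["Department"], "ALL"):   # count once per dept, once overall
            d = per_dept[dept]
            d["Sent"] += 1
            for stage in STAGES:
                if _yes(row[stage]):
                    d[stage] += 1
            if _yes(row["Submitted"]):
                d["submitted_names"].append(row["Name"])
            if _yes(row["Reported"]):
                d["reporter_names"].append(row["Name"])
    for d in per_dept.values():   # Sent is never 0 here: an entry exists only if a row was seen
        d["rates"] = {s: round(100.0 * d[s] / d["Sent"], 1) for s in STAGES}
    return dict(per_dept)


def format_report(summary):
    """One line per department, departments alphabetically, ALL last."""
    lines = []
    for dept in sorted(summary, key=lambda k: (k == "ALL", k)):
        d = summary[dept]
        lines.append(f"{dept}: sent {d['Sent']}, opened {d['Opened']} ({d['rates']['Opened']}%), "
                     f"clicked {d['Clicked']} ({d['rates']['Clicked']}%), "
                     f"entered credentials {d['Submitted']} ({d['rates']['Submitted']}%), "
                     f"reported {d['Reported']} ({d['rates']['Reported']}%)")
    return "\n".join(lines)


if __name__ == "__main__":
    results = roll_up(SAMPLE_EXPORT)
    print(format_report(results))
    for dept, d in results.items():
        if dept != "ALL" and d["submitted_names"]:
            print(f"Follow up with the {dept} manager about: {', '.join(d['submitted_names'])}")
        if dept != "ALL" and d["reporter_names"]:
            print(f"{dept} staff who reported it: {', '.join(d['reporter_names'])}")
```

The reporter list is kept alongside the names of those who entered credentials because, as described above, leadership may want to recognize the people who noticed and told IT.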
When the numbers are all in, just copy the information into your presentation and send it to whoever needs it.

In our case, I presented the information to my manager, and he presented it at the managers’ meeting. We didn’t call people out at that time, but it was left to me to contact each manager whose employees were phished, give the names of the individuals, and the manager would meet with those employees one-on-one to remind them to be safe.

Each company, each manager, and each campaign will differ in approach, but here’s the email I sent as a follow-up:

Good Morning, <Manager’sName>,

I'm emailing you about the results of the recent phishing test (during <such-and-such week>). Per <PersonWhoDecides>, I was asked to send you this email. Please follow up with the individuals in your department noted in this email. Let them know that they were "gotten" – they entered their username and password where they shouldn’t have. If it had been a real phish, the fraudster would now have their <company> login and password. Also, educate them a little on how they can avoid being phished in the future – you could use the points below. Reinforce that they are free to contact IT or you if something seems phishy.
- There were indications in the emails that things were not on the up-and-up. A few indicators were:
- Not only was the From email not hidden, but it was not from <companydomain>.
- There was no company logo or other company-specific images/links.
- Those emails that were sent to a department showed only the individual email, whereas a real email would show several email addresses in the To field.
The persons gotten in your department were: <name1>, <name2>. Below is a screenshot of the phish that was sent to them.
If you would, please let me know after you've met with each individual. I'd like to follow up with them to find out what led them to enter their credentials. Or feel free to ask them yourself, and then let me know. This information will be highly valuable for future training.

Thank you,
Your Name
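The tells listed in the follow-up email (a From address outside the company domain, a link to somewhere that isn’t the company’s, and a department-wide message that shows only one recipient), together with the point made earlier that the lure leans on a real leader’s name and title to draw attention away from the fake address, can all be checked mechanically on a raw message. The following is an added example, not part of the original post and not Duo’s code. It assumes the company domain is example.com and that the executive roster (name to real address) was copied from the public website, exactly as the campaign did; the sample message is constructed in the style of the "Online Web Access" lures above and contains no real addresses or URLs.

```python
"""Mechanical version of the tells listed in the follow-up email.

Added example, not part of the original post. Assumptions: the company
domain is example.com, and EXECUTIVES maps a leader's name (as it appears
on the website) to that leader's real address. The sample message is
constructed; nothing in it is a real address or URL.
"""
import email
import email.policy
import re
from email.utils import getaddresses, parseaddr

COMPANY_DOMAIN = "example.com"                       # assumption
EXECUTIVES = {"pat quinn": "pat.quinn@example.com"}  # assumption: copied from the website

URL_HOST_RE = re.compile(r"""https?://([^/\s"'>]+)""", re.I)
# Heuristic: words that suggest the message is addressed to a whole group.
GROUP_WORDS = ("team", "department", "everyone", "all staff")

# Constructed lure: real executive name and title, look-alike external
# sender, a single recipient, and an off-domain "log in" link.
SAMPLE_MESSAGE = """\
From: "Pat Quinn, Chief Financial Officer" <pat.quinn@webaccess-docs.example>
To: frank.ford@example.com
Subject: Newly proposed agreements
Content-Type: text/plain; charset=utf-8

Finance team,

I've attached a presentation of newly proposed agreements.
Please log in using your usual login and password and let me know your thoughts.

Login to Online Web Access: https://webaccess-docs.example/login

Pat Quinn
Chief Financial Officer
"""


def _domain(address):
    return address.rpartition("@")[2].lower()


def phish_indicators(raw_message, company_domain=COMPANY_DOMAIN, executives=EXECUTIVES):
    """Return a list of indicator strings. An empty list means none of these
    checks fired, which is not the same as the message being safe."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    company_domain = company_domain.lower()
    findings = []

    # 1. The From address was not hidden, and it is not in the company domain.
    display, sender = parseaddr(msg.get("From", ""))
    if _domain(sender) != company_domain:
        findings.append(f"From address {sender} is not in {company_domain}")

    # 2. Display name is a leader from the website, but the address is not theirs.
    name_key = display.split(",")[0].strip().lower()   # drop a trailing ", Title"
    real = executives.get(name_key)
    if real and real.lower() != sender.lower():
        findings.append(f"Display name '{display}' impersonates {real}")

    # 3. A "log in" link that goes somewhere other than the company's own hosts.
    text = "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")
    for host in sorted({h.lower() for h in URL_HOST_RE.findall(text)}):
        if host != company_domain and not host.endswith("." + company_domain):
            findings.append(f"Link points off-domain: {host}")

    # 4. Written to a department, but only one address in To/Cc.
    recipients = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if len(recipients) == 1 and any(w in text.lower() for w in GROUP_WORDS):
        findings.append("Addressed to a group but only one recipient in To/Cc")

    return findings


if __name__ == "__main__":
    for finding in phish_indicators(SAMPLE_MESSAGE):
        print("-", finding)
```

The same function run on the real executive’s message (company-domain sender, company-domain link) reports only the single-recipient heuristic, which is why that last check is worth mentioning to staff as a hint rather than a rule.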