Phishing Campaign Ideas - Your Step-By-Step Guide
Learn how to create effective phishing campaigns
For decades, the "Nigerian prince" scam has been working its way through spam filters...
"Dear Sir, I'm reaching out to you from the Royal Inheritance Commission. As the last surviving heir, your inheritance has been transferred to a Western Union account. As the senior settlement manager, I can deliver the US$2,000,000 directly to you. All I need to perform the transaction is a small cash advance..." - the "Nigerian Prince"
Once the victim takes the bait and gets more invested, it all starts to go wrong, and more funds are needed for some "unforeseen circumstance". As the victim falls deeper into the trap, they are susceptible to the "sunk cost fallacy". This is a phenomenon where someone convinces themselves, often beyond logic, to continue doing something because they have already put in time, effort or money.
While this scam still exists, modern phishing attacks have evolved and adapted to targets who are increasingly aware of online swindles. To fool victims, phishing attacks are now targeted, personalised, and use a variety of psychological techniques to manipulate and exploit their victims.
In recent years, the volume, quality and severity of online scams have reached new heights. These phishing campaigns target individuals and businesses alike. Cyber criminals love phishing because it's relatively low risk, difficult to trace, highly effective, commonly yields high rewards and there are limitless potential targets. It's no surprise that phishing remains the most common form of cyber-crime in 2023.
According to the Australian Financial Review, in 2022 there were 74,000 reported phishing attacks in Australia alone, with financial losses of more than AUD$24.6 million. To make matters worse, the Australian Competition and Consumer Commission (ACCC) estimates that only 13% of attacks were reported!
So, how do we combat the constant barrage of phishing attacks? Well, we do a bit of phishing ourselves!
Simulated phishing campaigns are a powerful tool for raising an organisation's security awareness and improving its overall information security posture. A well-designed phish with a realistic payload, paired with immediate feedback and security awareness training, can educate employees on the dangers of phishing and equip them with the knowledge and ability to recognise attacks.
Here are some phishing campaign ideas to help keep your employees sharp and turn your organisation from a target into a phish-finding fortress.
Spoofing emails from well-known companies
A common strategy is to leverage a well-known brand's familiarity and strong reputation to fool victims. Tech companies that operate globally, like Amazon, Microsoft and Google, are particularly common companies to spoof. Their emails are expected daily, so it's not a surprise when we receive one. When an attacker combines a familiar-looking email that appears to come from a known company, looks and feels legitimate, and uses social engineering tactics such as adding the target's name to the content, distinguishing the real from the fake can be difficult!
Using Human Psychology
Any good salesperson would attest to the fact that in order to sell, one must harness and take advantage of human psychology. Phishing scams use similar techniques with nefarious intent to create a sense of urgency, authority, scarcity and curiosity to manipulate and deceive their targets.
- Urgency: Phishing emails often create a sense of urgency to get the recipient to act quickly and bypass rational thinking. They may claim there has been a security breach and the recipient's account has been compromised, making the victim believe that immediate action is required to mitigate further loss. These phishing emails will usually lead to a fake website masquerading as the real one, where the victim is asked to enter their credentials in order to update their account details.
- Authority: Phishing emails often use the logos and branding of well-known companies or organisations to create a sense of authority and legitimacy. It’s common to see trusted sources such as banks or government agencies used to make the recipient feel like they can trust the email.
- Scarcity: Phishing scams create a sense of scarcity by claiming that the victim has won a prize which is only available for a limited time or available to a limited number of customers. This creates the feeling that the victim needs to act quickly before they miss the opportunity. This time pressure can lead to poor judgement.
- Curiosity: Curiosity is an emotion that scammers use to get clicks. Email subject lines and content are carefully crafted to pique your interest. Some powerful words/phrases to evoke curiosity are "spoiler", "secret", "be the first", the user's name, "earn $2,000 a day at home", "guaranteed" and so on.
Spear phishing is a type of phishing attack that is highly targeted to an individual or company. In a spear phishing attack, you will usually see personalised information that appears to be from a trusted person or company. The attacker will often conduct extensive and meticulous research beforehand, gathering information from public sources such as Facebook, Instagram, and LinkedIn. Spear phishing attacks have a high success rate because they are tailored to the victim's interests, concerns, relationships, and can appear more legitimate than generic phishing attempts.
Obfuscated Sender Profiles
- Using a display name that is different from the email address: Attackers may use this technique to mislead victims who are not paying attention. They may use the name "HR Employee Benefits" as the display name, but the actual email address has nothing to do with your employer.
- Spoofing the sender's email address: Attackers can create a fake email address that closely resembles the legitimate one. For example, they may use "googel.com" instead of "google.com" or "playstatlon.com" instead of "playstation.com". This makes it difficult for the victim to recognise that the email is not actually from the legitimate sender.
- Domain spoofing: An advanced phishing campaign idea is to employ domain spoofing. This is when the attacker masquerades as a legitimate domain by taking advantage of vulnerable SPF and DMARC configurations. Domain spoofing is a powerful weapon for cyber criminals, and when paired with a legitimate-looking email or message, an attacker can craft a phish that can easily fool unsuspecting victims. Unlike most phishing simulators, CanIPhish supports both domain spoofing and customised sender profiles. Check out the CanIPhish Knowledge Base Article for more information on how you can utilise these advanced features.
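The three sender tricks above can all be checked mechanically on the receiving side, which is what a mail gateway or a SOC triage script does. The following is an added example written for this article; it is not CanIPhish code and not a description of how their platform works. It flags a display name that does not match the address behind it, a lookalike domain (by edit distance against a list of domains the organisation trusts), and explains what a domain's SPF and DMARC records actually permit a receiver to do with mail that fails them. The domain list, the "internal sender" word list and all sample headers and DNS records are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed inventory for the example: the organisation's own domain and the
# brands it expects mail from. A real deployment would load these from config.
OWN_DOMAIN = "example-corp.com"
TRUSTED_DOMAINS = {"google.com", "playstation.com", "microsoft.com", OWN_DOMAIN}
# Display-name words that imply an internal sender (constructed list).
INTERNAL_WORDS = re.compile(r"\b(hr|payroll|it support|benefits)\b")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, max_distance: int = 2):
    """Return the trusted domain that `domain` imitates, or None if it is not a lookalike."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if levenshtein(domain, trusted) <= max_distance:
            return trusted
    return None


def analyse_from_header(from_header: str) -> list:
    """Flag lookalike domains and display names that do not match the address they front."""
    display, addr = parseaddr(from_header)
    display_l = display.lower()
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []

    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"lookalike domain: {domain} resembles {imitated}")

    # e.g. "HR Employee Benefits" sent from an address that is not ours.
    if INTERNAL_WORDS.search(display_l) and domain != OWN_DOMAIN:
        findings.append(f"display name implies an internal sender but address domain is {domain}")

    # A brand in the display name whose address domain is not that brand's (or a subdomain of it).
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in display_l and domain != trusted and not domain.endswith("." + trusted):
            findings.append(f"display name mentions {brand} but address domain is {domain}")
    return findings


def dmarc_verdict(txt_record: str) -> str:
    """Explain what a domain's DMARC TXT record lets a receiver do with mail that fails it."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        return "no DMARC: receivers have no policy to apply to spoofed mail"
    policy = tags.get("p", "none")
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "p=none: spoofed mail is delivered, only reported"
    if pct < 100:
        return f"p={policy} pct={pct}: only {pct}% of failing mail is policed"
    outcome = {"quarantine": "quarantined", "reject": "rejected"}.get(policy, policy)
    return f"p={policy}: failing mail is {outcome}"


def spf_verdict(txt_record: str) -> str:
    """The qualifier on the 'all' mechanism decides the fate of hosts the record does not list."""
    if not txt_record.startswith("v=spf1"):
        return "no SPF: any host may claim to send for this domain"
    for mech in txt_record.split()[1:]:
        if mech.lstrip("+-~?") == "all":
            qualifier = mech[0] if mech[0] in "+-~?" else "+"
            return {
                "-": "-all: unlisted senders fail",
                "~": "~all: unlisted senders softfail; outcome depends on the receiver and DMARC",
                "?": "?all: neutral, no protection",
                "+": "+all: every host passes, SPF is meaningless",
            }[qualifier]
    return "no 'all' mechanism: unlisted senders are neutral"


if __name__ == "__main__":
    # Constructed sample headers and DNS records.
    for header in ('"HR Employee Benefits" <noreply@mailer-promo.net>',
                   '"Google Security" <alerts@googel.com>',
                   '"Google" <no-reply@accounts.google.com>'):
        print(header, "->", analyse_from_header(header) or "no findings")
    print(dmarc_verdict("v=DMARC1; p=none; rua=mailto:dmarc@example-corp.com"))
    print(spf_verdict("v=spf1 include:_spf.google.com ~all"))
```

Run against the constructed samples, the "HR Employee Benefits" header is flagged for its external domain, `googel.com` is flagged twice (lookalike domain and brand/domain mismatch), and `accounts.google.com` passes because it is a genuine subdomain of the trusted brand. The DMARC and SPF checks are where a simulated-phishing programme should start: a domain whose record says `p=none` or ends in `~all` is exactly the kind of "vulnerable configuration" the paragraph above refers to, and tightening it removes the spoofing avenue outright rather than relying on recipients to notice.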
Executive Phishing (Whaling)
This is a type of phishing attack that targets high-level executives, such as CFOs or CEOs. This is a common and effective phishing campaign idea where the attacker sends a targeted phishing email that appears to come from a trusted organisation, partner, government agency or fellow executive in the business. The email is designed to trick the victim into taking a specific action, such as providing confidential information or making a large payment.
The success of a whaling expedition relies on the attacker using multiple phishing techniques to craft a convincing message. Attackers may also use tactics such as social engineering and research to achieve this.
To prevent whaling, it's important that organisations train all employees within the business, including C-level executives, to identify and report suspicious phishing emails.
Curious to learn more about whaling? Check out CanIPhish's page dedicated to Executive Phishing.
The success of a phishing campaign doesn't rely on just one factor; it's the aggregation of knowing your target, understanding what they're vulnerable to and utilising real-world techniques such as domain spoofing to make a phish appear as realistic as possible. Once phished, it's then crucial to provide immediate feedback to the victim in a non-threatening and constructive manner. This is usually done by redirecting the victim to an educational page that alerts them that they have fallen for a phish and explains what they can do in future to spot the ruse. Organisations with an excellent IT security posture often pair this immediate feedback loop with security awareness training for maximum effect.
So don't wait any longer, give these ideas a try with a Free CanIPhish Account and in doing so, empower your employees to become cyber-savvy superheroes! Remember, when it comes to cybersecurity, prevention is always better than cure!
An Ops Manager dedicated to helping you safely swim amongst the internet of phish!