Running A Successful Phishing Campaign
A phishing campaign is the the activity of an attacker attempting to social engineer one or more people for a common goal such as credential harvesting, endpoint compromise or invoking a response.
Why run a phishing campaign?
The most effective way to protect against phishing attacks is to simulate them. Running a simulated phishing campaign, provides you with a way of preparing your employees for a real-world attack. Phishing in it self is a broad term, there are many different types of phishing attacks, such as email phishing, voice phishing (vishing), SMS phishing (smishing), malicious advertising (malvertising) and so on.
The most common form of phishing used to compromise businesses today is email phishing, in-fact 90% of data breaches are the result of human error. When running a simulated phishing campaign, we need to utilise the same techniques used by threat actors to properly simulate them. These techniques include:
This is arguably the most important activity. To understand who we need to target and what they may be susceptible, we need to understand them. What's their name? role? what software do they use? what's their daily schedule look like?
Once we understand our target, we need to create an enticing phishing email. This includes content that's relevant but also creating masquerading as a person or service the target trusts. We need to do this in the most realistic way possible.
Persistence & Patience
Finally, we need to persist. Just because a target doesn't fall victim to the first phishing email, doesn't mean they're not susceptible. Attackers use email view, click and response metrics to gauge what level of interaction was given and what can be improved on in the future.
The stages of a successful phishing campaign
Running phishing campaigns can be complex without the right approach. Remember, we're attempting to trick not only our employees but also our defensive tooling. To run a successful simulated phishing campaign we need to ensure allow listing has been configured on any email or web filters in-use. Once allow listed, we can proceed with actually executing the campaign. Typically campaigns can be broken into 3 distinct phases.
1. Campaign Setup
- Target Selection - Multiple targets in a single phishing campaign should have a common attribute. This could be the company they work for, the division they work within or the type of role they have.
- Phishing Material Selection - Content should be highly relevant and personalised. The more convincing and relatable the phish, the more likely the target is to interact with it.
- Campaign Scheduling – Campaigns should be scheduled during the business hours the targets are working. Additionally, depending on the number of targets, email delivery should be staggered over one or more days.
- Campaign Execution – To ensure campaign success, we need to ensure that targets can receive our emails. It's advisable to run a series of tests prior to final delivery.
2. Campaign Management
Once a campaign has been scheduled and delivery is underway we need to ensure our phishing infrastructure is maintained and ready. This includes both the mail server delivering phishing emails and the web server hosting any phishing websites.
If you're using a managed phishing solution such as CanIPhish, this is taken care of for you. If you're using an open-source or self-hosted tool such as GoPhish then the responsibility for maintaining this infrastructure is on you.
If users report phishing material, your infrastructure may stop functioning prior to campaign completion. For this reason, you need to monitor infrastructure for during a campaign.
3. Campaign Reporting
To understand what portion of the business is vulnerable to phishing attacks we need to closely monitor phish click and report metrics. Trackable metrics include:
- Email Delivered - Did the email end up the targets inbox or was it bounced/rejected?
- Email Viewed - Did the target view the email? Was the email subject or sender name engaging enough?
- Payload Clicked - Did the target click on any links or download any attachments?
- Target Compromised – Did the target enter their credentials into a phishing website or execute a file on their computer?
- Phish Reported – Did the target report the suspected phishing email?
Free Phishing Campaign Tools
CanIPhish maintain a variety of free tools that allow you to easily run free simulated phishing campaigns at no cost!
Discover domains vulnerable to email domain spoofing and incorporate these into your simulated phishing training campaigns.
Hosted Training Website
When your employees fall for a simulated phishing campaign, they'll be directed to the CanIPhish learning page, or one that you configure.
Get the most out of CanIPhish with our comprehensive knowledge base, live chat, phone and email support.
Upload employees via CSV or automate directory synchronisation with our Azure AD and Google Workspace integrations.
Our highly dynamic platform enables you to use our hosted mail and web servers or to bring your own.
A full solution for everyone
Whether you’re an enterprise looking to train users, a red teamer conducting a penetration test; or a hobbyist, we have you covered.