Phishing

Why More Than Half of Email Phishing Leaks Happen on Mobile Devices

June 22, 2020 By Craig Hays Leave a Comment

Reading Time: 5 minutes

Over 60 percent of people who are phished by email are phished on mobile devices. This is why it happens and what you can do about it.

mobile phishing — Photo by Rasheed Kemy on Unsplash

Why Mobile Devices are More Prone to Phishing

I’ve sent a lot of phishing emails. All with good intentions I must add. While reviewing the results, one of the most surprising things that I discovered was that the majority of people who fall for phishing tests (and therefore real phishing attacks) are using mobile devices. In my experience, 60% of those who are successfully deceived are victims of mobile phishing.

These are my conclusions as to why this is true and recommendations on what we can do to help people stay safe online.

[Read more…]

Bug Bounty Tips #4, Covid-19 phishing, and more

March 16, 2020 By Craig Hays Leave a Comment

Reading Time: 2 minutes

Craig’s Newsletter – March 16, 2020 Edition

Hi All!

Here’s a little update on what I’ve been doing since we last spoke.

What I’ve Been Writing

Since the last update I’ve published my 4th in a series of bug bounty hunting tips:
Bug Bounty Hunting Tips #4 — Develop a Process and Follow It. You can read it for free on craighays.com or if you’re a medium.com member you can support me by reading it there.

What I’ve Been Seeing

[Read more…]

Inside a Real SMS Phishing Attack (Smishing)

February 5, 2020 By Craig Hays 4 Comments

Reading Time: 8 minutes

SMS based phishing attacks (Smishing) are a real threat that we see every day. To help you spot them in future, this is how they work.

A Phishing/Smishing Attack In Action

At 17:52 pm today I received a text message from my mobile phone network, ‘EE’. I picked up the message at 18:08. This is what it said:

[Read more…]

How to Run a Phishing Simulation Test

January 29, 2020 By Craig Hays Leave a Comment

Reading Time: 12 minutes

Running a successful phishing simulation campaign is difficult. This is how to test your employees to better prepare them for real attacks.

Following on from my last article on how to write phishing emails that work, this article outlines how to run a successful phishing simulation campaign. We do this to measure how employees respond to attacks from criminals, how effective our training is, and where we need to do more to help our employees stay safe online.

[Read more…]

9 Things I’ve Learned Writing Phishing Emails

December 6, 2019 By Craig Hays

Reading Time: 7 minutes

For the past six months, I’ve been writing and sending phishing emails to thousands of innocent people and analysing the results. This is what I’ve learned.

(Disclaimer: This is for educational and authorised testing purposes only. Please don’t break the law, it isn’t nice.)

Writing phishing emails — Photo by Matthew McBrayer on Unsplash

My victims have no idea who I am, why I would want to steal their login credentials, or what I could do with them. They are trusting, hardworking people who just want to do a good job and go home to take care of their families.

Fortunately, I’m not a criminal. The emails I send are authorised phishing simulation tests. They’re designed to test our employees and their responses to various scenarios presented to them in email form.

Phishing Simulation and Awareness Training

With phishing simulation, we can measure how susceptible people are to real attacks, provide just-in-time training to those who take the bait, and measure the effectiveness of our overall training strategy. No amount of phishing awareness training is ever going to be 100% effective but if we can raise the level of caution even slightly we’re in a better place than before. No matter what we do, people will always be phished. Even me, even you.

At work, we employ people based on their ability to provide products and services to our customers, not their ability to distinguish real emails from malicious ones. Phishing simulation is a useful tool but to protect our people we need many others in our toolboxes. Things like Multi-Factor Authentication (MFA), email filtering, and a secure web gateway (filtering proxy) to name a few. Awareness training needs to be part of our defence-in-depth approach.

What I Learned Writing Phishing Emails

Writing phishing emails is a copywriting task, not a creative writing task. Creative writing is an art. Copywriting is a science. Writing phishing emails is more like writing sales and advertising material than anything typically associated with cybersecurity. The same things that convince us to buy products and services, book a holiday abroad, or subscribe to an email mailing list are the same things that make us click links in phishing emails and give away our login credentials.

Copywriting is the science of influencing people to take defined actions with the written word. Copywriters are effective through their ability to empathise with the reader and play upon their emotions. They use psychological tools such as the power of perceived authority, our natural bias towards loss aversion, a false sense of urgency through an imminent deadline, and many others. Ultimately, writing effective phishing emails is no different from convincing someone to upgrade their smartphone or buy a new car.

With that said, this is what I’ve learned so far:

[Read more…]