Task One ~ Design a phishing email simulation
Scenario
In this project, I played the role of a security analyst at Mastercard’s Security Awareness Team. Our Chief Security Officer relies on us to make sure everyone at Mastercard knows how to spot and report security threats, especially the sneaky ones known as phishing attacks.
Phishing is like online trickery where someone pretends to be someone else to get important info, like passwords. It’s a big deal because if it works, it can cost a company a ton of money and put everyone’s information at risk.
To tackle this, we run a cool program. Every month, we send fake emails to our team that look like the ones bad guys might send. It’s like a practice test to see how well we can catch these tricky emails. The results help us make our training even better, so everyone is a pro at keeping our company and our team safe from cyber threats.
Background Info
A few months back, we detected a phishing email that an external bad actor had sent to some of our employees.
Thankfully, it failed due to being an obvious fake. However, we know that phishing emails are now getting very sophisticated and a range of tactics are used.
Task to perform
My manager has given me the exciting responsibility of leading Mastercard’s upcoming phishing simulation campaign. It’s a fantastic chance for me to showcase my skills and take on a leadership role.
The first task at hand is to craft the fake phishing email for the simulation. The goal is to make it believable enough to increase the chances of an employee clicking on the phishing link during the simulation.
Obvious fake
From: mastercardsIT@gmail.com
To: employee@email.com
Subject: URGENT! Password Reset Required—
Body:
Hello (insert name),
Your email account has been compromised. immediate action is required to reset your password!
Click here to reset your password in the next hour or your account will be locked: [https://en.wikipedia.org/wiki/Phishing](https://en.wikipedia.org/wiki/Phishing)
Regards, Mastercard IT
Key points indicating that this email is likely fake and potentially a phishing attempt:
- Sender’s Email Address: The email is sent from “mastercardsIT@gmail.com,” which is not a legitimate email address for a professional organization like Mastercard. Legitimate companies typically use their own domain for official communication.
- Urgent Tone: The email uses an urgent tone, a common tactic in phishing emails to create a sense of urgency and panic. Cybercriminals often want recipients to act quickly without thinking critically.
- Generic Greeting: The email begins with a generic salutation like “Hello (insert name),” instead of addressing the recipient by their actual name. Legitimate organizations usually personalize emails with the recipient’s name.
- Misspellings and Grammar Issues: The phrase “immediate action is required to reset your password!” contains a grammar error. Legitimate organizations typically proofread their communications thoroughly.
- Unusual Link: The provided link appears to lead to a Wikipedia page on phishing, which is suspicious. Legitimate password reset emails usually link to the company’s official website, not an external source like Wikipedia.
- Unofficial Sign-Off: The sign-off is simply “Regards, Mastercard IT,” which lacks the formality and completeness of a legitimate corporate communication.
- No Personalization: Legitimate organizations usually include specific details or information that only the recipient would know to enhance credibility. This email lacks any such personalized information.
- Unsolicited Password Reset Email: Legitimate organizations typically send password reset emails only in response to a user-initiated request. Unsolicited password reset emails are often indicative of phishing attempts.
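As an added example (not part of the original write-up), here is a small Python checker that scores an email against the red flags listed above, the kind of logic a mail gateway rule or an awareness-team triage script would apply. The organization's legitimate sending domain (`mastercard.com`), the urgency keyword list and the generic-greeting list are assumptions chosen for illustration; the sample messages are constructed inline, the first one reproducing the "obvious fake" above.

```python
"""Heuristic phishing-indicator checker (added example, not the page's own tooling).

Each finding is a (category, detail) pair so a caller can count or filter them.
ORG_DOMAIN and the keyword lists below are assumptions for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "mastercard.com"  # assumed legitimate sender/link domain
URGENCY_WORDS = ("urgent", "immediate", "locked", "suspended", "next hour", "within the hour")
GENERIC_GREETINGS = ("hello (insert name)", "hello <name>", "dear customer", "dear user")
URL_RE = re.compile(r"https?://[^\s\]\)>\"']+")

# Constructed sample: the "obvious fake" from the write-up, as a raw RFC 5322 message.
OBVIOUS_FAKE = """From: mastercardsIT@gmail.com
To: employee@email.com
Subject: URGENT! Password Reset Required

Hello (insert name),
Your email account has been compromised. immediate action is required to reset your password!
Click here to reset your password in the next hour or your account will be locked: https://en.wikipedia.org/wiki/Phishing
Regards, Mastercard IT
"""

# Constructed sample of a legitimate internal notice for comparison.
LEGITIMATE = """From: it-helpdesk@mastercard.com
To: employee@email.com
Subject: Scheduled maintenance this weekend

Hello Jane,
The VPN gateway will be unavailable on Saturday from 02:00 to 04:00 for planned maintenance.
Details: https://intranet.mastercard.com/maintenance
Thank you,
IT Service Desk
"""


def sender_domain(from_header):
    """Return the lower-cased domain part of the From: address ('' if none)."""
    _, addr = parseaddr(from_header or "")
    return addr.rpartition("@")[2].lower()


def is_org_host(host):
    """True when the link host is the org domain or one of its subdomains."""
    host = (host or "").lower()
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def analyze(raw_message):
    """Apply the red-flag checks to a raw message and return a list of findings."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    subject = msg["Subject"] or ""
    text = (subject + " " + body).lower()
    findings = []

    # 1. Sender's email address: not the organisation's own domain.
    domain = sender_domain(msg["From"])
    if domain != ORG_DOMAIN:
        findings.append(("sender", f"from domain {domain!r} is not {ORG_DOMAIN!r}"))

    # 2. Urgent tone: pressure words in subject or body.
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append(("urgency", "pressure wording: " + ", ".join(hits)))

    # 3. Generic greeting: first body line is a placeholder or impersonal salutation.
    first_line = body.strip().splitlines()[0].lower() if body.strip() else ""
    if any(g in first_line for g in GENERIC_GREETINGS):
        findings.append(("greeting", f"generic greeting: {first_line!r}"))

    # 4. Grammar: a sentence that starts in lower case after terminal punctuation.
    if re.search(r"[.!?]\s+[a-z]", body):
        findings.append(("grammar", "sentence begins with a lower-case letter"))

    # 5. Unusual link: any URL whose host is outside the organisation.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if not is_org_host(host):
            findings.append(("link", f"link to external host {host!r}"))

    # 6. Unsolicited password reset: reset wording without a user-initiated request.
    if "password" in text and "reset" in text:
        findings.append(("unsolicited-reset", "password reset requested out of the blue"))

    return findings


if __name__ == "__main__":
    for label, sample in (("obvious fake", OBVIOUS_FAKE), ("legitimate", LEGITIMATE)):
        print(f"== {label}: {len(analyze(sample))} finding(s)")
        for category, detail in analyze(sample):
            print(f"  [{category}] {detail}")
```

Running the script reports six findings for the obvious fake (one per red flag in the list above) and none for the legitimate notice. The checks are deliberately simple string heuristics; in a real gateway they would sit alongside SPF/DKIM/DMARC results and URL reputation, and the keyword lists would be tuned to the organization's own writing style to keep false positives down.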
Improved Email
From: Mastercard Staff Rewards
To: employee@email.com
Subject: Your Black Friday Employee Reward Card!
Body:
Hello <name>,
In recognition of your hard work throughout the year, we wish to reward you with a gift card to spend in the upcoming Black Friday sales as a small token of our appreciation. Please find attached your Employee reward card.
The balance of your card will be determined based on your role. To view the balance and activate your employee reward card, visit here.
For any questions or queries, please contact Staff Rewards support at: rewards-support@email.com
From,
Staff Reward Services
CONFIDENTIAL: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
Key improvements made and why someone might be tempted to trust it
- Personalization: The email begins with a personalized greeting using the recipient’s name, which adds a touch of legitimacy. Phishing emails often lack personalization.
- Recognition and Appreciation: The email mentions recognizing the recipient’s hard work throughout the year and frames the reward as a token of appreciation. This could appeal to the recipient’s emotions, making it more likely for them to trust the email.
- Subject Line: The subject line mentions a Black Friday Employee Reward Card, which could attract attention, especially if the recipient is expecting or hoping for a holiday bonus. Cybercriminals often use enticing subject lines to lure recipients.
- Link is Masked in Plaintext: The email tells the recipient to activate the reward card by clicking “visit here,” but the destination URL never appears in the text. Cybercriminals use this technique to hide the actual phishing link behind innocuous-looking words, making the email appear more legitimate.
- Use of a Confidential Disclaimer: The email includes a confidentiality disclaimer, which is a common tactic used by scammers to make the email appear official.
- Professional Sign-Off: The email is signed off as “Staff Reward Services,” which adds a professional touch. Cybercriminals often use professional-sounding names to make the email appear authentic.
Task Two ~ Design and Implement training to increase awareness about phishing.
The phishing simulation designed in the first task was run last week. So, what’s next?
We’ve used some tools to analyze the results and we can see the failure rate of each department – it is clear that some teams appear more likely to fall for a phishing email than others.
Now that we have these results, we need to:
- identify which areas of the business need more awareness about phishing, and
- design and implement the appropriate training for those teams to lower our risk of an attack.
Result of the phishing campaign
| Team | Email open rate | Email click-through rate | Phishing success rate |
|---|---|---|---|
| IT | 80% | 2% | 0% |
| HR | 100% | 85% | 75% |
| Card Services | 60% | 50% | 10% |
| Reception | 40% | 10% | 0% |
| Engineering | 70% | 4% | 1% |
| Marketing | 65% | 40% | 38% |
| R&D | 50% | 5% | 2% |
| Overall average | 66% | 28% | 18% |
The presented table provides a clear overview of the performance metrics, indicating that the HR and Marketing teams have exhibited the lowest performance. Specifically, the Phishing Success Rate for both teams is noted as 75% for HR and 38% for Marketing. These results underscore the need for increased awareness and targeted training for members of these teams. By addressing the specific vulnerabilities identified in their performance, the goal is to enhance their awareness and resilience against phishing attempts in future events, ultimately strengthening the organization’s overall cybersecurity posture.
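As an added example (not part of the original write-up or the tooling it mentions), the following Python script takes the per-team figures from the table above and ranks the teams for training. The numbers are copied from the table; the tier names and the rule that assigns them (above-average success rate means targeted training, above-average click rate alone means a refresher) are assumptions for illustration, not a policy from the page.

```python
"""Prioritise teams for phishing-awareness training from simulation results.

Added example, not the page's own analysis tooling. Figures are taken from the
results table; the tier thresholds are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TeamResult:
    team: str
    open_rate: float      # % of recipients who opened the simulated email
    click_rate: float     # % of recipients who clicked the link
    success_rate: float   # % of recipients on whom the lure fully succeeded


# Values copied from the results table above.
RESULTS = [
    TeamResult("IT", 80, 2, 0),
    TeamResult("HR", 100, 85, 75),
    TeamResult("Card Services", 60, 50, 10),
    TeamResult("Reception", 40, 10, 0),
    TeamResult("Engineering", 70, 4, 1),
    TeamResult("Marketing", 65, 40, 38),
    TeamResult("R&D", 50, 5, 2),
]


def average(results, field):
    """Unweighted mean of one metric across teams (reproduces the table's overall row)."""
    return sum(getattr(r, field) for r in results) / len(results)


def click_to_success(result):
    """Fraction of clickers on whom the lure succeeded; 0 when nobody clicked.

    This funnel step is not in the table but separates teams that click yet stop
    short from teams that go all the way.
    """
    if result.click_rate == 0:
        return 0.0
    return result.success_rate / result.click_rate


def training_tier(result, avg_success, avg_click):
    """Assumed tiering rule: worst outcome first, then risky clicking, else baseline."""
    if result.success_rate > avg_success:
        return "targeted"
    if result.click_rate > avg_click:
        return "refresher"
    return "baseline"


def prioritize(results):
    """Return (team, success_rate, click_to_success, tier) sorted worst-first."""
    avg_success = average(results, "success_rate")
    avg_click = average(results, "click_rate")
    ranked = sorted(results, key=lambda r: (r.success_rate, r.click_rate), reverse=True)
    return [
        (r.team, r.success_rate, round(click_to_success(r), 2),
         training_tier(r, avg_success, avg_click))
        for r in ranked
    ]


if __name__ == "__main__":
    print(f"avg open {average(RESULTS, 'open_rate'):.0f}%  "
          f"avg click {average(RESULTS, 'click_rate'):.0f}%  "
          f"avg success {average(RESULTS, 'success_rate'):.0f}%")
    for team, success, conv, tier in prioritize(RESULTS):
        print(f"{team:14} success {success:3.0f}%  click->success {conv:.2f}  {tier}")
```

Recomputing the averages gives 66%, 28% and 18%, which matches the table's overall row, so those figures are a plain unweighted mean across the seven teams. The ranking puts HR and Marketing in the targeted tier, as the analysis above concludes, and places Card Services in a refresher tier because half of that team clicked even though only 10% went further. The click-to-success column adds a nuance the raw rates hide: almost every Marketing clicker fell for the lure (38/40), whereas most Card Services clickers stopped before the final step (10/50), which suggests the two teams need different training emphases (recognising the lure versus recognising the landing page).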