Most of the phishing attacks are failed because of lack of being careful while constructing. The world is learning day by day. People are already aware of and careful about phishing attacks. You have to get one step ahead in order to trap them successfully.
Here’s the 10 tips that would help you constructing a successful campaign. Do let me know your feedback.
1. From Email address & Display Name
Choose a display name that your victim often genuinely receives email from or comfortable with. Do enough social engineering before you target. For example if you find the victim uses XYZ services, send email with the ‘From’ display name XYZ Support like the XYZ actually sends email with. Try to get a domain as closer as possible, like when original domain is xyz.com, try if you can get xyzsupport.com so that one overlooks at it.
2. The Design
Your email body design matters! Use the logo with the exact dimension as the original one, exact colors, font family & size. You can also fool users by giving trivial link to original site itself. For example if you are phishing for ICICI bank credentials, the email body may have hyperlinks of about, contact, terms & condition to the legitimate ICICI website itself. But the important one – the login hyperlink would link to your phishing login page.
3. Spelling mistakes and Poor Grammar
Most phishing campaign fails when the victim suspects the email by finding visible mistakes. Brands are very serious about emails and legitimate emails usually do not have spelling mistakes and poor grammar.
Legitimate business will often use a personal salutation with your first name or full name. Don’t write generic greetings like Dear valued customer or so.
5. Personal Information
Don’t ask personal information directly like reply with your credit card number, credentials.
6. Threatening words
Do not invoke a sense of urgency or fear. Don’t put “Your account has been suspended” or “your account had unauthorized login attempt” in the subject or body. Follow the exact words that the legitimate business do.
7. Signature & Contact
Legitimate emails always have a signature and contact details. Don’t let your email suggest a phish by lacking details about the signer or how one can contact the company.
8. Avoid Attachments
Unexpected attachments with inappropriate names often grabs attention to suspect phishing.
9. Email Header
Carefully construct the email header while targeting a phish. People who think they’re a master, often check them without realizing that the header can spoofed.
10. Try harder
You are failed until you give up. One of the great qualities of a hacker is to never give up. Try harder. Learn of mistakes and keep going!
Found it good? Share the write-up link on social media see here.