Skip main navigation

New offer! Get 30% off one whole year of Unlimited learning. Subscribe for just £249.99 £174.99. New subscribers only T&Cs apply

Find out more

Identifying Phishing Emails: The Social Engineering Toolkit

This video explains how the Social Engineering Toolkit is used in phishing attempts and includes further advice on how to assess authenticity.
Now, this is another fun one. This is UPS. My name came up for a UPS customer gift card worth $90. And they have a nice picture of UPS. They have the UPS logo there. Over $4 million in offers given out so far. So I might as well jump in on this. They sent out $4 million. It’s not something new. This is great, I can get $90. Well, let’s take a look. So first of all, this is not a UPS address. So we can see this nsnkk address. We can see it’s sent to, which clearly isn’t me.
And if we hover over the link here where it says my name came up for UPS customer service gift card, we can see that this is not a UPS address. So again, probably going to collect information on me. Probably get some bank info, login information, something like that. So clearly it works on greed. So this is kind of fun, because one thing here. If we take a look at this address again, we could see this
Now, I’ve never seen that before, so I decide to do a little research. Now what I found on was a nice article talking about how phishing emails were spoofed and sent from So apparently there’s been a rise of Microsoft Azure blog storage to host phishing websites. And this particular article talks about it targeting Office 365 users, but clearly it’s being used outside of that. So if you head over there, it’s a pretty good article to read. But again, in this case, you’re using Microsoft’s cloud server to send phishing emails.
Now, how hard is it to send a phishing email? Not very hard. There’s a lot of different tools out there. So we have the Social Engineer Toolkit, for one. And if you use Kali Linux, that’s actually built into it, one of the programs on there, you can also instal it on other machines. We have SocialFish. SocialFish is designed to send quick phishing emails out. And we could do things like Instagram, Facebook, Snapchat Twitter, et cetera, et cetera. We have the free email account attack, like the one I did with the Microsoft account. I simply used a free Yahoo! account to create an email and for the name, I put Microsoft Support Team, and the email address, I put Microsoft.
So it made it look more legitimate. So again, didn’t cost me anything. I just used a free email service. I could have even used a Microsoft email service like Hotmail or Outlook or whatever to make it look even more legitimate. So again, pretty low bar in order to create that one. We also have other tools that we could use. There’s Lucy, which is an open source phishing campaign software. It’s actually designed as a learning tool for doing things like launching a phishing campaign on your network to kind of gauge where people are and help educate people on phishing. And there’s even tools for Android phones, things like Spoof Box, and online tools.
Though I do need to say, Android is a lot better about these type of tools. I don’t see nearly as many tools for creating phishing emails on the Android store anymore as there used to be a couple of years ago.
So wrapping up, phishing emails tend to use social engineering to entice users to take action. The methods used typically use fear, authority, scarcity, and/or greed. Now, if you get an email, you should always verify the user send address and make sure it’s accurate and that it’s not using some sort of proxy to change an email address. Try link hovering instead of clicking on the email. If you weren’t an expecting email, try to verify with the user by phone or in person if possible. Don’t respond to the email asking, “is this a real email?”. Pause before reacting. So pausing for a few minutes can make a big difference.
Again, going back to the social engineering section, Amygdala hijacking, things– my Netflix account is locked, someone got in my PayPal account and changed the information. I need to click this right away and find out what’s going on. Now, if I pause and wait for a few minutes, I could start thinking that over and go, “well, okay, before I click this, I should link hover. I should take a look at the actual email address and see if there’s a proxy, if that email was actually a proxy address”. That can make a big difference. Viewing the email header can also give you quite a bit of information. Is the email going to the right account?
Is the email address even addressed directly to me or is it just a general email? Are other people email string for something that is supposed to be confidential? My PayPal account has been compromised. Why is there 30 other people on this email string? That should all be a big red flag.
Now, this was about phishing emails. Next video, we’re going to talk about running a phishing campaign. Thanks for watching. I’ll see you in the next video.

This video explains how the Social Engineering Toolkit is used in phishing attempts and includes further advice on how to assess an email’s authenticity.

You have already seen several phishing attempt examples. Now you will see one final example with tips on how to assess the true source of the email. The video also explains how the Social Engineering Toolkit is used to increase the probability of success when a hacker sets up their phishing strategy.

Investigate and share: Read this article on simple rules to protect against phishing attacks and share your thoughts in the comment section below.

This article is from the free online

Advanced Cyber Security Training: Network Security

Created by
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now