
Running Your Own Phishing Campaign

This video gives practical explanations on how to run a phishing campaign to test your network security. 
Now, there are two ways to essentially run this. You could either run it in-house or you can do it outsourced. Now, if you do it in-house, what type of resources do you have? Do you need to buy the software? Do you have the infrastructure for it? Do you have the staff that are ready and trained to do this? Would you create your own training? Are you going to outsource the training? Are you able to dedicate the time to do this? Or are you going to outsource? Do you not have the resources to do this? So are you going to have an outside company, an outside vendor, do this? What type of references does the company have?
Does their vision align with your particular vision of how you want this to go? What are their deliverables? And do they offer any sort of staff training? And how do they actually give the training out to your staff? Well, if you do your own phishing campaign, there’s a lot of options out there. There’s a lot of open-source ones. And there’s some paid sets that you can actually use. Social-Engineer Toolkit is a pretty easy one to use. It’s preloaded in Kali Linux. Or you could actually download it and install it on a lot of different operating systems. There’s Lucy, which is another open-source solution. And Gophish is another popular one, another open-source phishing toolkit.
Now, the nice thing about these open-source ones like Gophish is that it’s, again, open source. So it’s free for the most part. You could actually pay money to get better templates, better insight. But essentially, they’re pretty easy to run. So they give you templates and targets. You could import them. You could add a nice web UI for you to get into a full HTML editor so you can easily modify these templates that you’re building, customised for your particular campaign. And when you launch the campaign, emails are sent in the background. You could also schedule a campaign to launch whenever you want. So this is handy for the start and stop time that you have.
And especially, if it’s going to be a repeated campaign, you could just schedule it out and just let Gophish do its thing. And this particular program will track the results. Detailed results are delivered in near real time and can be exported in reports. The export is going to be important because whoever you are doing this phishing attack for - whether it’s your IT manager, CTO, or whatnot - they’re going to want to see what the actual deliverables are. What are the statistics? Who clicked on it? Who submitted information? Who didn’t open it? Et cetera. So again, it’s going to be very important. And this particular program, you can install for Windows, Linux, or OS X.
Now, if you outsource it, there’s a lot of different options also. And again, I do recommend that you do your research and make sure that these particular companies are going to be able to work out for you, that they are going to fit within your price range, that they’re able to deliver what you want them to deliver, and that they are reputable companies. So the real big one out there is Social-Engineer. The person who runs this is Chris Hadnagy. And this particular one is pretty interesting. They give talks at Black Hat. They have books on social engineering. And they have a website that gives a lot of information on phishing and social engineering. There’s also KnowBe4. KnowBe4 is another company.
And they also offer some free tools. And they’ll run phishing campaigns for you also. Or there’s PhishingBox, which you could get a demo with. And they’re also a pretty interesting company that can run phishing campaigns. But again, there’s a lot of different ones out here. These are just some examples of outsourcing your phishing campaigns, however. So in wrapping up, phishing campaigns can give you important awareness. And also, they can provide an important training tool. You want to consider - are you going to do this in-house, or are you going to outsource it? Well, depending on your resources, skill sets, requirements, you can run a campaign in-house or you might need to outsource. Paid versus open source.
So there’s an abundance of tools out there - open-source and paid tools - for phishing campaigns. Be sure to pick carefully because you’re really going to need to figure out what tool’s going to fit your unique needs, because everyone’s needs for a phishing campaign are probably going to be a little bit different from someone else’s. Before you start, always make sure that you have written permission from management and the scope of work and deliverables before you even start. Documentation - documentation is important. So you’ll want documentation of expectations, deliverables, scope of work, the results, et cetera. Training - what type of training are you going to have for your staff? And how is it going to be made available?
Will the training be provided after someone clicks the email and opens it? There’s certain phishing emails that as soon as someone clicks on the link it’ll actually pop and go, “Hey, this was a phishing email. Hey, here’s a training link for you.” Or you’re going to offer training afterwards. These are all different options that you need to consider.
So this was all about phishing. In the next email, we’re going to talk about what a red team is. Thank you for watching. I’ll see you next video.
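As an added example (not part of the course, and not Gophish's own code), here is a small Python script that turns an exported campaign results file into the deliverables the transcript lists: the open/click/submit funnel, a per-department click rate, and the list of users to route to follow-up awareness training. The CSV sample is constructed, and its column names and status strings are an assumption modelled on Gophish's results export.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Assumption: the column names and the status
# strings follow Gophish's results CSV; every address and name is invented.
SAMPLE_RESULTS_CSV = """id,status,ip,send_date,reported,email,first_name,last_name,position
1,Email Sent,,2024-03-01T09:00:00Z,false,alice@example.test,Alice,Adams,Finance
2,Email Opened,10.0.0.5,2024-03-01T09:00:00Z,false,bob@example.test,Bob,Baker,Finance
3,Clicked Link,10.0.0.6,2024-03-01T09:00:00Z,false,carol@example.test,Carol,Chen,IT
4,Submitted Data,10.0.0.7,2024-03-01T09:00:00Z,false,dave@example.test,Dave,Diaz,Finance
5,Email Reported,10.0.0.8,2024-03-01T09:00:00Z,true,erin@example.test,Erin,Evans,IT
6,Clicked Link,10.0.0.9,2024-03-01T09:00:00Z,true,frank@example.test,Frank,Fox,HR
"""

# The export stores only each user's furthest step, and each step implies
# the earlier ones (submitting data means the link was clicked and the mail
# opened), so a rank per stage lets us count cumulatively.
FUNNEL = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]
RANK = {stage: i for i, stage in enumerate(FUNNEL)}

def parse_results(csv_text):
    """Parse the export into rows carrying a numeric funnel rank."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Statuses outside the funnel (e.g. Email Reported, Error) count as
        # sent only; the separate 'reported' flag is tracked on its own.
        rows.append({"email": row["email"], "position": row["position"],
                     "rank": RANK.get(row["status"], 0),
                     "reported": row["reported"].strip().lower() == "true"})
    return rows

def funnel_stats(rows):
    """Cumulative count per stage plus how many users reported the mail."""
    stats = {stage: sum(1 for r in rows if r["rank"] >= i)
             for i, stage in enumerate(FUNNEL)}
    stats["Reported"] = sum(1 for r in rows if r["reported"])
    return stats

def training_list(rows):
    """Users who clicked or submitted data: candidates for follow-up training."""
    return sorted(r["email"] for r in rows if r["rank"] >= RANK["Clicked Link"])

def by_position(rows):
    """Click rate per position, so awareness training can be targeted."""
    sent, clicked = Counter(), Counter()
    for r in rows:
        sent[r["position"]] += 1
        if r["rank"] >= RANK["Clicked Link"]:
            clicked[r["position"]] += 1
    return {p: round(clicked[p] / sent[p], 2) for p in sent}

if __name__ == "__main__":
    results = parse_results(SAMPLE_RESULTS_CSV)
    print(funnel_stats(results), by_position(results), training_list(results))
```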


Once you have been through the necessary considerations we discussed in the previous video, you will have considered how you would run a phishing campaign for your own organization. Now you will learn how to implement your phishing campaign in a way that lets you test whether your network security is effective. Again, remember that you should not do this without the permission of your organization.

Prepare for the Test of the Week

You have now covered all the new content for this week! In the following step you will complete a test to assess your understanding of what you have learned within this past week of the course.

Remember, you do not have to take the test until you’re ready. To help you prepare, you might wish to spend some time refreshing your understanding of the contents of the past week.

You may wish to reflect on the Learning Outcomes introduced at the beginning of the week and make sure you are comfortable that you have met the requirements of each. Take some time to review your learning to help you prepare.

This article is from the free online course Advanced Cyber Security Training: Network Security, created by FutureLearn - Learning For Life.
