With the tool described in this blog post it is possible to compare different phishing emails and measure how advanced and complex they are. The form is dynamic: different rows are added depending on the choices made. The bar below eventually shows a percentage: if the most advanced (and thus most legitimate-looking) option is chosen for each category, the score is 100%. This does not mean that a legitimate email automatically ends up at 100%: colleagues can also make typos, an internal newsletter does not contain a personal salutation, and an external party may have been asked to send a survey.
| Category | Element | Choice | Explanation / examples |
|---|---|---|---|
| Context | Reason | Important value for the recipient | Examples: hobbies, charity, job-specific knowledge |
| | | Recent event | Examples: recent organizational change, changed employment conditions, migration to a new system |
| | | Current theme | Examples: corona, week of sustainability, Christmas |
| | | Timeless activity | Examples: survey, payment, invoice |
| | Sender | Own organization or colleague | |
| | | Known organization | |
| | | Unknown organization | |
| | | Private person | |
| | Goal | Obtain information or initiate (offline) action | Examples: CEO fraud, submitting personal data, files or photos |
| | | Obtain money through online money transfer | Examples: fine or invoice that must be paid directly online |
| | | Obtain credentials | Link sends victim to login page |
| | | Obtain access by malware on website | Link sends victim to download page |
| | | Obtain credentials and access by malware on website | Link sends victim to login page and download page |
| | | Obtain access by malware in attachment | Attachment contains, for example, an Office macro or a ZIP file with malware |
| | | Blackmailing | Examples: paying Bitcoin over 'leaked documents', ransomware |
| | Principle of influence | Commitment, reciprocation and consistency | Examples: helpfulness requested, asking a favor from an employee |
| | | Social proof | Examples: other colleagues have also bought shares in the company |
| | | Liking, similarity and deception | Examples: conference invitation, special occasion for colleagues with the same function, possibility to support a good cause |
| | | Authority | Examples: question from the CEO, request from manager |
| | | Distraction | Examples: time pressure to fill in something, log in to another account |
| | | Curiosity | Examples: new message from colleague, new terms of employment, better lease arrangement |
| Content | Language and text | Language within organization | Multiple choices possible: choose all that apply |
| | | Flawless text without typos | |
| | | Form of address within organization | |
| | | No use of extra special characters and extra spaces | |
| | Design | Internal corporate identity | Text formatting and, for example, signature correspond to use within the organization |
| | | Copied corporate identity | Corporate identity is a copy of the original organization's |
| | | Recognizable corporate identity | Corporate identity contains, for example, logo and colors, but is not an exact copy |
| | | Neutral corporate identity | Corporate identity is neutral / attacker does not try to pretend to be another organization |
| | | Plain text | No style or formatting present |
| | Personal information | Victim is addressed with a correct salutation, first and/or last name | |
| | | Victim is only addressed with the correct salutation (sir / madam) | |
| | | Email contains personal information obtained through social media | Examples: place of residence, date of birth |
| | | Email contains personal information obtained from breach databases | Examples: leaked password, leaked email address |
| | | Email is impersonal, can be sent to anyone / all colleagues | |
| Domain name | Sender | Email address is literally the email address of a colleague | The email account of a colleague has been abused for internal phishing |
| | | Email address is spoofed from own organization or known (relevant) organization | Email address is exactly like that of a colleague or other known entity due to incorrect email configuration |
| | | Email address uses expired domain name of own organization or known (relevant) organization | Email address contains a previously used (known) name |
| | | Email address uses typosquat name of own organization or known (relevant) body as domain name | Email address is a variation of a known email address, where characters are omitted or replaced |
| | | Email address contains own organization name or known (relevant) organization | Email address contains the company name in the domain. Example: info@organization-office.com |
| | | Email address appears to be private (Gmail, Hotmail, etc.) | Examples: sender from Gmail or Hotmail service |
| | | Email address seems random or from an irrelevant instance | Examples: prize@flostracizedent.ru, or use of the domain name of an expired sneaker webshop with an email about Office 365 |
| | URL to phishing website | URL is expired domain of own organization or known (relevant) authority | URL previously visited, but domain expired and re-purchased by attackers |
| | | URL is typosquat name of own organization or known (relevant) authority | URL is a variation of a well-known URL, where characters are omitted or replaced |
| | | URL contains own company name | URL contains organization name. Example: organization-online.nl |
| | | URL appears to be from relevant / known organization | Example: URL contains, for example, the word 'Microsoft' or 'Office' |
| | | URL seems from irrelevant / unknown organization | Example: URL contains the word 'sneakers', for example, but pretends to be an office organization |
| | | URL contains name of hosting organization | Examples: site is a Wix site or free website |
| | | URL uses a link shortener service | Examples: bit.ly, goo.gl |
| | | URL is random | Example: flostracizedent.ru |
| | | No URL but IP address | Victim is directed to an IP address instead of a domain name |
| Attachment or download | Document | Office document with macro (possibly in RAR / ZIP archive) | Word or Excel document with macro |
| | | Executable (could be in RAR / ZIP archive) | Executable like .exe or .dmg |
| Security and confidentiality | Email signing (when possible) | Email is signed | Received email has a 'sign' icon next to the email. Note: this is not possible everywhere. |
| | | Email is not signed | |
| | SSL certificate (recommended to check: there are almost no phishing campaigns without the use of SSL) | Use of an SSL certificate on website | Website referred to contains lock / SSL certificate |
| | | No SSL certificate installed on website | Website referred to does not contain a lock / SSL certificate |
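As an added illustration (not the tool from the post), the following Python scores an email against a subset of the rubric above; the remaining categories have the same shape. It assumes equal category weights and that choices are listed from most to least legitimate-looking, which the post does not state, and it skips the signing check when it is marked not applicable, as the note above allows.

```python
from dataclasses import dataclass

@dataclass
class Category:
    name: str
    options: list           # ordered from most advanced (legitimate-looking) to least
    multi: bool = False     # checklist: every item that applies adds to the score
    optional: bool = False  # may be left out when not applicable (e.g. email signing)

# Subset of the rubric from the table. Ordering and equal weighting are assumptions
# made for this example, not the tool's published weights.
RUBRIC = [
    Category("Reason", ["Important value for the recipient", "Recent event",
                        "Current theme", "Timeless activity"]),
    Category("Sender", ["Own organization or colleague", "Known organization",
                        "Unknown organization", "Private person"]),
    Category("Language and text", ["Language within organization",
                                   "Flawless text without typos",
                                   "Form of address within organization",
                                   "No extra special characters and spaces"], multi=True),
    Category("Design", ["Internal corporate identity", "Copied corporate identity",
                        "Recognizable corporate identity", "Neutral corporate identity",
                        "Plain text"]),
    Category("Email signing", ["Email is signed", "Email is not signed"], optional=True),
    Category("SSL certificate", ["Use of an SSL certificate on website",
                                 "No SSL certificate installed on website"]),
]

def category_score(cat, choice):
    """Return 0.0..1.0 for one category; 1.0 is the most legitimate-looking choice."""
    if cat.multi:
        if not set(choice) <= set(cat.options):
            raise ValueError(f"{cat.name}: unknown item in {list(choice)}")
        return len(set(choice)) / len(cat.options)
    if choice not in cat.options:
        raise ValueError(f"{cat.name}: unknown choice {choice!r}")
    return 1.0 - cat.options.index(choice) / (len(cat.options) - 1)

def phishing_score(answers):
    """Percentage over the categories that apply; all-best choices give 100."""
    scores = []
    for cat in RUBRIC:
        if cat.name not in answers:
            if cat.optional:
                continue  # signing cannot be checked everywhere; leave it out
            raise KeyError(f"missing answer for {cat.name}")
        scores.append(category_score(cat, answers[cat.name]))
    return round(100 * sum(scores) / len(scores), 1)
```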