Psychology of Phishing
The purpose of phishing is to exploit social cues in a manner that persuades the target to open (view) the message, triggering a short-term thinking approach that overrides prior training and common sense in order to take an action on behalf of the Pentester.
Why a Client Should Phish their Users
Phishing has replaced Remote Code Execution (RCE) as the primary method of obtaining a foothold on the target network. Why? Because it bypasses the majority of perimeter defenses by co-opting a trusted insider to perform an action on behalf of the attacker. When you phish, you are testing your users' susceptibility (i.e. measuring risk). Do users follow the established policies and training regarding phishing? Is the training provided effective and applied correctly? These are all factors the client can measure via phishing.
It is important to educate the client that phishing results are not an excuse for ridicule or Friday Executions in the conference room. People must be encouraged to learn, grow, and develop more effective communication channels with IT security when these events occur. That does not happen if users are belittled, abused, or punished as a result of the phishing campaign.
Creating a Believable Campaign
Phishing is an art form; the more you practice the craft, the more proficient you become. There are two schools of thought when it comes to phishing:
S3 (Short, Sweet, & Simple) aka the ADD Approach
Detailed - Complex and designed to create or follow a prevalent story-line (e.g. Recent Disaster, News Event, etc...)
From a pentest perspective, S3 seems to work best. Most business users are busy and overwhelmed. If you provide them a complex story-line, most will view it, decide the message is tl;dr (Too Long, Didn't Read), and close it.
When developing the premise of the campaign, consider scenarios that are relevant to the target. Changes in stability (e.g. mergers or market share), migrations to new and less familiar applications, or changes in status, benefit, or seniority are often effective approaches. It is important to remember, you are a Pentester, not a fraudster! There is a social boundary that you should never cross. Using tactics that cause panic, mental anguish, or threaten the target's well-being is NEVER acceptable. Using such an approach is likely illegal, most likely exceeds your authority, and is most certainly a sign of a weak phishing campaign.
Another consideration is the use of trademarked, registered, or copyrighted materials. For instance, using the Bank of America logo in your phishing campaign could add a sense of realism to the effort. It could also get you reported to the Secret Service for attempted fraud or sued by the company for misrepresenting their trademark. I find it a far smarter tactic to spend 15 minutes recreating a logo or page banner that is similar but different. For example, if you are simulating a company's VPN portal, consider replicating the logon banner but misspelling the title of the application (e.g. BlueCoat vs. Blucoat). If you are going to use graphics, consider rewording trademarked phrases or altering graphics in a manner that produces a similar but different image. In some cases, the client may feel unfairly tricked, especially if the pages are spot-on and, other than the URL, indistinguishable from the real ones. One way to de-escalate this issue is through the injection of "tells", which are campaign indicators. When these exist in the message and associated links, you as the pentester can highlight them in your report as indicators the target should have caught when evaluating the message and associated link; this helps defuse any hostility from the client during reporting.
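Because the report has to list every tell the target could have caught, it helps to check each message for its declared tells before it is sent. The following is an added example, not code from the original article: the message, the sender domain, the links and the list of tells are all constructed for illustration (the `.invalid` domains are reserved placeholders, not real hosts). Besides the tells the campaign author declared, it also records any link whose visible text shows a different host than the real `href` target, since that mismatch is itself an indicator a user can catch by hovering over the link.

```python
"""Audit a simulated-phishing message for the 'tells' it is supposed to
carry, so the report can enumerate every indicator the target could have
spotted.  Added example; message, domains and tells are constructed."""
import re
from dataclasses import dataclass, field

# Constructed campaign message (hypothetical sender, subject and links).
SAMPLE_MESSAGE = {
    "from": "IT Helpdesk <helpdesk@example-corp-it.invalid>",
    "subject": "Action required: Blucoat VPN portal migration",
    "body_html": (
        "<p>Our Blucoat VPN portal is moving. Please sign in before Friday "
        "to keep access.</p>"
        '<p><a href="https://vpn.example-corp-it.invalid/login">'
        "https://vpn.example-corp.invalid/login</a></p>"
    ),
}

# Tells the campaign author deliberately planted (constructed list).
DECLARED_TELLS = [
    "Blucoat",                  # misspelled product name in subject and body
    "example-corp-it.invalid",  # lookalike sender / link domain
]

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:]+)", re.I)


@dataclass
class TellReport:
    present: list = field(default_factory=list)
    missing: list = field(default_factory=list)
    link_mismatches: list = field(default_factory=list)  # (shown host, real host)

    @property
    def ok(self):
        """The message is fit to send only if every declared tell is present."""
        return not self.missing


def host_of(url):
    """Return the lowercased host part of a URL, or '' if it has none."""
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""


def audit_tells(message, declared):
    """Check that each declared tell appears in the headers or body, and
    record links whose visible text names a different host than the href."""
    report = TellReport()
    haystack = " ".join(
        [message["from"], message["subject"], message["body_html"]]
    ).lower()
    for tell in declared:
        bucket = report.present if tell.lower() in haystack else report.missing
        bucket.append(tell)
    for href, text in LINK_RE.findall(message["body_html"]):
        shown = host_of(re.sub(r"<[^>]+>", "", text))  # strip nested tags
        actual = host_of(href)
        if shown and actual and shown != actual:
            report.link_mismatches.append((shown, actual))
    return report


if __name__ == "__main__":
    r = audit_tells(SAMPLE_MESSAGE, DECLARED_TELLS)
    print("fit to send:", r.ok)
    for tell in r.present:
        print("tell present:", tell)
    for tell in r.missing:
        print("TELL MISSING:", tell)
    for shown, actual in r.link_mismatches:
        print(f"link text shows {shown} but points to {actual}")
```

Run it against each template before a campaign goes out; a message that comes back with anything in `missing` has lost a tell somewhere in editing, and the `link_mismatches` list gives you the hover-check indicator for the report without having to spot it by hand.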
Hosted vs. In-House Managed
In order to phish effectively you will need one or more of the following approaches, each with its own trade-offs:
Hosted
Pros: This is by far the easiest method to implement. Using a commercial phishing provider, you can select campaigns from a series of templates that are relevant to your users. In more mature providers, you can modify the templates to add additional believability (e.g. the name of their supervisor, or links that enhance believability). These solutions also typically provide reporting histories and correlations (e.g. opens, clicks, etc. for a single campaign and correlated results over time). These solutions do the heavy lifting such as establishing phishing domains, managing the web infrastructure needed, etc.
Cons: From my experience, many of the canned templates are weak and simply low-hanging-fruit collectors. If you are looking to check a box, then any appearance of phishing will do that and you shouldn't care. If you are a true security professional and want to really measure the risk to your enterprise, then many of the templates will need some manual modification. Another factor is that most email proxy / spam hosts have all the provider's email addresses tagged as phishing. This will require you to implement whitelisting. Since most commercial companies don't keep adding domains to their phishing services, your users will learn over time which ones to avoid regardless of realism.
In-House Managed
Pros: You control the level of believability and the scenario's context, and can add / change the phishing domains at will. You also don't depend on the results being protected by a 3rd party. Because you are using your existing infrastructure, you can potentially bypass external security measures with greater ease and leverage existing hardware / VMs to lower the overall costs (true operational costs vs. per-box fees from 3rd party hosts).
Cons: You have to do all the work. You have to install and manage the phishing infrastructure, patch it, potentially purchase and configure A records for your phishing domains, etc. You also have to spend the time and energy to develop your own campaigns. When things break, you're responsible for troubleshooting and fixing them. For all the downside, I favor this as the best solution over the long haul.
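Whichever route you take, the point of the exercise is the measurement: opens, clicks and submissions for one campaign, and how those rates move across campaigns over time. With an in-house setup that reporting is yours to build, so here is an added example of the arithmetic, not code from the original article or from any phishing product. The event log, the campaign names and the users are constructed, and the `timestamp,campaign,user,event` line format is an assumption chosen for the example; a real tool will have its own export format that you would parse instead. Each user is counted once per stage so that a user who opens a message three times does not inflate the open rate.

```python
"""Per-campaign phishing metrics and cross-campaign correlation from an
event log.  Added example; log lines, users and campaigns are constructed,
and the line format is an assumption rather than any product's format."""
from collections import defaultdict

# Constructed event log: timestamp,campaign,user,event (one event per line).
SAMPLE_LOG = """\
2023-03-01T09:00:00,Q1-vpn,alice,sent
2023-03-01T09:00:00,Q1-vpn,bob,sent
2023-03-01T09:00:00,Q1-vpn,carol,sent
2023-03-01T09:00:00,Q1-vpn,dave,sent
2023-03-01T09:05:12,Q1-vpn,alice,open
2023-03-01T09:05:40,Q1-vpn,alice,click
2023-03-01T09:06:02,Q1-vpn,alice,submit
2023-03-01T09:07:00,Q1-vpn,bob,open
2023-03-01T09:07:30,Q1-vpn,bob,report
2023-03-01T09:20:00,Q1-vpn,carol,open
2023-03-01T09:20:15,Q1-vpn,carol,click
2023-03-01T09:21:00,Q1-vpn,carol,click
2023-06-01T09:00:00,Q2-benefits,alice,sent
2023-06-01T09:00:00,Q2-benefits,bob,sent
2023-06-01T09:00:00,Q2-benefits,carol,sent
2023-06-01T09:00:00,Q2-benefits,dave,sent
2023-06-01T09:03:00,Q2-benefits,alice,open
2023-06-01T09:03:10,Q2-benefits,alice,report
2023-06-01T09:04:00,Q2-benefits,carol,open
2023-06-01T09:04:30,Q2-benefits,carol,click
2023-06-01T09:10:00,Q2-benefits,dave,open
2023-06-01T09:10:20,Q2-benefits,dave,report
"""

# Funnel stages; "report" is the good outcome (user reported the message).
STAGES = ("sent", "open", "click", "submit", "report")


def parse_events(text):
    """Parse the constructed log into (timestamp, campaign, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, campaign, user, event = line.strip().split(",")
        if event not in STAGES:
            raise ValueError(f"unknown event {event!r} in line {line!r}")
        events.append((ts, campaign, user, event))
    return events


def campaign_metrics(events):
    """Return {campaign: {'counts': {...}, 'rates': {...}}}, counting each
    user at most once per stage; rates are relative to messages sent."""
    per_stage_users = defaultdict(lambda: defaultdict(set))
    for _, campaign, user, event in events:
        per_stage_users[campaign][event].add(user)
    metrics = {}
    for campaign, by_stage in per_stage_users.items():  # first-seen order
        counts = {s: len(by_stage[s]) for s in STAGES}
        sent = counts["sent"]
        rates = {s: round(counts[s] / sent, 3) if sent else 0.0 for s in STAGES[1:]}
        metrics[campaign] = {"counts": counts, "rates": rates}
    return metrics


def trend(metrics, stage):
    """Ordered (campaign, rate) pairs for one stage, to plot or tabulate."""
    return [(c, m["rates"][stage]) for c, m in metrics.items()]


def repeat_clickers(events):
    """Users who clicked in more than one campaign: the correlation over
    time that identifies where follow-up training is most needed."""
    campaigns_clicked = defaultdict(set)
    for _, campaign, user, event in events:
        if event == "click":
            campaigns_clicked[user].add(campaign)
    return {u for u, cs in campaigns_clicked.items() if len(cs) > 1}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for campaign, m in campaign_metrics(evs).items():
        print(campaign, m["counts"], m["rates"])
    print("click trend:", trend(campaign_metrics(evs), "click"))
    print("repeat clickers:", sorted(repeat_clickers(evs)))
```

The click rate and the report rate together are the numbers worth tracking between campaigns: a falling click rate with a rising report rate is the outcome the training is meant to produce, and the repeat-clicker set tells you who needs the conversation with IT security rather than the conference-room treatment.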
Tools of the Trade
If you are creating your own campaigns, first of all congratulations on selecting the hands-on approach. There are some tools you may want to become familiar with in order to facilitate your efforts. These are provided for your consideration and not as an endorsement:
Useful Tools for Campaign Development: