Phishing campaign proposal
Exam 2
You are the Sr. Security Engineer for ABC Startup LLC, a 300-user Latin marketing firm, and your CISO
just got back from the ISSA CISO forum in Georgia. She recently saw a talk by Michael Wylie called
Shooting Puny Phish in a Barrel where he talked about trends in phishing campaigns, decentralized
workforces, and a new technique to phish users with international domain names. She realized on her
flight back that since she’s been the CISO (6 years now), she has yet to run an internal phishing
campaign.
ABC Startup LLC requires budgets for the next fiscal year to be submitted before __10/30/2018 @
10pm__. Your CISO is tired from her trip and needs to get home to check on Belly Bop, her prized
pet goldfish, so she asks you to do the following:
1. Create a compelling business case to get budgeting for a 2019 phishing campaign. She
recommends the business case be ½ to a full-page executive summary that she can submit to
the CEO, COO, and CFO explaining the trends in phishing, why it’s a concern to the organization,
and justification for why they should allocate business funds to the campaign. The COO is a
smart guy and will ask for any sources if statistics are used. Make sure to include credible
references that he cannot poke holes in (e.g. Harvard Business Review, not Wikipedia).
Remember to make the business case professional, as Sr. Management will be reviewing it and
your job could be on the line. (35% of grade)
2. Create a complete itemized budget for the phishing campaign in 2019. Think about software
licenses, implementation costs, training, cost per email sent, professional services, internal
resource costs for you or one of your security engineers to manage the phishing campaign, etc.
The CFO will probably ask you why you opted for the option you’re recommending and ask if
you have compared the solution to other options (e.g. outsource: PhishMe [buy it] vs.
insourced: GoPhish [build-it]). If you don’t have some of the numbers estimate them and
document your justification to the CFO. (25% of grade)
3. Create the basic outline of your proposed phishing campaign for the CISO. Think of a creative
phishing campaign that can be used. Appeal to human emotion. Scarcity, urgency, charitable
acts, and authority generally get good results. (40% of grade)
a. Provide a brief, concise 1-3 sentence summary of your phishing campaign and how it will
work. Any specifics that will make the campaign more successful (e.g. time of year)
should go here. (10% of grade)
b. Document how you’d determine success in your campaign (e.g. Open rate? Click rate?
Credentials harvested? Opened attachment? Other?) (2% of grade)
c. Find a good available domain (e.g. delivery-ups.com) for the campaign that would get a
high open/click rate and take a screenshot showing the option to buy it. (5% of grade)
d. Take a screenshot of the real website you plan to clone in your phishing campaign so
that management gets an idea of what the page would look like if a user clicks the
targeted link in your phishing email. (Note: if you plan to use an attachment, malware, or
custom site, you’ll need to go into detail or draw up a mock illustration). See screenshot
A below as an example. (20% of grade)
e. Create a compelling phishing email template using Word, PowerPoint, or Photoshop to
illustrate what the final version of the phishing campaign would look like. This is the
most important part as a poorly executed phishing email will have a low success rate.
Attention to detail is critical. See screenshot B as an example. (3% of grade)
Screenshot A:
Screenshot B:
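Item 3b asks how success would be determined. The following is an added example, not part of the exam or of any tool it names, showing one defensible way to score a campaign from an event log: rates are computed per unique user against the population that was actually sent the email, repeat opens or clicks by one user count once, events from users outside the send list are surfaced rather than silently inflating the numbers, and the report rate and time-to-first-report are tracked alongside the click and credential-submission rates, since the point of an internal campaign is to raise reporting, not just to count clicks. The event names (sent, opened, clicked, submitted, reported), the log line format and the sample log itself are all constructed for this example.

```python
"""Scoring an internal phishing awareness campaign from an event log.

Assumed event names (not from the original assignment): sent, opened,
clicked, submitted, reported. Each log line is "<ISO timestamp> <user> <event>".
"""
from collections import defaultdict
from datetime import datetime

# Funnel stages measured as a fraction of users who were sent the email.
FUNNEL = ("opened", "clicked", "submitted")

# Constructed sample log for illustration only; not data from a real campaign.
SAMPLE_LOG = """\
2019-03-04T08:00:01 alice sent
2019-03-04T08:00:01 bob sent
2019-03-04T08:00:02 carol sent
2019-03-04T08:00:02 dave sent
2019-03-04T08:12:10 alice opened
2019-03-04T08:12:40 alice clicked
2019-03-04T08:13:05 alice submitted
2019-03-04T08:20:00 bob opened
2019-03-04T08:21:00 bob opened
2019-03-04T08:22:30 bob reported
2019-03-04T09:05:00 carol opened
2019-03-04T09:05:30 carol clicked
2019-03-04T09:06:00 carol clicked
2019-03-04T09:07:00 carol reported
2019-03-05T11:00:00 mallory clicked
"""


def parse_log(text):
    """Return (users per event, earliest timestamp per event).

    Users are deduplicated per event, so a user who clicks three times
    counts once. The earliest timestamp per event supports time-to-report.
    """
    users = defaultdict(set)
    first_seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed log line: {raw!r}")
        ts, user, event = parts
        when = datetime.fromisoformat(ts)
        users[event].add(user)
        if event not in first_seen or when < first_seen[event]:
            first_seen[event] = when
    return users, first_seen


def campaign_metrics(users, first_seen):
    """Compute per-user rates against the send list and a few reporting metrics."""
    sent = users.get("sent", set())
    if not sent:
        raise ValueError("no 'sent' events; rates would be undefined")
    n = len(sent)
    metrics = {}
    for stage in FUNNEL:
        # Intersect with the send list so stray events cannot push a rate above 1.0.
        metrics[f"{stage}_rate"] = len(users.get(stage, set()) & sent) / n
    reported = users.get("reported", set()) & sent
    clicked = users.get("clicked", set()) & sent
    metrics["report_rate"] = len(reported) / n
    # Reports per click: the "other" metric; above 1.0 means more users reported than clicked.
    metrics["reports_per_click"] = (len(reported) / len(clicked)) if clicked else None
    if "reported" in first_seen:
        delta = first_seen["reported"] - first_seen["sent"]
        metrics["seconds_to_first_report"] = delta.total_seconds()
    else:
        metrics["seconds_to_first_report"] = None
    # Users who generated events without being on the send list (e.g. a forwarded email).
    everyone = set().union(*users.values())
    metrics["unexpected_users"] = sorted(everyone - sent)
    return metrics


def score_campaign(text=SAMPLE_LOG):
    """Parse a log and return the campaign metrics dictionary."""
    users, first_seen = parse_log(text)
    return campaign_metrics(users, first_seen)


if __name__ == "__main__":
    for key, value in score_campaign().items():
        print(f"{key}: {value}")
```

On the constructed log this yields an open rate of 0.75, click rate of 0.5, credential-submission rate of 0.25 and report rate of 0.5, with the first report arriving 1349 seconds after the first send; "mallory" is listed as an unexpected user because a click was recorded without a matching send. The denominator choice matters when presenting results to management: dividing by users sent, not by users who opened, keeps the rates comparable across campaigns with different open rates.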