Rapid7 scam busters: Using social engineering to train your users about phishing attacks

Blog Post created by rapid7-admin on Dec 20, 2010

Originally Posted by Chris Kirsch

With the holidays approaching, many people are looking for gift ideas and deals. The holiday season is also hunting season for malicious hackers, who send out phishing emails disguised as gift ideas and deals.

How do you protect your employees from divulging their personal and even corporate passwords to an attacker? Phishing is hard to combat with technology alone. Training employees to spot phishing scams is the most effective defense, but training is time intensive and may impact productivity.

What if you could find a way to train only the people who are actually vulnerable to such an attack? Well, you can. It’s simple to set up a social engineering campaign in Metasploit Pro that sends emails to your user base and directs recipients to a “malicious” website that you host. Using Metasploit Pro, you can easily clone a well-known and trusted website and ask the user to provide their login. The people who log in to your site are exactly the people who need phishing training, and – bingo! – you have them on your custom website.

Instead of writing a page about phishing, why not present them with a short YouTube video on how to recognize phishing emails and how to protect themselves against them? I really like this “In Plain English” video; just embed it in your social engineering website:

[Embedded video: "Phishing Scams in Plain English"]

If you want to try out social engineering campaigns with Metasploit Pro, download a free, fully featured Metasploit Pro trial.

I wish you and your users a merry and safe holiday season!