Good afternoon. Welcome to Phishing Without Failure or Frustration, for that matter, or How I Learned to Stop Worrying and Love Layer 8, otherwise known as 11 Stories of Fail, brought to you by Jay Beale and Larry Pesce. Yay. Welcome to day whatever of DEF CON. For some of you this may actually be a continuation of yesterday because you haven't slept yet, okay? Or some of you have got lots of sleep, right? Who got lots of sleep? Lies. Lies. If you see anybody wandering around and kind of looking, you could choose one of two tacks: either ignore them fully, like just stare right over their shoulder, menacing growl, let them know that there's no way they're getting a seat. Or, well, let's go for the second option. Please scoot in, make room, pull your legs back, make friends. Hopefully you all showered today? Nope. Okay. All right. Yup, I did. Thank you. All right, so let's talk about some phishing without failure, in action. So for us, for Jay and I and the InGuardians crew, this stuff, phishing, should be really easy. From the technical side, you know, you create a really witty or crafty email that sends the readers to a website with some URL. You set the website up. I mean, this is easy; Apache on Linux takes you about 10 minutes to do. It's one form. You build a one-form page, and it's really crappy with H1 tags and blink and marquee, and we collect credentials. We get client approval of steps one and two, and we send that email to as many email addresses as we can possibly find. And you watch the passwords fly in. And you get 10 to 40% of the employees in most cases. And sometimes you get lucky and it really is this easy. Yeah. And now our job is done, right? So thanks for coming.
That's how you do phishing without frustration. No. Welcome to phishing. This is all there is to it. No, it doesn't work that way. It would be nice if it did. Sometimes you get really lucky. However. Sometimes you get really, really lucky. Larry Pesce here once had a phishing campaign with a success rate of more than 100%. He sent an email out to some number of employees of the company, let's call it half the employees. And he had the routine scary email that has all the things it needs to have. It has to have a call to action. That call to action says bad things will happen otherwise, or engages you to be helpful, and it has to give you a nice deadline, right? So he crafted that email. Great. And it scared people hardcore. So they forwarded that email. The people who got it, and their colleagues who hadn't gotten it: they forwarded it over to them too. They're like, dude, you have to do this or else your access is going to get cut off. But I didn't get that email. Can you forward it to me? I'll send you a copy. And the people who were sending copies would actually send copies out to their other accounts. So a lot of us, you know, we've got a normal user account, we've got our admin account, and then we've got our domain admin account. And so you got it on one of the three and you send it to the other two, just to make sure that Larry gets domain admin accounts. Bingo. It worked out really well. I hope everybody, I hope I'm not too old, and everyone does recognize INXS, our rates in excess of 100%. You're too old. You're too old. So am I. Yeah. All right. So why are we doing this phishing to begin with? So the intent for doing the phishing to begin with, I probably don't need to tell a lot of you, but to make sure we're covering this, is we're here to try to do this phish to, quote, make the organization's staff hard-ass mofos, right? We're trying to build the firewall of the human, right?
We're trying to train the users to be better at this so that they don't click on stuff. And this stuff works. After, you know, after you get through your second or third time finding out that you got caught by a phish, you tend to be a heck of a lot better. You're a little gun-shy, right? Yeah, you start looking at every one of those emails rather critically and going, is this real or not? And sometimes the phishes are so good you question it. I have actually seen some folks send me some sample phishing emails and almost clicked on them because they were that good. Like, why did I just get an email from FedEx? I know I'm waiting for a FedEx package. No, don't click that. So it's about hardening the humans, and not necessarily testing the technology to prevent it from getting into the organization in the first place. Now the problem is that most people's... So we're taking the perspective that you are either a consultant like us, or you're in your own organization and you're trying to get a phishing program going to harden your users. Ultimately, if you're running a phishing campaign in your own organization... So when we say clients, we mean potential clients that we work with from a consulting perspective, or you are in fact having your users in your organization be your clients. You are working within your department and your management, and you are a client of that management staff. Yeah, when I was internal I liked to think of myself as, I still like to think of myself as a consultant. I like to think of myself as having clients, because that got me to understand who I was trying to work with. Okay, so most people's attempts don't go this well. Years ago when InGuardians started doing more regular phishing work, when we were doing it often, we'd watch our consultants get so frustrated with the situation when they were phishing, and we got better.
And so the rest of this talk is about all the frustrating situations that we and others ran into, and trying to tell you, teach you, how to avoid them yourselves so you could just have fun with this, because phishing, when it goes well, is really, really fun. Get the passwords, harden the users, make everybody happy. This is awesome. But for most people their first attempt or two or three ends up being frustrating in a way that leaves them blaming their client, blaming themselves, frustrated, and even though they get technical success they end up just saying, God, I hope I don't have to do that again. All right, so we're taking the approach of more of a pen test type of scenario here. This isn't about the red team, although red team is the, quote, new sexy. We do that too, but we're talking a little bit more about doing a generalized attack as opposed to a very specific, targeted red team type of attack. We're going to share 11 stories of our failures and the solutions that we found that seem to work really well to avoid those. And we're going to generalize this, and honestly this stuff should be useful way outside of phishing. It should be useful in the rest of your professional life. It should be useful in your families. So we're basically going to say that any effort that you're attempting professionally is going to involve a certain amount of, and hopefully, and usually more than you realize, communication, collaboration, and negotiation. And I'll say something like this again, but I want you to know my rule is: anything in life that involves more than one person is a negotiation, whether you realize it or not. Otherwise you're just playing with yourself. You're the expert there. Somebody's got to do it. It's a dirty job. Somebody's got to do it.
All right, so red team phishing, on the other hand, as opposed to sort of more traditional pen test type phishing: we're looking for that not to test everyone; we're looking for that as an access methodology, and it's going to be a very detailed, tailored, very focused attack with a very small pool of emails, typically one to ten, usually one to two, sometimes even just one. We're going to do lots of open source intelligence. We're going to be delving into finding out what attack is going to work, and what attack is going to work the first time, because that's all we've got. And we need to build a lot of infrastructure around that, with backstories and great pretext and you name it. We're going to have to spend lots and lots of time; a single red team type phishing email may take months to construct, from the email content to building fake LinkedIn profiles to setting up domains and, you name it, to build that specific pretext. And getting those domains to have some history behind them so that they'll make it through the filters. Right, so that they have some provenance, as it were, so that those domains that we want to use for phishing have some trust based on use and organizational application and so forth. And some of the things that we found that work really well is using either Office 365 or Gmail, Google services, to use their trust for all of the spam filtering and so forth, to have that reputation built by others first. Their mail servers often get whitelisted, so you get the emails through easily. So like we said, we're going to tell you 11 stories from real-life experience. Each one of them informs the way that we run our phishing engagements, and honestly, over time, they start to inform the way that we do work for clients and run our company. So as I said, we're going to give you this advice as if you're either one of us, a consultant, or if you're inside a company and you're trying to do a phishing campaign yourself. So no plan survives first contact with the enemy.
There is possibly no way we can have any of this phishing fail. I mean, this is not going to go wrong, like this cat attacking this particular balloon. Because you know what's going to happen here. The cat is going to jump off the door. The door is going to swing closed, or it doesn't swing closed and they catch the balloon and plummet to the floor. Or they grab the balloon and the balloon pops, and then you know what happens when the cat has a balloon that pops. It's messy. It's messy. Really messy. First-hand, yes. Yes. It scares the crap out of him. Literally and figuratively, sometimes. All right, so first one. Schedule failing. You do a great job. You work with your client. You get the test on the calendar. It's ready to go. You talk with the client and you give them three individual pretexts to choose from. You send those over to the client. The contact that you're working with picks the pretext. You get all of that built by Wednesday in preparation to send the email out on Friday, so that it's in their mailboxes first thing on Monday morning so that all of the folks are looking at it. They get it Wednesday. You send over all the stuff so that they can review it. Looks good. And then you find out that on Thursday your contact pushes the email up the chain a little bit and says to the manager, hey, this is the phishing pretext that we're going to use, and we're going to get these emails out somewhere between Friday and Monday. Just a quick FYI, I thought it would be a good idea to show it to you. Kind of like a last-minute, here you go, just want to let you see it. And the manager says, look at this. You can't do this. This is all wrong. All our users are going to fall for this. Or, this is too believable. Or, we're going to get in so much trouble. No, you have to start back over again. Or, this has objectionable material in it; you can't actually try to sell medicinal drugs to make things bigger or smaller or whatever. Or stand up longer. We're trying to make some side money.
So now the manager comes back and says there's no way. You start the pretext over; you can't use this one. Do this instead. And now your contact comes back and says, so, Larry, Jay, I'm sorry, but we have to pick a different pretext. And we've got to start from scratch. You're going to have to build completely new dynamic material. This is going to take a little while, and as a consulting firm we're always worried about schedule, because if something starts to stretch, all of a sudden that thing we were supposed to do next week, we're going to be doing something else. And we've got someone in the front row of this talk, actually, who has to manage changing us to something else, which she refers to, changing the schedule, as rearranging her Tetris board. Because it's like, where do you fit these pieces in with these players, and it becomes a mess trying to juggle that stuff. But when you do this internally, if you're not an outside company, or you're doing this as an internal project, you're doing schedules that matter. And the thing is, if a project starts to run late, we all know this from IT: if a project starts to run late, it starts to lose credibility, and once that credibility is lost you risk the project getting shut down, or not repeated, or budget, or whatever. And so it's important to stay on time, and it's important to get it right the first time. So don't blow your schedule to bits, and make sure that you communicate with the organization to let them know what some of this stuff looks like. Yes, this is what happens when apparently you fail to communicate when creating some labeling. And yes, Arabic is spelled two different ways because they misspelled it one of the two times. Diesel fuel in Arabic, and then non-smoking in Arabic. So how do we fix it? This is the opportunity for you to lead. Never thought you'd be a leader, did you? Guess what? You're going to be a leader.
Hey, we need to start having some conversations with the folks in the organization to lead them through this from the beginning. Hey, we need to have this approved before we even start building some of this stuff. Let them know what you're brainstorming. Let them have some input into some of the pretext development. At the end of the day, even if you're not a manager, or you're inside a company and you're not a manager, you're a consultant or what have you, you may feel like you're not the boss. But at the end of the day you're the one who has the responsibility to get this project done and to make it work, and work well. And that means you do have to stand up and lead. Someone has to stand up and say, this is what we're going to do. And so what we do, basically, when we get this right, is we say, okay, this is what the process is going to be. Here's where the milestones are going to be. Here's what has to be done by when. And by the way, if this part doesn't work right, if we don't hit that milestone, this is one of the things that's happened in the past. So there are a few other things you find out before you even start creating your pretext. Who can veto it? And you get them involved and you tell them there is. Maybe give them some deadlines, or figure out how long they need to get that reviewed, so that you can schedule accordingly. Hey, we're going to send this over to you. Who are you going to send it to, to take a look at it? How long do you think it's going to take them? Can we set a deadline so that we can now continue to move forward and we sort of know what the rest of that schedule is going to look like? And give them some calls to action for limiting that time frame for that approval. Make sure they know how long it's going to take. Make sure you know whether the time frame you've set is actually reasonable. Don't build your entire prototype of your pretext until you actually have approval.
Like, don't spin your wheels building this huge thing for your pretext, all the background of the pretext, to find out that, I just wasted 40 hours building this pretext and it's no good. Well, maybe I can use it on another client, but depending on how tailored it is to that individual client, maybe not so much. So the other part of this is basically just realize you're talking to one person, you're talking to your client, you're talking to your boss. You're in a multi-party negotiation whether you realize it or not, because the organization, or your client, has got a whole bunch of people. So you're in a multi-party negotiation, and it's up to you to lead it and rock it and make sure that you're involving enough people. So how many of you guys are introverts in this room? Don't all raise your hands at once. I know you're being introverted, right? Yeah, that guy in the back, he's clearly an introvert, right? Yeah. Who's not an introvert, who's an extrovert? They tend to raise their hands more. Yeah, not many of you. Whose arms don't work? Pretty endemic in our industry, right? I think a lot of the folks that I run into, they deal with technology because they don't want to have to deal with people. Well, unfortunately, we have to deal with people, right? Yeah, so some introvert pro tips. It's about when you're going to communicate and, ultimately, the type of communication. So if you communicate more in the beginning about this whole process, the communication will be much better. You get an opportunity to excel and to lead and to have fun. Or if you don't communicate enough, you end up in these last three bullets, which sucks, and it takes longer too, so it's more effort. You're talking about frustrations, you're assigning blame, you're talking about why the project didn't work, you're lamenting the failure. People are getting angry and finger-pointing, and that never goes well, and it's not nice, and it makes you not want to do this, and it makes you frustrated.
So communicate more in the beginning. Cool. I can't wait until my kids start sending me Father's Day cards via email, because they're cheap. I already do that. See, I can't send Father's Day cards. I can't send Mother's Day cards. My father passed away. I can't send Mother's Day cards to my mom via email. You know why? She can't use a computer. I took it away from her. All right. What do you mean? Oh, now we can mess with the transcriptionists? No. Did you check your spam folder? This is something that used to happen to us. We actually had one of these happen to us recently, but in our story you spend a whole bunch of time developing that pretext landing page, go through all the negotiation we've been talking about, and none of your emails make it through the organization's spam filters. At this point the spam filters have been trained on your emails, so you don't get to use it in the future. So your spam filters trigger, maybe because your domain is too new, or it has broken SPF, or maybe the spam filters just get lucky, and you're back to the drawing board. Schedule suffers. Your contact or your boss is annoyed. Yeah, check out this pretext. Let's go test it. No, it doesn't work. Testing would be good. So let's do some user testing on our user testing. So we've tested the test with some user testing. Right. Okay. Go, dog. Okay, this is the one technical slide we have in the entire talk, so on the technical side, go and configure SPF and DKIM. Use an MTA that you've tested. Have had the domain for at least a week, and have it assigned to do that. And a pro tip: your IPv6 assignments for all of the services as well. We recently had a mail server that would do SPF records.
One of our clients had a mail server that did SPF record lookups and preferred IPv6 over IPv4, and the IPv6 lookup would fail, and then, because our SPF record wasn't appropriate, they would drop the mail as spam because it was via IPv6 and not IPv4, and it took us forever to figure out why this stuff was not making it through. So with that said, we like the human fix for this one. Basically you talk to your client, your contact, your boss, and you say, you're testing the human, it's not the technology. The point of... we talked about red teaming and it had a different focus, but in this you look and say, what's the overall mission? The overall mission was to get an email to everybody in the org, or to a large portion of the org, and see how they respond to an actual phishing email. So if the technical solutions get in the way, then you're not actually able to do the test. So at this point we're going to go and ask to be whitelisted. Hey, could you just let our mail server send through? And make sure that you budget time to test the whitelist, because if you don't, then you still end up in this failure if your whitelist was set up and didn't work. So for example, this is testing the human, not the technology, because we know the technology fails. How many of you folks have a spam filtering or some type of solution in your organization? How many of you still get spam? I rest my case. It's broken; it doesn't always work. So it's not about testing the technology. You know you have it, you know it doesn't always work, and it takes one email to get into someone's environment for one person to click on. And you know what's going to get there, because, do you know why they keep doing spam? Because it works! Damn it. All right, math is hard. Find the volume and surface area of the cylinder. Sushi. So, the numbers game fail. So, some interesting things: you know you're going to go do a phishing test and you need to have some emails to send these to.
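Before the numbers-game story, the SPF-over-IPv6 failure from the technical slide is worth seeing in code. This is an added example, not from the talk or from InGuardians: a small offline SPF evaluator run against constructed TXT records (hypothetical domain names, documentation-range addresses) that shows a v4-only record failing the same MTA once it connects over IPv6, the record with an ip6: mechanism passing it, and a lint that flags the gap before a campaign goes out.

```python
import ipaddress

# Constructed TXT records standing in for DNS, so this runs offline.
# Domain names and addresses are hypothetical (RFC 5737 / RFC 3849 ranges).
FAKE_TXT = {
    # v4-only record: the misconfiguration described in the talk
    "phish-test.example": "v=spf1 ip4:203.0.113.10 -all",
    # same sending host, now with its IPv6 address listed as well
    "phish-test-fixed.example": "v=spf1 ip4:203.0.113.10 ip6:2001:db8:1::10 -all",
    # a relay whose ranges another domain pulls in via include:
    "mailhost.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/64 -all",
    "partner.example": "v=spf1 include:mailhost.example ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    Models ip4:, ip6:, include: and all with the four qualifiers; a, mx,
    exists and ptr are not modelled and yield permerror. Returns one of
    pass / fail / softfail / neutral / none / permerror (RFC 7208 terms).
    """
    if depth > 10:                      # RFC 7208 cap on DNS-querying terms
        return "permerror"
    record = FAKE_TXT.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        if "=" in term:                 # modifiers (redirect=, exp=) skipped here
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        # partition at the FIRST colon so an ip6 argument keeps its own colons
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            # An ip4 mechanism can never match a v6 connection: this is exactly
            # why a v4-only record fails once the MTA starts sending over IPv6.
            matched = net.version == ip.version and ip in net
        elif mech == "include":
            inner = check_spf(arg, sender_ip, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"

        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no 'all' present


def ipv6_gap(domain):
    """True when the record names ip4 senders but has no ip6 mechanism at all.

    Run this against your own sending domain before a campaign; if the MTA
    also has an IPv6 address, True here predicts the silent drops from the talk.
    """
    record = FAKE_TXT.get(domain, "")
    mechs = {t.lstrip("+-~?").partition(":")[0].lower() for t in record.split()[1:]}
    return "ip4" in mechs and "ip6" not in mechs


if __name__ == "__main__":
    for dom in ("phish-test.example", "phish-test-fixed.example"):
        for ip in ("203.0.113.10", "2001:db8:1::10"):
            print(f"{dom:26} {ip:16} -> {check_spf(dom, ip)}")
        print(f"{dom:26} ipv6 gap? {ipv6_gap(dom)}")
```

Swap FAKE_TXT for a real TXT lookup of your own sending domain and the same two calls tell you, before the first email leaves, whether a receiver that prefers IPv6 will reject you.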
You use all of the best tools in your arsenal to go collect email addresses from the internet. Maltego, you name it, Google, all of the tools that you use to populate those lists of emails from publicly available sources. And you end up with 15 email addresses in a company that has a thousand employees. This is not a good test. Okay. So you're really looking to test all of the humans and to see how all of the humans react based on some of their internal training, or to gauge what type of training they need to do. You need a whole lot of email addresses. 15 isn't going to cut it. The thing is, the black hats, they get to brute force the mail servers to find valid email addresses. They get to send you tons of spam to do that. They get to buy mailing lists. And if they're particularly questionable, this guy named Bob, they can go and say, pull all the pager traffic. If their client, or their target, well, not their client, if their victim is, say, a hospital nearby with tons of pagers going, that'll get you some addresses. Yes, that'll get you some addresses. So, math, why are you so hard? Why does this have to be so hard? How can we get around this whole 15 email address problem and be semi-ethical about it, and/or do this affordably and not have to buy really expensive mailing lists or do bad things with POCSAG and FLEX pager traffic? So let's just tell the client or the boss that an attacker could get a really comprehensive list of email addresses. We know they can. We know they can. When we tell them that, we're going to prove it. I can brute force every email address at your mail server. You're not going to like it. It's going to be a bad day for your email admin. So the objection that we might get from purists is like, wait a second, you want this to be an accurate test. And I'll say, this is where the red teams, military red teams, for a long time have been saying, this is our white card.
We're going to say, let's just stipulate that we could get all the email addresses; you give them to us. And that way we're spending our time in smarter ways. So in our case, this is the first place where the negotiation becomes really obvious. Your client may just say, no, I don't want to. And at that point you have the opportunity to just walk away and say, okay, well, I'm going to send them 15 emails. This phishing test is going to suck, and, you know, it's okay, it'll be his fault. So I don't care. But most of us, when we do anything in life, we actually care about the outcomes. And when we say "I don't care," we're usually in some kind of pain. So what we could do instead is try to get creative. We could talk to our client and say, how about this. We'll do the first step. We'll find all the addresses we can find. And if that's 15, great; if it's a thousand, great. At the end of that, we're going to give you those addresses. We'll put them in the report. Heck, if you want, we'll do those first. But ahead of time, give us the rest of the email addresses of the organization. That way we get to do a comprehensive test, where we know that we actually got to test a large enough number of users to be helpful. And you get that thing you wanted, which was that accuracy. You can kind of see both outcomes. And it won't ruin your day when we topple over your mail server by sending too much through email. And your email admins will have a bad day for that. And maybe we're not engaging in illegal behavior for finding addresses via other means. So brace yourselves. The open floor plan office is coming. Winter is coming. So your email... let's consider a pretext. I did this once. Your email says it's from... Did you consider the pretext once? I did. No, I wrote one, damn it. Have you been drinking again? Not yet. So the email says it's from Robert Smith. He's the director of information technology. You send it out.
The director of information technology says anybody who's given their password is going to lose their job, blah blah blah. This kind of thing. That's my pretext. I didn't really know my client. The whole organization sat on one floor in a very large airplane-hangar-style building in an open floor plan. And so people just started walking over to Robert's desk, at which point he alerts everybody. He tells a few of them, and then one of them stands up and says, hey, that email from Bob, don't open it. And your success rate goes to utter dog. What success rate? So having an open floor plan has helped me bond with my coworkers, who also despise having an open floor plan. So know your target. Know what the environment looks like as part of developing that pretext. Because, again, you want to help the folks that you're testing to become better. You want to have some good success and not have the alerts. You want to test individual people and not have that alert go out, necessarily, so that all those people can get tested. Talk with your client about what the office looks like. Hey, who may be a good person in the organization for us to send an email in from, if it's a legitimate source? What day is he going to be on vacation, so they can't go over to his office and knock on his door and say, hey, did you just send that email? Now find out when he's going to be on vacation. Find out where people sit in the organization; is it difficult for them to potentially go ask those folks? Talk about what their escalation procedure is for getting spam emails and malicious emails and those types of things. So then you can start understanding who they're going to potentially escalate it to, so maybe you can notify those people to say, hey, you just got an escalation? Good, we're doing a phishing campaign, don't tell anyone. See how many people report it.
Absolutely. So the other big one for us that we learned was: make your client or your contact within your organization, and at least one level of management above them, part of the pretext brainstorm so you catch things early. They tell you, yeah, that's not going to work, we all sit on one floor. They're just going to walk over to Bob's office and ask him if he sent the email. I'm going to let this one speak for itself. Okay, so here's another one I've gotten nailed by. Your client asks you to send the email slowly so you're going to avoid detection. Just, you know, send one, wait 10 more minutes, send another. By the time you've got 10 emails out, what's that, math is hard, an hour and 40 minutes, you've given people plenty of time, and someone's gone and alerted security or compliance or the help desk. They send out a mass email; the jig is up. You've only got 140 email addresses into the organization out of 3,000, and your campaign is effectively over. That wasn't a good test of the humans. So the only time you should be doing low and slow is barbecue. Carl, come on. That's how you do good barbecue: low temperature, long period of time. God, F my life. Barbecue, Carl, barbecue. All right, so phishing is truly about speed. You want to get as many emails in front of people's eyes before they can collectively make a decision that this is bad and pass notifications.
You're racing the organization's ability to communicate and collaborate and detect you, and they will. Humans are social creatures. Oh wait, this whole talk's about communication, right? You're trying to exploit the race condition of getting your email in front of as many eyeballs as possible before they start communicating internally that, hey, maybe we have a problem, and start doing some reporting. And so make sure your deadline is really soon. Don't give them two days. Don't even give them a day. You want to get people into the lizard-brain part that's scared and has to act fast. And the other reason you want to make them act fast is they don't have a chance to talk to each other, because communication is their big defense. And that's one of the other things, as an aside, that we found has worked really well in the phishing: if you're asking someone to perform some action, give them a call to action and have some penalty behind it. Hey, if you don't go to this website and put in your username and password in the next 15 minutes, we're cutting off your access. And what happens when you cut off their access? You can't do your job, and then your manager gets mad at you. So what do they do? Oh crap, I better go do this, before the lizard part of the brain catches up and says, this is not... where did my tail go? Oh, right. So you're exploiting that race condition. Okay, so is my tail sticking out? So this poor gentleman, he chose poorly. This is in fact not Indy; he was not named after the dog, right? I remember, he didn't do that, right? Yeah, he drank from the wrong chalice, right? Okay, so, Jay? Sure. So, poor domain choice. Everyone learns this one really early on. You choose a domain badly. One of the great things that most people, most noobs, will try, and I'm not going to admit whether I've done this too, is they will pick, you know, they've got their target, Eli Lilly, and we've never done work for Eli Lilly so I felt safe putting them in here, hopefully, which just happens to have a company name that has
lots of I's and L's that can be replaced with ones. So, you know, you try something along the lines of changing an L or an I to a one, or changing an I to an L or an L to an I. The problem is, font collision attack, the problem is the employees are trained to catch this. This is like one of the few things that user awareness training does tend to get consistently right across the organization. So nobody's fooled, your numbers are awful, and everyone says, uh, yeah, they don't do good phishing tests. You don't want that to be you. So choose wisely, okay? Drink from the woodcutter's, the carpenter's chalice, right? Not the most lavish one, because, yeah, that's not the right one. Okay, so pick a really good domain. Use the customer's, use your name in the domain, but add additional, quote, entropy to it. You know, in this case, say, Eli Lilly benefits. Or pick a domain that you can use for multiple clients and then use subdomains per client to sort of make it look like maybe you've partnered with the third party, so that they now have multiple subdomains for each one of the clients and so forth. And honestly, figure out what will work. So you're going to come up with those ideas, and before you just stand up the domain and go on ahead, go and talk to your client, but also go and talk to your co-workers. You know, one of my co-workers sitting in the front row, John Sawyer, is the one who got me to pick better domain names and told me what kinds of things worked, and one of the co-workers who's also sitting up front is the guy who said, you know what, we should use domains, we should buy domains, keep them for the long term, and start using subdomains of those. And honestly, just talk to other people and collaborate. That's the biggest thing. So phishing is one of those things where we all just think, okay, it's a one-person job, I'm going to sit down and do it myself, and then whatever goes wrong, you're like, ah, shit, we could have avoided that. But if you talk to more people, whether it's at your client,
whether it's in your company that collaboration ends up producing better results. Don't do it in a vacuum. So what if your clients this is where we're going to break from a story or talk a little bit more about this story what if your client is the one who asked you to take their Eli Lilly domain name or what have you and change the L to a 1. So the client in fact wants to choose poorly the client wants to choose poorly you know it's not going to work you know why it's not going to work or you think it's really unlikely to work all that well and now you have to realize you're in a negotiation you can just say ah he made me do it he made me pick a bad domain so it didn't work out so well it's all his fault who cares. I don't care. Yeah screw that. As humans that's not what we're about we care about what we do so we want to make it better. So realize that this effort's about collaborating about communicating about negotiating so the easiest way to lose in a negotiation is to not realize you're in one and you're basically always in one but sometimes that means that you have something besides just yes or no besides just go with his idea or you know stomp your feet on your own idea and that's to get more creative. Sometimes that's as simple as just saying okay I'm not really sure about that one before we lock in on it can we brainstorm as part of a larger group can we you know can we get some more people from your organization in and yeah somebody else calls somebody else calls bull on the on the domain and and that makes it easier some more choosing poorly right the amount of people who has correct grammar is too damn high. 
So one of the ones we used to get hit with early on our clients the client would ask us to use broken grammar and spelling to simulate what they get you get frustrated because you know that'll lower your success rate heck maybe you go ahead and do it and you send out the broken grammar you end up frustrated the client's given his company a false sense of security so by winning by winning the negotiation when the client was pushing you to when the client was using broken grammar he just lost and that's that's my number one rule of negotiating if anyone loses everyone loses it's kind of like the if mama ain't happy ain't nobody happy it's actually if anybody ain't happy ain't nobody gonna be happy so grammar Nazis be like wait no are like okay alright so communicate with the organization and tell them how exactly that happens broken grammar actually reduces the effectiveness of testing the humans they're trained they know that if you're sending email to look like it's coming from a company as part of a phishing campaign to have it be somewhat legitimate and there's incorrect grammar do you think many people send out emails as their corporate organization as part of some marketing type of thing with incorrect grammar not usually because that probably goes through about 12 rounds of proofing and absolutely now start going digging into your spam and showing them to the people you're working with like look I just got this email it was spam and the grammar is immaculate this is this is key you know like if you're in that situation the client just feel it seems like the client just won't listen to reason your goal or your you know your boss won't listen to reason what have you your goal is to you know kind of take a breath stay present and get creative and if you can just stick with it and try again you'll often get a much better result and so it's like okay well tell me more about what your concern is why are you digging your heels in and they say all the stuff we ever 
get has broken grammar and you say okay let me show you some of the stuff that I get that isn't and that ends up being convinced and be willing to do both send some with broken and send some with good grammar and send it to two disparate groups within the organization and see how the numbers turn out and that's where creativity gets you that better result yep I love this one some cops are Jedi they're just holding this fence back with the Jedi mind trick okay so sometimes your fish is so good that some federal authority gives you a call and said what in the hell are you doing yeah so yes why because in many of the cases the organization that you're sending the email into doesn't involve enough people to tell them that hey we're doing a fishing campaign and then they escalate appropriately and they escalate way too far so we've had this kind of thing happen a couple times and when it happens it usually starts with the engagement where the client says the only people are going to know about this fishing exercise are me and my boss we're both in the phone no one else is going to know about it not the help desk not HR not legal not audit not whoever no one and then what happens they get one it goes to some C level manager and the C level manager freaks out and says oh my gosh this is super legal we need to report this and so they contact someone and they call the IT department and IT security guy calls reaches out to their infraguard contact and next thing you know the federal authorities are involved yeah that's not a good day trust me we're invisible or invisible rather yeah no didn't see that didn't see that so like we said before this is your project whether you're the outside consultant whether you're a mid-level manager whether you're the person lowest in the totem pole nobody works for you realize you have to lead you make this a mandatory part of the test when you're explaining what the test is you manage everyone's expectations here are the steps in the test 
we're going to follow steps one through one through eight and step three is you've got a you've got to involve HR and legal and that and that may that usually means that somewhere right there you're going to sit down with your client and brainstorm who needs to who might get called in the escalation and so who needs to know about this effective ways to do that tell this story so tell our stories or tell other people stories the human mind is basically set to remember stories and to pass them along it's what kept us alive so use stories and then finally know your organization yep and tell them about some of the escalation paths and maybe have some of those folks at some of the top of the escalation know about the phishing test so that they can you know they can put off calling the authorities and involving organizations okay so first you don't succeed fail fail again I love grumpy cat alright so the story of the unhappy client right you do this awesome phishing campaign you had a high success rate or you depending on what success is for your customer for the people you're working with the outcome for this phishing campaign was fantastic you got it in front of a bunch of eyes and they didn't fall for it because they had great training or they did fall for it because they had really poor training and then you start writing the report and you're almost done with the report and you're ready to turn into the client and they said hey did you guys finish the test like two weeks ago yeah and maybe or maybe just otherwise you just you did that you do the test you achieve great results you feel like it was totally success and your and your client you know client if you're outside or your boss just feels like it the effort didn't go well they didn't feel the love hey how many results hey how many results that's the other one hey how many results calls you what if your client or somebody calls you every 30 minutes you're trying to get your darn job done you're trying to do the 
phishing and you keep getting all these phone calls what do you do about it how many results yeah success alright happy client is a good client right a good client is a happy client okay set some expectations about the types of communication you're going to give to them during the engagement manage their expectations hey we're going to give you some updates a couple of times on the first day because it's typically when a lot of the results come in and then we're going to I'm going to call you end of day tomorrow and I'll call you the end of the day after that let you know how many results and then we'll let you know when it's over and you know when it should be over the call to action but some people are still going to do stuff after the call to action so we'll let you know when some of these come in or writing the report so next thing you know you're going to write the report we'll tell you when the report will be there set the stage for when you're going to do the communication so there's no surprises manage expectations and then finally empathize with your client your client usually has been rooting for this for a long time or your boss has been rooting for some kind of security test for a long time because they think that there's something to be worried about don't reinvent the wheel okay don't do this every time you do a phishing campaign if you do multiple even if you're doing it in your own organization retain the infrastructure that you built and fix the infrastructure based on lessons learned from your engagement don't spool this up every time what we found many years ago is that when we were doing this stuff every one of our consultants would spool up new infrastructure for every test and every one of them did it differently and everyone had different problems and we weren't learning anything yep because we're too busy trying to fix problems okay so we watched it a fail more because they're so innovative right create maintain and publicize the fix is 
either use existing good free tools we like phishing friends a lot or develop your own and whatever you choose lock in on it for a while and teach everybody how to use it maybe even record that maybe even record when you teach everybody how to use it so you can get everybody on the same page and that means that every assessment you do after that makes you better at doing this because now if you build any new if you build onto the infrastructure you're building a capacity you didn't have before yeah so automate and script it so that you can reuse it multiple times okay I love this one roses are red my name is not Dave this makes no sense microwave okay what are you talking about exactly we have no idea what we're talking about because we didn't follow up with the right people after the engagement to see how they thought it went what they and what did they do after the campaign and this is one we didn't even know was a failure this is one we didn't even know we were failing at because we had an unknown hard error right we had no idea what their outcome was and we learned when a client called us and started telling us about the results of the phishing they said okay ever since you ever since you did that phishing you've raised our reporting rates you've reduced our click rates because they're still testing themselves and they said we're getting higher report rates we're getting we're getting what we want and I said good I've never bothered to ask a client before how that worked out for them like I'd come back to them a year later but I didn't ask them for specific numbers and yeah find out yeah so need to say we've done a lot of frustration with phishing to the point that Mr. 
Breel used to have hair okay I pull it all out all of it okay so the overall lesson what's the take away phishing is all about collaboration okay again if you're having a conversation with two people you're having a negotiation whether you know it or not Jay and I negotiated several times on this stage we did we did and before here and with goons so most of the failures most of the failures we've been describing are failures either to think ahead and communicate collaborate and lead even that means even when that means lead with so we hope that you'll use these stories to persuade and plan and win at phishing at your work at life for whatever definition winning is remember remember the final store remember the final lesson if anyone loses a negotiation everyone loses so don't lose yeah thank you