🎣

Phishing Campaign Case Study

PROOF OF CONCEPT

Social engineering is the biggest vulnerability in any system — it targets people, not software. I set up GoPhish and ran a phishing simulation against my own email to understand how these attacks actually work, and what makes them so effective.

Social Engineering GoPhish Security Awareness Self-Directed Learning

ℹ️

Educational Project -- Controlled Environment Only

This was a self-directed learning project. GoPhish was set up in a controlled environment and tested only on my own email. No real users were targeted. This project demonstrates understanding of offensive techniques for defensive purposes only. I learned these techniques to defend against them, not to use them maliciously. Phishing without authorization is illegal -- always get written permission and stay within ethical boundaries.

How I Built It

GoPhish Setup

I used GoPhish as the phishing platform — it handles email templates, campaign management, and tracking all in one place. Here's what I set up:

Configured SMTP for email delivery to my own inbox
Built HTML email templates using GoPhish's variable injection ({{.URL}}, {{.FirstName}}) to make them feel personalized
Created a fake login page to demonstrate how credential harvesting works
Used GoPhish's built-in dashboard to track opens, clicks, and form submissions

🎣 The Phishing Attack Lifecycle

A humorous look at how phishing attacks typically progress (educational purposes only!)

📧

1. Malicious Link

"Click here to claim your prize!"

→

🎣

2. Credential Harvest

"Please verify your account..."

→

🚪

3. Initial Access

Attacker logs into account

🦠

4. Malware Delivery

Trojan/Keylogger installed

→

🕸️

5. Lateral Movement

Spreads to other systems

→

💾

6. Data Exfiltration

Sensitive data stolen

→

🛡️

Prevention: Security Awareness!

The best defense is education + MFA + email filtering

🎓 What I Learned

Why Social Engineering Works

The biggest takeaway from this project: phishing doesn't exploit software vulnerabilities — it exploits how people think. Even knowing it was my own test campaign, the emails I crafted looked convincing. That's what makes social engineering so dangerous.

Authority: People trust emails that look like they come from IT, HR, or a boss. I tested templates impersonating all three — they all looked real
Urgency: Adding a fake deadline ("Your account will be locked in 24 hours") makes people act before they think
Familiarity: Clean formatting and familiar branding bypasses the gut check. A sloppy email gets ignored; a polished one gets clicked
Context: Timing matters — a "password reset" email right after a company announces a system migration would catch people off guard

Red Flags Users Should Spot

Building these emails myself taught me exactly what to look for when I'm on the receiving end:

Generic greetings like "Dear User" instead of your actual name
Urgency or threats designed to make you panic ("Account suspended", "Immediate action required")
Sender address doesn't match the display name — always check the actual email header
Unexpected requests for credentials or personal info (legitimate services rarely ask for this via email)
Hover over links before clicking — the URL in the text and the actual destination are often completely different

🛡️ Defensive Recommendations

🔐

Enable MFA

Even if phished, MFA prevents access

📧

Email Filtering

SPF, DKIM, DMARC, link scanning

🎓

User Training

Regular simulations & education

🚨

Report Button

Easy reporting mechanisms