
Week 13 Exercises: Phishing and Fraud

For today’s lab exercises, we are going to “think like a hacker” and try to create phishing messages. Below are a number of situations that a hacker might find themselves in. Your goal is to use everything you know about the target person or people, and everything you learned from the readings, to write the best phishing messages that you can.

Phishing Scenarios

Scenario 1: Phish your partner

Turn and look at your partner. Imagine that you are a hacker, and you would like to try to get into your partner’s UW account and access email messages that have been sent or received. To do this, you’ve set up a fake UW login webpage that saves the username and password if you can get your partner to try to log into it.

Your goal is to write an email message – a fraudulent, or fake, message – that will successfully trick your partner into revealing their username and password. That is, your message should include a link to your fake UW login webpage, and it should try to trick your partner into clicking on that link and entering their username and password into that page.

What should this message look like? Be specific – draw out the message on a piece of paper and write down the contents of the message. Who should it appear to be from? (You can pretend to be from anyone, but if you use a real UW email address, UW will notice and likely block it.) What should the subject line say? What should the message be about? Where will you put the link, and how will you trick them into clicking on it?

Use your knowledge of your partner to create a really good phishing message that is really believable. Work together on this; ask questions about how they do email, what they are interested in, and why they might click on a link in an email.

Yes, there are two of you, so you should each write a message for your partner. They don’t need to be the same; in fact, if they are the same, they probably won’t work very well.

Scenario 2: Phish the professor

Once you’ve got a good phishing email for your partner, let’s try something a bit more challenging: Write a phishing email that will trick me.

Same instructions: draw out a message on a piece of paper, complete with from address, subject line, and contents of the email.

This one will be harder. You don’t have me in front of you to ask questions about what I’m interested in. I’m also an expert on this; I’m generally skeptical of emails and have a lot of experience identifying phishing emails. How will you trick me?

Scenario 3: Mass Phish other students at UW

The first two scenarios are “spear-phishing”: they focused a lot of effort at trying to trick a very specific person. This is harder – you’ve only got one shot – but also, you know a lot more about the person and their skills and interests.

For the third scenario, let’s change things up. You are a hacker who wants to break into as many UW student NetID accounts as you can. You aren’t after any specific person, but the more accounts you can break into, the more money you’ll make.

To do this, you’ll want to send a message to a large number of UW students. You don’t have to trick all of them; just as many as you can. But you have to send (almost) the same message to everyone. You can only make minor edits (like changing out the name of the person) for each person. You’ve still got access to that same fake UW login webpage if you want to use it – or you can just ask people to send you their password?

On a sheet of paper, brainstorm and write out the message you’ll send. First, how will you send it? Will it be an email, a text message (SMS), a Facebook message, a TikTok, or what? Who will it appear to come from? How will you get past the automated filters that check for lots of copies of the same email going to lots of UW addresses? What should the message say?

Try to come up with the most convincing, most effective mass-phishing message that you can.

Scenario 4: Phish parents of UW students with ransomware

For our fourth scenario, we are going to change it up slightly. For this one, you are going to try to phish the parents of UW students. Imagine that I have a list of thousands of email addresses that belong to parents of UW students. Instead of trying to steal their account information, you have just purchased some “ransomware” technology: a program that runs on the person’s computer, locks down their computer to prevent it from doing anything, and demands that the person pay you money to get it unlocked. However, this program needs to be manually run on the computer to work – e.g. by double-clicking it in an email. It is new and tricky, so anti-virus programs don’t recognize it yet.

Your goal is to make as much money as you can by emailing this program to a bunch of UW parents and trying to trick them into running it on their computer. Once they run it, the program will do its work, and their computer will stay locked until they pay you.

On a sheet of paper, write a new (fraudulent) email that will trick UW parents into running this program. Think about what this email should look like: who should it appear to be from? What should the subject line be? The email will have the program attached; how can you trick the person into double-clicking on it and running it? What should you name the file? What should the email say about the attachment?

Write Advice

OK, you’ve now created at least 4 different phishing emails. And this has helped you to “think like a hacker” and get better at fooling people.

Now, let’s take the hacker hat off and put the security hat on. How can we protect people against this?

This is tricky, because we often don’t control most of the technologies involved. We can’t change, or even scan, text messages (scenario 3?), and most UW parents don’t use a UW email account (scenario 4).

Instead, what we can do is training. We can provide suggestions and advice and education to help people recognize phishing messages when they receive them, and hopefully avoid the negative consequences of those messages.

For each of the 4 scenarios above, I want you to go back and try to write down how you would train someone to avoid that message, and other messages like it.

Do each scenario separately. I think you’ll find that there are some things in common across the scenarios, but that there are also some things that are different and unique to each scenario.

Don’t just teach them to avoid that one specific message that you wrote. Instead, try to teach them to avoid the threat: all of the different types of messages that a hacker in that situation might write. What do you need the people to know (that they don’t already)? What advice can you give them to help them figure it out? How can you help them use that advice successfully when they are in the middle of reading their email (or text messages or TikToks or whatever)?