The results are in… and we have a winner! After much deliberation among our panel, we’re pleased to announce Gareth Stanyon as our 2nd Annual Phish Throwdown winner. Gareth’s email “Corporate Information Security Breach” addressed a recipient who supposedly violated company policy regarding social media use. To respond to the allegations, the email directs the recipient to click on a link. The email is personalized with the recipient’s name, organization, and department.
This entry stood out as a realistic and persuasive scenario (who isn't going to think about clicking on a page to defend themselves against a possible violation of company policy?), making it a most worthy winner. While Gareth's submission was excellent, that's not to say we didn't receive other solid contenders.
Among the other strong submissions was one detailing the actions a recipient should take in the wake of a high-profile retail breach (with a link leading to a phony log-in page, of course), and another that sent the recipient an attachment of medical lab results under the name of the recipient's spouse. While both created compelling and original phishing scenarios, both unfortunately used copyrighted brand material, a clear violation of the contest rules. We made this practice against the rules because it can undermine the legitimacy of a phishing exercise by creating unnecessary confusion, and it can also lead to legal problems. The Army learned this lesson the hard way back in March, which we discussed in an earlier blog. The truth is that clever scenarios like the ones we received don't need copyrighted material to succeed: recipients will still fall for a well-crafted email even without actual logos and brand names.
We’d like to thank everyone who submitted an entry; you all made our Phish Throwdown a success again. We continue to be amazed at the clever ideas that we receive, and really enjoyed reading all of the entries.