Phishing Attacks: Learning by Doing


Tom Chothia, Stefan-Ioan Paiu, and Michael Oultram, Univ. of Birmingham


Phishing, and particularly spear phishing, is a major security concern, however it is often not taught in any detail on security courses. Showing students examples of what they know to be phishing e-mails tends to give the incorrect impression that phishing is easy to spot and those that fall for phishing e-mails are foolish. Phishing students without their knowledge might be an effective way to teach students the dangers of phishing, but would lead to ethical and legal issues.

We have developed a framework in which students can try to perform phishing attacks against a simulated company. The framework takes the form of a single VM which the students download and runx on their own machines. On this VM the students find a website for a fictional company (with employee details), an e-mail client and common tools used for phishing.

Using what they can find out about the company employees the students need to carefully craft spear phishing e-mails. A script in the VM processes every e-mail sent by the student and uses rules to decide if they have produced a realistic spear phishing e-mail. If the e-mail passes this test then any attached executable, or any macros in Office documents will be run. Hence, the students need to both craft a successful phishing e-mail and a malicious payload. There is a docker container for each possible phishing victim, successful payloads may give the student a shell on this container, where they can find a flag, which they can submit to show they successfully completed a phishing attack.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {219734,
author = {Tom Chothia and Stefan-Ioan Paiu and Michael Oultram},
title = {Phishing Attacks: Learning by Doing},
booktitle = {2018 USENIX Workshop on Advances in Security Education (ASE 18)},
year = {2018},
address = {Baltimore, MD},
url = {},
publisher = {USENIX Association},
month = aug