Forum Thread: What Are Your Email Phishing Tactics?

I've cloned many sites, and they've looked convincing, but I've always struggled with probably the most important part. Delivery.

How do you Deliver your social engineering attack?

In many of the books about social engineering and or hacking I've read they've used or mentioned an email spoofing type deal; and I'm sure it used to work fine. But since the crack down of email spoofing through major email services like gmail, hotmail and the like, what works for you?

Do you have some provider that allows you to make convincing spoof emails? I'd love your feedback.


Join the Next Reality AR Community

Get the latest in AR — delivered straight to your inbox.

3 Responses

Hmm, how about this:

"You've been pre-selected for the Greatest Job on Earth.

To know more about the goods of our offer, please go to"

I don't think spoofed reply addresses and mass attacks work very well anymore (as in, send out 10,000 emails and hope that one person opens it and clicks the link). Maybe it does for some people and I just don't know about cool tools out there?

In my experience, it's much better to have a specific target -- a person, a single company, a meaningful user list connected to each other in some way.

In terms of just getting an email to someone, I think you more or less have to suck it up and buy a domain (find one that offers bitcoins), and set up the necessary records to get a basic email past spam filters. Even then, you run the risk of having the IP blacklisted if you send out too many emails. Depending on your campaign, you might be able to to get away with using a legit gmail address (not connected to your own, obviously). It depends on your target and what you're after from them.

After that, you still have to do some trial and error to ensure that your email won't get sent to spam. Even legitimate ones aren't immune -- there are a lot of guidelines out there intended for legitimate marketers advising them on how not to fall into spam traps (like don't use CAPITAL LETTERS in the subject line, etc). Those rules apply to phishing as well.

From there it's just a matter of social engineering.

There are other little tips and tricks, but that's the general approach I've used. I've had a lot of success, but for every one email that "worked," the previous 10 or 15 failed completely. You have to keep trying and refining your technique.

What about hosting a private email server on a laptop hiding between a VPN? Wouldn't it be more efficient?


Share Your Thoughts

  • Hot
  • Active