The Phishing Pond Writeup

Date: 19-10-2025 | Platform: TryHackMe | Difficulty: Easy

Overview

Catch the phish before the phish catches you! This TryHackMe room is an interactive phishing awareness training program that tests your ability to identify suspicious emails through 10 progressively challenging levels.

How It Works

This room presents you with various email scenarios, each requiring you to identify exactly one reason why the email constitutes phishing. The challenges progress in difficulty, testing different aspects of phishing detection skills.

Level Breakdown

Level 1: Suspicious Third-Party Survey

Why is this phishing? Contains a suspicious third-party survey link

The email includes links to external survey platforms that should not be part of normal business communication.

Level 2: Compromised Account Email

Why is this phishing? Unusual request from a normally legitimate contact (compromised account)

When a trusted contact suddenly asks for unusual actions or information, it may indicate their account has been compromised.

Level 3: Social Engineering Tactics

Why is this phishing? Various social engineering techniques (not detailed in this writeup)

Intermediate challenges testing awareness of common manipulation tactics.

Level 4: Personal/Banking Details Request

Why is this phishing? Offers require sensitive personal or banking details

Legitimate organizations rarely request sensitive financial information via email or unsolicited messages.

Level 5: Urgent Scare Language

Why is this phishing? Uses urgent scare language to force action

Creating panic to rush decisions is a classic phishing tactic that bypasses rational thinking.

Level 6: Malicious Attachments

Why is this phishing? Asks to enable macros in an attachment

Requesting users to enable potentially dangerous features like macros in documents is highly suspicious.

Level 7: Email Spoofing

Why is this phishing? Display name looks familiar but the email address doesn't match the organisation

This is one of the most common phishing techniques: a familiar display name paired with an address on a malicious domain.

Level 8: Suspicious Payment Links

Why is this phishing? Payment link points to a suspicious domain

Payment requests should always point to verified, official domains. Suspicious domains are a red flag.

Level 9: Advanced Social Engineering

Why is this phishing? Various advanced techniques (not detailed in this writeup)

More sophisticated phishing attempts requiring deeper security awareness.

Level 10: Domain Look-Alikes

Why is this phishing? Sender domain is a look-alike (e.g., rnicrosoft.com vs microsoft.com)

Typosquatting and domain imitation are advanced phishing techniques that can fool even experienced users.
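The sender and link checks that Levels 7, 8 and 10 describe, as an added Python example (not part of the room or this writeup). The trusted-domain list and the confusable-glyph table are constructed for the demonstration; a real deployment would load them from the organisation's own configuration.

```python
import re
from email.utils import parseaddr

# Constructed data for this example: domains the recipient's organisation
# treats as legitimate (an assumption; the room supplies no such list).
TRUSTED_DOMAINS = {"microsoft.com", "example-corp.com"}
# Glyph swaps used to build look-alikes, e.g. "rn" for "m" (rnicrosoft.com).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]
URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)

def normalize(domain: str) -> str:
    """Collapse confusable sequences so a look-alike maps onto the real domain."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def registered_domain(host: str) -> str:
    """Last two labels of a host (enough for .com-style TLDs; an assumption)."""
    return ".".join(host.split(":")[0].lower().split(".")[-2:])

def check_sender(from_header: str) -> list:
    """Level 7 and Level 10 checks on a From header."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain:
        return ["sender address missing or unparseable"]
    if domain in TRUSTED_DOMAINS:
        return []
    findings = []
    if normalize(domain) in TRUSTED_DOMAINS:  # Level 10: look-alike domain
        findings.append("look-alike sender domain: " + domain)
    for trusted in TRUSTED_DOMAINS:  # Level 7: familiar name, foreign address
        if trusted.split(".")[0] in name.lower():
            findings.append("display name '%s' but address domain %s" % (name, domain))
            break
    return findings

def check_links(body: str) -> list:
    """Level 8 check: every link should land on a trusted domain."""
    findings = []
    for host in URL_RE.findall(body):
        reg = registered_domain(host)
        if reg in TRUSTED_DOMAINS:
            continue
        kind = "look-alike" if normalize(reg) in TRUSTED_DOMAINS else "untrusted"
        findings.append(kind + " link domain: " + host)
    return findings
```

Running `check_sender` and `check_links` over a suspicious message returns one finding per indicator, so a single look-alike sender can trigger both the Level 7 and the Level 10 rule at once.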

Flag Capture

After successfully identifying the phishing characteristics in all 10 levels, the room reveals the final flag:

Flag: THM{i_phish_you_not}

What is Phishing?

Phishing is a cyber attack that uses disguised email as a weapon. The goal is to trick the email recipient into believing that the message is something they want or need — a request from their bank, for instance, or a note from someone in their company — and to click a link or download an attachment.

Common Types of Phishing

Common Phishing Indicators

Prevention and Best Practices

Lessons Learned

Real-World Impact

According to the FBI's 2023 Internet Crime Report, phishing attacks resulted in over $4.2 billion in losses. Organizations worldwide face significant financial and reputational damage from successful phishing campaigns.

Human error is involved in 82% of all data breaches (Verizon DBIR 2023), with phishing being one of the most common initial attack vectors.