Email is the most commonly used delivery method for phishing attacks and has become the tool of choice for online fraud. Private businesses are often the biggest target for phishing because it only takes one employee to let their guard down for attackers to compromise the entire company. Nearly 114 million phishing emails are sent every single day and combined these activities will produce over $5 billion in illegal profits for criminal organizations in 2017.

Being a security focused, private company, some of our engineers thought it would be an interesting experiment to test our defense and response to phishing attacks. Operation TunnelPhish was born.

Teach a Bear to phish

Technology has lowered the bar to entry for everything, including phishing. Campaigns have become so easy to run that anyone with basic knowledge of how to setup a domain and route emails is halfway there.

Technology has lowered the bar to entry for everything, including phishing.

As proof of this, our team quickly found some software that mirrors email marketing tools functionality, but with a few extras. Not only did the phishing software track metrics like open rates and clickthrough, it also captured all information submitted by the victim, including their passwords.

“How do you do, fellow Tunnelling Bears”

Setting up a convincing impersonation is the key to any phishing attack. Phishing attempts succeed because the victims believe they are handing their credentials over to a trusted source. Most people know not to provide their PIN and credit card numbers in an email, even if it looks like it comes from their bank. However, not as many people think about emails from Facebook or Dropbox warning them to take action before their account is canceled. When targets are contacted with a time-sensitive request about an important matter, many of them panic and hand over account credentials without thinking.

To trick the Bears, our engineers needed to make a convincing email address, website and active URL to make it seem like the attack was a legitimate email from a coworker. To make the attacks even more convincing, personal details were added about each staff member so the attack emails had context specific to each role. Our support team received emails that referenced account issues while the emails sent to engineers centred on bug reports. All of these emails forwarded the target to a fake login screen where we could see who took the bait.

Enemy in the cave

Once an attacker has received your credentials, they can do anything they want within the scope of the accounts they’ve compromised. Identity theft is the most common outcome for personal accounts because it’s hard to trace, easy money and doesn’t take a lot of time to get started. If a phisher is on top of their game, they could have bank accounts, mortgages or credit cards made out in your name the same day.

For businesses, attackers will keep sending emails and malware around the company to get as many points of entry as possible or to spread ransomware for maximum damage with minimal effort. Businesses that suffered ransomware attacks were largely responsible for the nearly ten-fold increase in phishing payouts between 2016 and 2017.

Embrace your inner skeptic

If something about an email seems off, trust yourself and be skeptical.If something about an email seems off, trust yourself and be skeptical. By creating good habits, practicing phishing scenarios and communicating with your team, you can help minimize the potential of an attack succeeding. Exercises like TunnelPhish can be a fun way to bring the office together while teaching everyone an important lesson about security at the same time.

Some ways you can help protect yourself and your coworkers:

  • Password managers:

    Password managers are a great tool for phishing prevention because they associate your passwords with specific website addresses. If you’re sent to a fake site your password manager will not present the login. This is a good warning sign that something is wrong.

  • Practice identifying phishing emails:

    Regularly testing your staff’s response to security threats is a great way to keep them alert and engaged.

  • Use 2FA:

    While using two-factor authentication doesn’t fully protect you from phishing, it can make you a less attractive target for the average mass phishing campaign. It can also help against attackers trying leaked or stolen credentials on multiple sites.

  • Confirm through a different channel:

    If you get a suspicious email. Don’t reply directly to the email or click on links in the email. Use a different channel (Chat apps, Phone call, etc) to confirm the sender. Create a culture in your company where that’s the norm.

  • Setup unknown device alerts:

    Many apps have options to alert people if an unknown device tries to access your account. This is an easy and quick way to deny access so be sure to use this feature if it’s available.

Rawwwr, you’ve been phished! What now?

It was a long day, you didn’t have your afternoon coffee and that friend request looked super convincing. You’ve been phished. Whatever you do, don’t hide what happened:

  • Tell your coworkers
  • Change your passwords and logins for all affected accounts
  • Logout and back into apps with your new credentials on all of your affected devices
  • Show your coworkers the phishing attempt so they know what to lookout for
  • Talk about what made the email feel so convincing
  • Identify red flags and what to look out for in the future

The catch of the day

We learned that skilled email phishing is a serious threat. While most employees immediately flagged the suspect emails, in the end Operation TunnelPhish successfully netted a few Bears. This goes to show that even when you’re aware of the dangers, it’s possible for a well-crafted email to sneak through your guard.

The positive takeaways from the experiment were the conversations that came after it. We learned how easy it was to set up an effective phishing campaign, we discovered best and worst practices once a suspect email was spotted, we introduced new expectations and cultural norms around emails and built them into internal security plans moving forward.

We hope sharing our experiment has given you a chance to think about how you manage your own emails, how you can improve your company’s security culture and how to build a plan to handle threats when they appear. If you have any questions about our experiment please get in touch at

One last important note, no Bears were harmed during this experiment, but maybe a few security egos.

Happy Tunneling,
Alex L. - Toque Bear