The Phishing Ecosystem
1 phish, 2 phish, dead phish, you phish. This is the defective little Dr Seuss rhyme running through my head as I am reviewing phishing emails in my inbox on the weekend.
Seriously - I must be one of the only people in the world that actually likes to see phishing emails arrive in my inbox.
Ohhh, I gasp, that's a good one - very clever.
Mmm - interesting - let's have a little look-see at their bitcoin wallet and see if anyone has fallen for that one yet...
Oh, I made that purchase did I? Nice try buddy-chum but no cigar.
A prize for me? Oh, you shouldn't have. Annnnnd you definitely didn't.
But I can tell you, baby, we're not in this for the long haul.
The reason I am so enamoured with phishing emails currently is because I am designing a course called Phishing Countermeasures for one of the universities here in Australia. But unfortunately for me, I am of the opinion that sometimes the education world sucks at education. Let's slap a slide deck together, give them a boring 600-page textbook to wade through and you go get 'em, tiger!
I'll put my hand up and say I've done similar in the past. Why not? It's easy. It's comfortable. And I am sure the people in the room were concentrating very hard on the (potentially imaginary) flecks of fluff on their pants within five minutes of the session starting.
In this course, I aim to change that. I am of the serious belief that people learn from doing things - hands-on embeds it in our brain. That's how habits form - it becomes an unconscious practice.
Once upon a time, when I was a desktop engineer, I rolled out a new version of software for a Japanese company. Everything on the screen, including the software installation instructions, was in Japanese. I went to the CEO's desk and installed the software - I clicked the right buttons, chose the right options and turned off the bits that weren't meant to be installed.
Soon after starting the process, the astonished CEO leaned over my shoulder and said: You can read Japanese?
No, I replied and shrugged. I just know the software.
The screens, the options were all embedded in my brain from countless hours of doing the same thing with the English version.
But, some technology concepts are not very hands-on or visual. I hate the networking OSI layers, for example. I get it but it's just so (1) boring and (2) usually abstracted from practical examples when they teach it to you. One day I'll come up with a fabulous visual model and story to explain the OSI model. But not today. Today I focus on my sushi.
For this new course the first step to creating something that people remember is to visualise the ecosystem for them - then with a visual map in hand, I can tell them stories that touch on various ecosystem elements. People love and remember stories. Then, we practice the story by doing it ourselves in hands-on labs. We create our own stories and habits.
Visualise -> Story -> Practical
First - the visuals that will help me tell the stories. I would be very honoured to have you, my dear reader, give me feedback on the technical accuracy of v0.2 of my phishing ecosystem diagram. I am not the know-it-all. Life, after all, is a collaboration.
Here it is - it's not super pretty yet but the basic content is there. What do you think? What have I missed? What can I improve?
If, for some reason, the image isn't appearing below, you can also view the image here.
I am currently working my way through your CSU Phishing course. Great course. Is there a live link somewhere to your phishing ecosystem poster? Unfortunately it is not even available on the Internet Wayback Machine.
Image link is dead. Good article. It should be http://phishingcountermeasures.com/component/edocman/posters/phishing-ecosystem-poster
Impressive work on the phishing ecosystem diagram! It is quite comprehensive. There are a few things that you may want to consider adding, though they may be subsets of items you've included:
- under "Acquire Contacts" - social and professional networks
- under "Determine Target Method" - business email compromise
- under "Deception Result, Technology" - advanced endpoint protection (e.g., Cylance or CrowdStrike)
I'm interested to see how the course comes together. It looks like a rather demanding undertaking. Best of luck for a successful course.
- Eliot Leibowitz