Phishing: How Easy It Is to Get Compromised

At BootCon, a mock cybersecurity conference, my peer and I demonstrated how easy it is for attackers to execute a phishing attack—one of the most common and effective cybersecurity threats today.

Why Phishing?

Phishing remains the #1 attack vector for credential theft, malware deployment, and corporate breaches. Even with a dedicated security team, a single mistake by an employee can open the door to attackers.

We created a hypothetical gym, Straya Strength Co., as our target model to showcase how attackers exploit trust and branding to deceive users. Many businesses, including gyms, rely on online portals for both employees and members, making them an ideal phishing target.

The Attack: Building a Phishing Website

For this demonstration, I built a lightweight phishing site using Flask, running inside a Docker container. The goal was to replicate a gym’s login page, mimicking its branding and layout to appear as legitimate as possible.

Key components of the attack:

  • Phishing email: Crafted to create a sense of urgency, prompting users to click the link.
  • Fake login page: A near-identical clone of the real gym login page.
  • Credential capture: Any login attempts were logged in plaintext.

Mitigation: Why Training is Key

While technical defenses like email filtering and MFA help, human error remains the weakest link. Employee awareness is the best mitigation against phishing threats.

At the end of our demo, we shared how effective corporate training programs should focus on:

  1. Recognizing phishing attempts: Checking sender addresses, hovering over links, and spotting urgency tactics.
  2. Reporting suspicious emails: Encouraging employees to report instead of engaging with unknown requests.
  3. Simulated phishing exercises: Regular training campaigns to reinforce awareness.
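As an added example (not code from the BootCon demo or from this page), the three "recognizing phishing attempts" checks above expressed as heuristics a mail gateway or awareness tool could run on an inbound message: sender address versus display name, visible link text versus the real href, and urgency wording. The brand name, the `strayastrength.example` domain, the lookalike domain and the sample message are all constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "straya strength"                  # assumed brand as written in display names
TRUSTED_DOMAIN = "strayastrength.example"  # assumed legitimate gym domain
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "verify now")
# Simple anchor matcher; a real gateway would use a proper HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def analyze_email(raw):
    """Return a list of findings; an empty list means no heuristic fired."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # 1. Sender address: brand in the display name but mail sent from another domain
    if BRAND in display.lower() and sender_domain != TRUSTED_DOMAIN:
        findings.append(f"sender domain mismatch: {display!r} sent from {sender_domain}")
    body = msg.get_payload(decode=True).decode()
    # 2. Links: the domain the reader sees in the text versus where the href goes
    for href, text in ANCHOR.findall(body):
        host = (urlparse(href).hostname or "").lower()
        if TRUSTED_DOMAIN in text.lower() and host != TRUSTED_DOMAIN:
            findings.append(f"link text {text.strip()!r} actually points to {host}")
    # 3. Urgency tactics in the body text
    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings

# Constructed sample: lookalike sender domain, deceptive link text, urgency wording.
SAMPLE_EMAIL = """\
From: "Straya Strength Co. Member Services" <support@strayastrength-login.example>
Subject: Action required
Content-Type: text/html

<p>Your membership will be suspended within 24 hours. Please
<a href="http://strayastrength-login.example/login">strayastrength.example/login</a>
to verify now.</p>
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run stand-alone it prints three flags for the constructed message; a message from the trusted domain with matching link text produces none.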