Ichthyology: Phishing as a Science

Black Hat USA 2017

Presented by: Karla Burnett
Date: Wednesday July 26, 2017
Time: 10:30 - 10:55
Location: Mandalay Bay GH

Many companies consider phishing inevitable: the best we can do is run training for our employees, and cross our fingers. But does phishing training actually work?

In this talk we'll cover the psychology of phishing, then walk through a series of real-world attacks conducted against a Bay Area tech company - including conversion rates for each attack, and ways in which existing protections were bypassed. We'll cover recent technological advancements in this area, then combine these with our case studies to provide evidence-based techniques on how to prevent, not just mitigate, credential phishing.

Karla Burnett

Karla Burnett has a varied offensive security background: she's reverse engineered train ticketing systems, written articles on TLS and SSH, and competed in the Defcon CTF finals for the last several years running. She officially works on authentication and application security at Stripe, but builds internal phishing campaigns when she has business hours to spare. She's cumulatively phished nearly half the company, has triggered many bouts of internal paranoia, and has built a reputation as being entirely untrustworthy when it comes to email.
