
The serious side of pranking

Created:  30 Oct 2017
Updated:  30 Oct 2017
Author:  Ian Levy

I was recently targeted for a prank and have taken the unorthodox step of asking James Linton, the very person who was trying to prank me, to help write this blog.

Our joint aim is to lay bare the realities of email security and, given that a cyber attack looks exactly like a prank, use this unique opportunity to show an attack from both sides.

The National Cyber Security Centre is doing as much as possible to make real people’s lives easier and safer on the internet. Initiatives such as the Active Cyber Defence programme are blocking, disrupting and neutralising malicious cyber activity before it reaches users.

The blog concludes with some hard questions for the tech and security industry about the future of email security.


Ian - Last week, SINON_REBORN (aka James Linton) had a go at pranking me, like he’s done with lots of other – much more high profile and important – people. I was lucky enough to spot it and we both thought it’d be a unique opportunity to see an attack from both sides. After all, James’s prank emails are trying to achieve exactly the same end as spear-phishing emails perform as part of a cyber attack – get someone to trust something they really shouldn’t.

The point of telling this story is to get away from the abstract and show people what attacks really look like. I also want to be really clear: I was lucky. My ‘cyber skillz’ helped, but I could have just as easily fallen for this. Regardless of who you are, we’re all reduced to making informed guesses around email security, so people shouldn’t be pilloried when they make mistakes. Systems should not be designed to fail in the ‘one click and you’re pwnd’ manner we still see.

So, here’s the story from both sides.

James - Having already pranked lots of high profile people, I was more than a little curious about how a similar prank would fare against a British security person. So I did some initial web searches to establish who I would try and hoodwink. It really didn’t take long to establish that Ian could be an intriguing target, and his claimed technical knowledge in many ways made him the perfect arch-nemesis of a mischievous internet prankster.

Now I just needed my ‘character’ - which I quickly established in my usual way, by looking at the ‘about us’ or ‘directors’ page of the NCSC website. Paul Chichester seemed perfect for the role, so I copy and pasted both Ian and Paul’s name into a web search, and hit the news filter. 

I was after something recent as a ‘hook’ to provide an innocuous topic of shared interest and an article about an NCSC Event was only days old and seemed to tick all the boxes. That was the hook sorted.

prankster image 1

Next step was to create my new email address. I just opened my browser and went to to create my fake account. After double checking the spelling of Paul’s name, I filled in the few details required by and I was all set to go in less than a minute.

I also wanted an extra layer of credibility within my initial email, something that would help maintain ‘inbox hypnotism’ as I like to call it. We all have subconscious triggers that are ingrained into us from years of email usage. As a prankster I have to keep these triggers at the very least in the neutral position, and ideally flick a few which positively reinforce the email’s validity, even if it’s not at a conscious level. To try and do this I created what looked like part of a forwarded internal message, using the name of somebody I had also found on the NCSC website earlier.

Now I was good to go. I hit send and crossed my fingers!

Ian - For me, this started when I got two emails apparently from Paul Chichester, the NCSC Director of Operations. I was on the Eurostar to Brussels to talk at a conference. Here’s what I saw on my phone.

prankster image 2
prankster image 3

As James says, this is a brilliant lure for most people – including me. My first thought was, ‘Chichester, you numpty, you’ve sent me the wrong mail!’ but then I wondered what he was trying to send to the other person, just in case I didn’t know about it. You feel a little bit naughty peeking into a conversation that wasn’t intended for you and I think that’s part of why this sort of thing disarms people. The inclusion of an apparent forward from Nicky Hudson, the NCSC’s awesome Director of Communications, just adds to the interest – what was she planning for the NCSC to say publicly that I’d missed??

So, I think I’ll have a look at the article. I am stupidly geeky, so I usually inspect links before I follow them. Yes, it is, on average, a colossal waste of time so I don’t think everyone should do this. It’s easy to do on most devices today, though. On most touch devices you just touch-and-hold the link to see what’s really there. Understanding what shows up is a different problem!

prankster image 4

Hmmm. That’s odd. That’s some sort of link protection for (but see what I mean about understanding what’s there?). We don’t use as our mail platform, so how has that been added if this is a real message from inside the NCSC?? Obviously, it hasn’t and this is what made me realise what was going on – although I didn’t know who was on the other end at that point. As I said, I was lucky. If I’d been tired or really busy (or there was alcohol involved), I may not have bothered checking.

The article this eventually ends up at is real, though, and it’s about an NCSC event we’re running for security researchers next year. James has already explained why he picked that and it worked brilliantly.

James - This is where I became the victim of a technical knock-out courtesy of Ian! I hadn’t realised would change what I thought was a pretty innocuous web address link. I also didn’t know you could view the link in such detail on an iPhone before choosing to visit the URL. Obviously, I was blissfully unaware that I’d not so much hit a trigger with Ian, but stood on the whole control panel. My ruse was rumbled.

Ian - So, where’s this message really from?

prankster image 5

Now we can see it’s really a address, but even so, the address has almost all the right bits in it and if you were busy and reading it quickly you could be forgiven for missing the fact it’s not right. People very rarely look at the underlying address either – especially on a phone where screen real estate is at a premium. Now you can see how lucky I was!

James - I guess I’ve never been too concerned about the actual email address I create, although I do try and make it look believable to some extent if I suspect they are in any way technically savvy. In the past I have pranked people using email addresses with, so I knew generally speaking they were hidden away due to the increasing personalisation and simplification of mail app user interfaces.

Ian - I was intrigued, so I played along with the prank until it seemed like a good point to come clean. We proceeded to have a decent conversation over email which is where the idea for this blog came from.

There were a couple of other things in the message that could have given it away as well. The quote format where Nicky’s message was supposed to be forwarded wasn’t right, Nicky’s display name and email address in the quote weren’t consistent with how we do them in the NCSC and, possibly the most heinous thing, was calling Mr Chichester ‘Paul’. Apparently, his mum is the only one that ever does that. But, realistically, can we expect anyone to consistently spot this sort of thing when they’re busy? These sorts of errors are reinforcements when you’ve already decided it’s somehow wrong, rather than high quality indicators of badness.

James - I think I was probably rushing a little when I created the fake forward by Nicky within the email; given a little more planning, I think I could have matched that better. I could probably even have managed to get hold of the rough footer format if I’d tried this with someone other than my main target prior to trying to engage Ian in conversation. Another little thing I did was, with each reply, to go back to the previous message I’d sent within the thread and re-type what I suspected was Paul’s real email address, replacing my fake one. This was just in case there was an unintended or intended scroll down the conversation to either check what had been said earlier, or out of suspicion. People seem to be good at picking out email addresses in quoted messages, so inadvertently leaving a trail of giveaways was something I could correct easily. It also added to the validity of the thread if my purpose was to encourage Ian to share the link with others.

Ian - This was a prank, but an attacker trying to get me to install malware or disclose credentials through a spear-phishing attack would go through exactly the same thought process as James did. This is an example of why we say that the accepted wisdom around email security (don’t do something unless you trust the email) is a bit pointless when it comes to spear-phishing.
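The three giveaways in the story (a familiar display name on an unfamiliar address, a link that has been rewritten by a link-protection service belonging to a platform the organisation doesn’t use, and quoted ‘From:’ lines that don’t carry the same address as the message header) can all be checked mechanically by a mail client. The script below is an added example written for this page, not NCSC code: the message, the contact directory, every name, domain and address, and the shape of the link-protection redirector (a host with the real destination in a ‘url’ query parameter) are all constructed for illustration.

```python
"""
Mechanical versions of the checks described in the post, written for this page
as an added example; not the NCSC's code.  The message, the contact directory,
all names, domains and addresses, and the redirector format are constructed.
"""
import html
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Constructed address book: display names the client has seen before and the
# address each one previously arrived from (a real client would build this
# from mail history).
KNOWN_CONTACTS = {
    "paul chichester": "paul.chichester@ncsc.example",
}

# Hypothetical link-protection redirector: host plus the real destination in a
# 'url' query parameter.  Real providers use their own hosts and parameters.
LINK_WRAPPER_HOST = "links.webmail.example"

# Constructed message in the shape of the lure: a real colleague's display
# name on an unrelated mailbox, a link rewritten by a consumer webmail
# redirector, and a quoted "From:" line carrying the colleague's real address.
RAW_MESSAGE = """\
From: Paul Chichester <paul.chichester.ncsc@webmail.example>
To: Ian Levy <ian.levy@ncsc.example>
Subject: Fwd: Event for security researchers
Content-Type: text/html; charset=utf-8

<p>Ian, thought you'd want to see this before it goes out:
<a href="https://links.webmail.example/?url=https%3A%2F%2Fwww.ncsc.example%2Fnews%2Fresearcher-event">www.ncsc.example/news/researcher-event</a></p>
<p>---------- Forwarded message ----------</p>
<p>From: Paul Chichester &lt;paul.chichester@ncsc.example&gt;</p>
<p>Subject: Event for security researchers</p>
"""


def body_html(msg):
    """Decode the (single-part) body to text."""
    return msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")


def check_sender(msg):
    """A known contact's display name on an address that contact has never used
    before -> (display_name, address_used, address_previously_seen), else None."""
    name, addr = parseaddr(msg["From"])
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and addr.lower() != expected.lower():
        return (name, addr, expected)
    return None


def unwrap_link(url):
    """Return the real destination behind the link-protection redirector."""
    parts = urlparse(url)
    if parts.netloc.lower() == LINK_WRAPPER_HOST:
        inner = parse_qs(parts.query).get("url")
        if inner:
            return inner[0]
    return url


LINK_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)


def check_links(page):
    """Links whose visible text names a host but whose href goes through another
    host first -> (host_shown, host_in_href, real_destination_host)."""
    findings = []
    for href, text in LINK_RE.findall(page):
        shown = HOST_RE.search(html.unescape(re.sub(r"<[^>]+>", "", text)))
        if not shown:
            continue
        href_host = urlparse(href).netloc.lower()
        if shown.group(0).lower() != href_host:
            real_host = urlparse(unwrap_link(href)).netloc.lower()
            findings.append((shown.group(0), href_host, real_host))
    return findings


def check_quoted_senders(msg):
    """'From:' lines inside quoted or forwarded text that carry the header
    sender's display name on a different address -> (name, quoted, header)."""
    name, addr = parseaddr(msg["From"])
    text = html.unescape(re.sub(r"<[^>]+>", "", body_html(msg)))
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*(?:>\s*)*From:\s*(.+)", line, re.I)
        if not m:
            continue
        qname, qaddr = parseaddr(m.group(1))
        if qname.strip().lower() == name.strip().lower() and qaddr.lower() != addr.lower():
            findings.append((qname, qaddr, addr))
    return findings


def triage(raw):
    """Run all three checks over a raw RFC 822 message; empty values mean clean."""
    msg = message_from_string(raw)
    return {
        "sender": check_sender(msg),
        "links": check_links(body_html(msg)),
        "quoted_senders": check_quoted_senders(msg),
    }


if __name__ == "__main__":
    for check, result in triage(RAW_MESSAGE).items():
        print(f"{check}: {result or 'ok'}")
```

Each check reports what the story had Ian spot by hand: the sender check is the ‘grey out the sender’ idea from the comments, the link check surfaces the redirector host that gave the game away on the train, and the quoted-sender check catches the address substitution James describes in earlier messages of a thread. None of them proves a message is malicious on its own; like the other small inconsistencies in the post, they are reinforcements a client can show the reader rather than a verdict.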

Whether or not you believe that James’s pranks are funny, they certainly help to highlight the poor state of email security. That’s why the NCSC is doing as much as possible to try to make real people’s lives easier and safer on the internet. Things like our Active Cyber Defence programme and some of the other work we’re doing should start to have an effect on the commodity nastiness on the internet. Then we can concentrate on the more pernicious stuff and help users – who are our first and best line of defence in all this – make better informed decisions. For example, is the user interface design right on most email clients? Look at those screenshots of what I saw on the train and you decide.

We also want the tech industry to help us work out what the future for email should look like – and make it much less dangerous for most people, most of the time.

Whatever that future is, it’s almost certain that at some point, someone in the NCSC will fall for a phishing attack – and it could easily be me (this isn’t a challenge, by the way!). They won’t be ashamed and we won’t blame them. We’re only human after all.


Simon Wilks - 01 Nov 2017
I would strongly argue that inspecting links is not a colossal waste of time. I would also suggest that any reputable email client should refuse to obscure link destinations and, for that matter, show both the 'From' email address in full, the originating domain and whether it matched or was authorised to send on behalf of that address. It would be trivially simple to do this, and need only clutter the screen a little, (and then only for emails from non-previous contacts). For open-source email programs, preferences and plug-ins are freely available that do exactly this, though they're not especially easy to find or use.

For decades, the major vendors have serially refused to address this issue. Whether that's because it's a responsibility they can shirk, or because they make money out of selling solutions further up the chain, isn't clear. Either way, we've seen a flood of initiatives aimed at 'educating' users while, simultaneously, products are increasingly stripped of the tools users need to use that education. In many email clients (including webmail), it's impossible to view the headers at all. That's not an improvement, that's an abject failure.

In short, I thoroughly agree that the interface is far from right. The question is, which of us is in a position to do anything about it?
Martin Hawley - 02 Nov 2017
Brilliant post and I agree with the above comment.
Oscar - 07 Oct 2018
Completely agree. I'm not sure how we'd get it enforced though, as much as it may seem common sense - even if it is just a setting somewhere that you chose when you setup your account, or enforced by a sysadmin?
Might be worth poking those higher up about it though... Hm.
Sandy Forrest, Atos - 04 Nov 2017
Ian, a very worthwhile post that I have copied as widely as I can (especially internally) as it brings home to friends and colleagues that the risk is real and applies to them. As Ricky Gervais said, don’t whinge and say ‘you think this sort of thing only happens to other people’ as from my perspective you ARE ‘other people’.
Will Davies - 13 Nov 2017
Ian, Thanks for this... a very good lesson
Elaine Madsen - 10 Feb 2018
No one will know just how easy it is, until it happens to them. So they say they were just fishing on the Lake.
Kamara A. - 25 Mar 2018
Good read.
I know of certain organizations that run a "Human Reliability Program", where staff are periodically subjected to in-house "phishing" mails.
The objective is to keep personnel sharp, as "victims" aren't subjected to any form of reprimand, but rather a cyber security awareness refresher program.
Kate R, Sociotechnical Security Researcher, NCSC - 27 Mar 2018
We are glad to hear that there are no reprimands for people who click. But there are a few other things to take into consideration when running phishing simulations:
Scott Storey - 15 May 2018
When I've run phishing tests I'm more interested to see how people respond than the actual click rate. Someone is always going to click on an e-mail and it only takes one to introduce malware to the network.

What I like to understand is do people know how to report it and who to?
Do the people who it's reported to know what to do and who to escalate to if needed?
Are there security minded people locally who will tell everybody about it in their immediate area so they aren't caught out?

People are the last line and the bulk should get filtered out by technical solutions where possible.
Gary Hall - 26 Mar 2018
One point to remember, I think, when very senior staff are targeted their email may well be filtered by a PA who may be reluctant to start questioning and who may be focused on forwarding on to the "intended recipient" without delay. So education must be universal.
Ian Dudley - 26 Mar 2018
This highlights something that has been nagging at me for a while. Like my NCSC namesake, I have for years been in the habit of checking the underlying URL in emails as a first indicator that there might be something dodgy going on.

But for the last year or so it has become increasingly common for such URLs to be replaced with virus scan portals, all of now does this, as do many internal company systems. But this makes it much harder to read the original URL, and in some cases I've seen it's not there at all.

I can see the value for anti-malware and general phishing protection, but for any kind of targeted or novel attack like this, it's actually making it harder for the user to spot the threat. I'm not suggesting these technologies not be used, as on balance they are probably improving security as the simple attacks are more common, but it would be even better if the vendors for these products could design them such that the original URL is readable if you want to see.
Martin Ohr - 27 Mar 2018
I've written about this on my blog previously. And also about how it could have been very different if SMTP hadn't won the email war at the turn of the millennium. I won't link to my blog direct from here - you can google it though: m71ohr on the popular blogging platform tumblr
Darren Storer - 18 May 2018
Interesting article. The sophistication of recent whaling attacks is worrying to say the very least. Automatically tagging/marking e-mails that originate from outside of your organisation with [EXTERNAL] and perhaps a suitable caveat definitely helps to alert the recipient that the content should be treated with caution. Regularly circulating reminders regarding e-mail safety and best practice is also essential.
Robin Tinsley (tinsleyNET IT) - 01 Jun 2018
It's been refreshing to see so many of our clients have used the GDPR as a general freshen up of security policies and practices, including email 'safe use' practice. Hopefully this will spill over into their personal lives and they will be better placed to identify fake emails.

It's also telling how easy it is to profile someone with a few simple searches, there is very little effort needed at all, and almost no cost to the fraudster at all.
Philip Hands - 12 Sep 2018
If clients insist on hiding the from address, wouldn't it be a decent idea for them to keep track of a user's email address(es) and alert the user when something doesn't line up properly.

Of course, the from address in an email is very easy to fake if one doesn't care about seeing replies, but I'd imagine that the Received: headers on that mail would also have given things away very quickly if something were routinely examining them.

One cannot expect normal people to look at such things, but the mail client could easily do so, and could give a visual cue (something like grey out the sender's name) when things didn't match what was previously seen.

I don't use a graphical email client, so I don't know, but I was under the impression that the icon (the disc with "PC" in it) was supposed to do something like that.

Does Mr Chichester normally get a different colour and/or initials for his real address? If so, I think the mail client could have made it _much_ more obvious to you that there was a clash going on.
John C - 17 Dec 2018
Very good article and thanks for sharing.

Technical controls (as some have mentioned) are one opportunity to mitigate the threats we all face via email; however, education and awareness are, in my opinion, the areas which deserve most focus, as the best defense to something which is constantly evolving.

In terms of technical controls, for the risk of family, friends and colleagues' legitimate email accounts getting compromised and used in these types of convincing attacks, I do wonder if some of the finance sector's anti-fraud Machine Learning technology is the answer, to assist us recipients in highlighting abnormal, out of character communications.
