Hands‑on phishing demo
An ICT staff phishing demo recreated fake login pages to show how credential harvesting works and to teach practical mitigations like URL verification, MFA and reporting. The post included live session photos and emphasised the psychology attackers use — urgency and authority — rather than just technical detail. (x.com)
An ICT team ran a classroom demo that rebuilt fake login pages and let staff see, step by step, how credentials get stolen. (x.com) Volunteers opened what looked like normal sign‑in screens. When they typed usernames and passwords, the pages captured those fields and displayed a warning that the input had been “harvested” for training. (x.com)

The mechanism behind that trick is simple: attackers clone the HTML of a legitimate site, host it on a different domain or path, and forward whatever a user types to a storage location the attacker can read. The clone can look identical to an email, Google or Microsoft login, or a vendor portal — and that visual match is enough to make many people enter credentials without pausing. (crowdstrike.com)

The demo did more than show the technical setup. Organizers photographed the classroom and pointed out the social levers attackers use: messages that sound urgent (“your account will be locked”) and messages that claim authority (“IT needs you to verify now”). Those two cues make people rush and obey, which is the whole business model of credential phishing. (nist.gov) (cisa.gov)

For a K–12 IT coordinator juggling two campuses, the demo suggests three concrete defenses that cost little time once set up.

First, teach staff to check the URL before typing: real services appear on their real domains and through the official browser UI, not on odd domains reached from an email link. (learn.microsoft.com) (crowdstrike.com)

Second, require multi‑factor authentication (MFA). If a password is captured, MFA — a one‑time code or push approval — stops most attackers from logging in with that stolen password alone. Enabling MFA is a one‑time admin task that blocks a very common next step after credential theft. (huntress.com 1) (huntress.com 2) (ed.gov)

Third, make reporting trivial. The demo emphasized that quick reports turn an isolated mistake into an opportunity to contain access and rotate credentials. Use the school’s incident channel and, for suspicious campaigns, CISA’s reporting paths so analysts can trace broader campaigns. (cisa.services) (cisa.gov)

On the device side, the session recommended using an MDM that fits your fleet: Jamf or similar tools for Apple devices, and the Google Admin console for Chromebooks, let one person push MFA policies, browser settings, and app allowlists to hundreds of devices in minutes. Those systems turn repetitive work into a small set of scripted actions you run once, then monitor. (jamf.com) (support.google.com)

The value of the classroom demo was immediate. Staff left having touched a cloned page, watched credentials be logged, and learned three things they can do tomorrow: pause and verify URLs, enable MFA, and report quickly. (x.com)
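The “check the URL before typing” lesson can be turned into a small training aid. The following is an added example, not code from the demo or the original post: it takes a sign‑in link and a constructed allowlist of the school’s real domains (the hostnames and domain names used here are placeholders) and explains why a link does or does not land on a trusted host, including the prefix‑subdomain and userinfo tricks that make a cloned page’s address look familiar.

```python
"""URL verification helper for phishing-awareness training.

Added example (not part of the original post). Domain names below are
constructed placeholders; replace TRUSTED_DOMAINS with your tenant's.
"""
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains the school's real sign-in pages use
TRUSTED_DOMAINS = {"google.com", "microsoftonline.com", "example-school.org"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. This is a simple approximation of the
    registrable domain; multi-part suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_login_url(url: str, trusted=TRUSTED_DOMAINS) -> tuple[bool, str]:
    """Classify a sign-in link. Returns (is_trusted, reason)."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, f"scheme is '{parts.scheme or 'none'}', expected https"
    host = parts.hostname or ""
    if not host:
        return False, "no hostname in URL"
    # Text before '@' in the authority is userinfo, not the host:
    # https://login.microsoftonline.com@mfa-check.example/ lands on mfa-check.example
    if "@" in parts.netloc:
        return False, f"userinfo before '@' hides the real host {host}"
    # Punycode (xn--) labels can render as lookalike Unicode characters
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalised (xn--) label in {host}"
    domain = registrable_domain(host)
    if domain in trusted:
        return True, f"{host} is under trusted domain {domain}"
    # A trusted name used as a subdomain prefix (accounts.google.com.evil.example)
    # is the classic way a cloned page is given a familiar-looking address
    for t in trusted:
        if t in host:
            return False, f"{host} contains '{t}' but resolves under {domain}"
    return False, f"{host} is under untrusted domain {domain}"


if __name__ == "__main__":
    # Constructed sample links of the kind staff might be sent
    for u in ["https://accounts.google.com/signin",
              "https://accounts.google.com.login-verify.example/",
              "https://login.microsoftonline.com@mfa-check.example/",
              "http://example-school.org/portal",
              "https://xn--gogle-1ta.com/"]:
        ok, why = check_login_url(u)
        print("OK  " if ok else "WARN", u, "->", why)
```

Running it on the sample links prints one OK line for the genuine Google host and a WARN line with the reason for each of the other four.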