The next time you get an email from a bank you don’t do business with, asking you to login to verify your account details, enjoy it!
First, forward the email, with all the headers to the bank, so they can protect other users.
Then, click on the links and enter any data you think the scammers would like to read.
- Account numbers and passwords should include fun words like hahahahahaha
- Secret questions and answers are excellent opportunities to send little text messages, such as ‘You have been reported to the authorities’, or ‘Get a real job’.
- View the source for the page to see if there are any additional opportunities to exploit the site. The code is often excellent.
- Practice your security skills by adding interesting strings to the URL, including XSS
- Consider SQL injection, ‘;truncate users; or ‘;delete * from table;
- Check what happens if you paste a huge amount of text into the form
- If you have a lot of time, look into automated answering, using curl or other similar tools to submit more information. This helps the people who are trying to collect data get more data, more quickly.
Bear in mind you may anger some people, and they may not react in a friendly manner. Protect your identity, that of your server and ISP.