I used to phish scammers for fun. Most are greedy and stupid. My favorite tactic was to get them to click on a link (usually pretending to be to my bank account, or something they want, actually pointing to my domain) and then have a fake re-auth page for whatever web-based email address they were using where I collected their username/password.
It worked 100% of the time. I usually logged in, changed the password on them, and then proceeded to loot the email account of credentials/other interesting information and warn anyone they were directly contacting that they were being scammed. My goal was to shut down the entire operation.
The sad part is that it was mostly romance scams with elderly men and women that just lost their spouse, and didn't believe me when I told them they were being scammed.
It gets more complex these days with 2FA, but it's nothing evilginx can't solve.
My failed attempt. They do verification and I failed twice.