CONTEST RUNS THROUGH JUNE 21! FULL RULES AND SCENARIO ALSO AVAILABLE AT --> https://phishstories.org
I’m an avid fisherman, so I know a thing or two about a fish story. That 12-inch bass somehow becomes a 2-foot monster when you’re telling it. I’m also a hacker with a security day job, so I know a thing or two about the other kind of phishing too. Turns out both have something in common: you’re proclaiming something incredible and hoping someone bites.
Years ago, the bad ones were easy to spot. Nigerian princes, unclaimed lottery winnings, mysterious government agents with secrets only you could know. They were so bad I often wondered if the goal was ever really to get someone to click, or just to make someone laugh. I thought, why not make it both?
That’s Phish Stories. Write a phishing e-mail that gets someone to click and makes the judges laugh. We’ve set the stage with a fictional company, fictional targets, and plenty of background material. The rest is up to you.
How Do I Win?
The best entry will find a way to combine clickability with laughability, what we like to call “targeted absurdity.” A hilarious backstory paired with a phishing e-mail that would actually hook someone is the sweet spot. It’s a delicate balance, but that’s what makes it fun.
That said, you don’t have to nail both. There are three ways to win:
- The Ruler – The best overall combination of clickability and humor. A creative backstory that builds into a phish that leaves us rolling. This is our overall winner.
- The Wizard – The most convincing, technically sound phishing e-mail. Humor is optional here; it’s all about whether your target would actually click.
- The Jester – The entry that made us laugh the most. Maybe it’s not the most clickable, but it’s the one we’ll remember.
Each submission has two parts:
- The backstory – Tell us about your target, why you chose them, what assumptions you made, and what happens after they click. Be creative. This is where you fill in the blanks. 600 words or less.
- The e-mail – The phishing e-mail itself. 600 words or less. Optional header information does NOT count against the word limit.
Save both to a single text file, attach it to an e-mail, and send it to: phishstories@protonmail.com
Contest runs May 10th through June 21st at 11:59pm Las Vegas time.
One entry per participant. If you send more than one, we’re only reading the first.
You’ll receive a confirmation within 48 hours. If you don’t hear back, reach out.
A few other things to keep in mind:
- No illustrations or graphics.
- Include your e-mail address and alias or hacker name (real name is fine too).
- Do not include DEF CON staff or goons without their EXPRESS WRITTEN PERMISSION, which must be forwarded to phishstories@protonmail.com along with their contact info. We’ll verify before allowing the entry.
Scoring
A panel of judges will individually stack rank all entries across six categories:
- E-Mail Clickability – Would your target actually click?
- Use of Sources – Did you read the scenario? There are nuggets in there, some not so obvious.
- After the Click – What happens when they do click?
- E-mail Humor – Did the e-mail make us laugh?
- Backstory Humor – How about the backstory?
- Creative Ingenuity – How outside-the-box did you go?
The winners are determined from those category scores:
- Ruler – Highest combined score across all 6 categories
- Wizard – Highest score in Clickability + Use of Sources + After the Click + Creative Ingenuity
- Jester – Highest score in E-mail Humor + Backstory Humor + Creative Ingenuity
Judging will be completed within two weeks of the contest closing.
Prizes (In-Person at the Con)
- Ruler – 2 Human Badges
- Wizard – 1 Human Badge
- Jester – 1 Human Badge
Check out last year’s scenario, entries, and winners if you want to see what you’re up against.
Stay in the Loop
Follow us for updates:
- BlueSky – @phishstories.bsky.social
- Defcon.social – serum@defcon.social
- Reddit – u/phishstories
Questions? E-mail us at phishstories@protonmail.com
Enjoy!