Can you spot the phishing scams in 3 of our most popular templates?
In a Webroot study of 600 IT decision makers, phishing attacks leapfrogged from the number three spot in 2017 to the number one breach concern among organizations. Although 100 percent of those surveyed train employees on cybersecurity best practices, that number drops by half when respondents are asked whether their program framework is continuous. As reports of data breaches continue to climb, annual compliance reminders or one-time onboarding briefs just don’t cut it in combatting today’s world of crafty cybercriminals. Threat actors vigilantly adjust and adapt their tactics through social engineering, which continues to be the most popular way to launch email attacks.
Building a successful security awareness program starts with education. Phishing simulation campaigns are a great way to kick off your program, implement ongoing training and keep your employees sharp while identifying additional training needs.
Can you spot phishy indicators? Below are a few of our most popular phishing templates used by our clients; see if you can recognize what’s phishy before reading the hints.
From: Hilton Orlando <hilton-orlando@encyrpt-mail.net>
Subject: You Deserve a Vacation - Take One on Us!
Hi Joe,
Have you heard the news? Hilton Orlando has partnered with the Madison Chamber of Commerce to give one lucky Madison resident an all-expenses-paid vacation to one of the most magical destinations in the world!
Enter to Win!
You deserve a vacation this summer. Enter for your chance to win:
- A four-night stay at Hilton Orlando
- Eight theme park tickets to Walt Disney World Resort
- Rental vehicle access for five days
Hurry! The 2018 Hilton Orlando's Summer Getaway Sweepstakes ends 7/31. Enter today to win the Orlando getaway of your dreams!
Learn More
Good Luck!
Merida White
Hilton Orlando Client Relations
What’s phishy about this email?
- The offer is too good to be true. Any time an email subject offers free goods or services, it should raise your suspicions
- These links don’t tell you where they lead. Hackers use link masking to hide the actual URL of the link. Most browsers will display the true link when you hover the mouse pointer over it
- The personal touches. It is easy to find company logos, signatures and position titles from the internet, and hackers use this to their advantage to make phishing emails look more legitimate and target their victims
From: Dropbox
Subject: Michael Schmidt wants to share "schmidt_2018_1040.pdf" with you
Michael Schmidt invited you to a Dropbox shared folder called "schmidt_2018_1040.pdf" and left you this message:
"FYI"
Download Folder
What’s phishy about this email?
- Do you know Michael Schmidt? It’s easy for hackers to look up employee directories; many are available online
- If you do know Michael, do you work with him regularly? Out-of-the-blue correspondence is a phishing red flag
- Scrutinize the email: a sender line of just “Dropbox” and “FYI” as a file name are vague and unclear. Hackers purposefully titillate, giving just enough to entice you to click and see for yourself
Email #3 Business Email Compromise Attack
From: Samsung mail <samsung@strong-encryption.com>
Subject: Failed payment
Hey Joe,
I just tried making a payment with our corporate credit card and it didn't go through. The number is correct I think. Did we get a new card? Maybe the expiration date or code is different? Can you send me this info quick? I need to get this taken care of today or we’ll be fined.
Thanks,
Jenna Hulbert
Account Manager
Sent from my Samsung Galaxy smartphone
What’s phishy about this email?
- The sender appears to be an account manager. Inspect the sender line: the email is from Samsung mail, and @strong-encryption is a phishy domain
- A manager is requesting sensitive information via email. You should never share confidential information via email, and any manager would be familiar with this commonplace company policy
- There’s a sense of urgency and pressure for you to act quickly. The short timeline and financial consequence are designed to create anxiety, so you respond with the information before you have a chance to think it through
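Several of the indicators in the hints above (a sender domain that does not match the claimed brand, link text that hides its destination, and deadline pressure) can also be checked mechanically when triaging reported mail. The following Python example is added here and is not part of the original article or of any Infosec product; the sample message, its placeholder URL, the keyword list and the names `Links` and `indicators` are constructed for illustration, and the results are heuristics for a reviewer, not verdicts.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the first template; the href is a placeholder.
SAMPLE = """\
From: Hilton Orlando <hilton-orlando@encyrpt-mail.net>

<p>Hurry! The sweepstakes ends 7/31. Enter today to win!</p>
<a href="http://landing.example.invalid/enter">Learn More</a>
"""
PRESSURE = re.compile(r"\b(hurry|quick|today|fined|ends \d+/\d+)\b", re.I)

class Links(HTMLParser):  # collects (visible text, href) for each <a> element
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.text.strip(), self.href))
            self.href = None

def indicators(raw):
    """Return (indicator, detail) pairs: sender, link and pressure heuristics."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body, out = msg.get_payload(), []
    # Display name claims a brand that the sending domain does not contain.
    if name and name.split()[0].lower() not in domain:
        out.append(("sender-mismatch", f"{name} <{domain}>"))
    # Link text hides the destination: report the host that hovering reveals.
    parser = Links()
    parser.feed(body)
    for text, href in parser.found:
        host = urlparse(href).hostname or ""
        if host and host not in text.lower():
            out.append(("masked-link", f"{text!r} -> {host}"))
    hits = sorted({m.lower() for m in PRESSURE.findall(body)})
    if hits:
        out.append(("pressure", ", ".join(hits)))
    return out
```

Calling `indicators(SAMPLE)` returns one entry per indicator found, each with the detail a reviewer would want to see, such as the real link host.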
SecurityIQ’s phishing simulator includes 1,000s of phishing templates in a variety of attack types and difficulty levels. Our customizable templates make training fun, interactive and engaging while building a culture of security awareness for your organization. Teach your team to detect phishing like a pro! Start your free trial.