How to write Phishing templates that work

Andrei Antipov
April 16, 2016 by
Andrei Antipov

Phish me once

Phishing isn't hard. Despite all the frightening news reports about ransomware and millions of stolen dollars and identities, people still happily click on links and open attachments. To be more precise, 11 percent (that's 1 in 10 people!) open attachments. They don't even hesitate: it takes an average of 82 seconds from the start of a phishing campaign to get the first bite. There are numbers of reasons for the continuous success of phishing attacks. One is lack or inefficiency of security awareness training. According to a PwC survey, 4 out of 10 organizations don't provide any ongoing security education to their employees. And of those that do, many still rely on good old PowerPoint presentations shoved somewhere in-between OSHA and harassment parts of the annual "bring-your-pillow-to-work-day" training sessions. Hopefully, you are not one of those companies, and your employees are provided with the quality training offered by SecurityIQ AwareEd, which includes an engaging and interactive Phishing module.

Role-appropriate training to your entire workforce

Role-appropriate training to your entire workforce

Get a free year of cybersecurity skills training with your security awareness training purchase.  

However, another reason for phishing remaining at the top of cybersecurity threats is that the attackers are getting smarter. While blatant typo-ridden requests for Social Security numbers written in broken English and sent from a Yahoo! account are still out there, most of the phishing attacks nowadays employ much more sophisticated techniques. Which means that you, an internal phishing campaign designer, should, too. In this article, we will show you how to easily create effective (read "similar to ones that could potentially cause a great deal of damage if used by a real attacker") phishing templates with InfoSec Institute's SecurityIQ PhishSim.

Phish me twice

It's vitally important to ensure that your employees really learned their lesson, by which I mean the lesson of not clicking on random links in suspicious emails, not the lesson of avoiding that one email they now know is from you. People who fall for phishing attacks repeatedly present a serious risk to your organization. The Department of Homeland Security's (DHS) chief information security officer, Paul Beckman, called for revoking the top-secret security clearance of individuals who keep taking phishing bait. To be able to correctly identify such employees and to cultivate the secure habits, you must use different templates for your phishing campaigns. Again, the goal is for the employees to recognize the threat, not to beat you in a round of Gotcha! With SecurityIQ PhishSim, you can quickly create new phishing templates and modify the existing ones.

Subject matters

How many emails do you get every day? Research shows that an average user receives 90 business emails per day. Less than 30% of emails that are part of a marketing campaign actually get opened by users. So it is very important to give your phishing email a subject line that would trigger the user's interest. You may come up with something closely related to your organization ("New payroll application sign-up") or rely on universal techniques proven to work:

  • What do real phishers use? In 2013, the top phishing email subject was "Invitation to connect on LinkedIn". There is a good chance it will still work today.
  • Include a credible name. "Attention Bank of America customers" should evoke enough curiosity/concern to open the email.
  • Inform the user of an error. Especially effective if that's an error they believe they've made. "Mail delivery failed: returning message to sender" is almost guaranteed to create a "what the …?" reaction followed by opening the message.
  • Get personal: insert the recipient's name. With SecurityIQ PhishSim you can use variables to include your learners' first and/or last names in the email subject line.

Figure 1. Custom subject line in SecurityIQ PhishSim template editor.

Where you from?

A more careful user (possibly one who got phished before) may look at the sender's email address. To make your phishing email more convincing (and get your leaner more confused), add a legitimate-looking subdomain to your "From" email address. Actually, add a couple, and make sure they are long, such as "notifications.accountmanagement". Some email clients, especially the mobile ones, would not show the entire return address.

Figure 2. Adding a custom sub-domain in SecurityIQ PhishSim.

Figure 3. Sender email viewed in iPhone email client.

Phish phillet

Now let's get to the actual message body. Three important things to keep in mind: your message should look right, make sense to the recipient, and provide strong motivation for clicking the link.

SecurityIQ PhishSim includes a feature-rich WYSIWYG template editor, but don't get carried away with graphics! Real email notifications usually contain very few images (mainly logos) or no images at all. The best approach would be to simply imitate an actual email. In Figure 4 you can see a real Bank of America bill pay alert next to one created with PhishSim. Can you tell which one is which? The answer is in the image caption.

Figure 4. Phishing email created with PhishSim (on the left) and a real email message from Bank of America (on the right).

Now that the looking right part is taken care of, let's move on to making sense to the recipient. We are not just talking about learners being able to understand what your email is saying (more on that later). First of all, make sure that the very scenario that the email creates fits within the learner's logical boundaries: for most users, receiving a notification from a foreign bank would most likely raise a red flag. Even with domestic banks, make sure it is either a nationwide institution or a bank that is popular within your region. Don't select obscure product offers or narrowly specialized services for large-scale campaigns. But do use those for smaller spear-phishing campaigns based on specific information about your learners and groups. For example, if you recently started working with a new vendor, you may send some fake bills from that vendor to the group that includes your accounting employees. Regardless of the scenario, using the PhishSim variables to insert learners' names into the message would be a good idea.

Now the language. Well, yes, the email needs to be in English if your learners are English speakers. That's not what we are talking about. You want to make sure your phishing email is not confusing. Your email should be misleading, but its content should be crystal clear to the learner. Keep the language plain and simple, don't use excessive technical terminology or long paragraphs full of complicated explanations and instructions. If your leaner is not able to quickly understand what the email is asking them to do, they may try contacting the sender directly instead of clicking the provided link.

Which leads us to the last part: clicking the link. Your phishing email should give the learner a very good reason to do it, and do it quickly (before something really bad happens, or before something good ends without their chance to get a piece!) The above bill pay alert example is not a very effective bait: someone who does not have an active auto loan would not likely click a payment link for one. They may try calling the bank instead. However, if your link says "Click here if you did not open this account", this will make the phishing attempt much more effective. Expiring file downloads from credible sources and account cancellation notices are some of the examples that create enough urgency for the learners to click the links. An example of an attractive bait would be a link to a satisfaction survey from a popular retailer offering a reward for completion, or simply a discount coupon with the "Print" link. For smaller targeted campaigns the possibilities are endless: you have an advantage over an attacker in that your reconnaissance is already done. So, aside from fake bills from the vendors, you can send fake conference call invitations, internal account password reset notifications, security updates, etc. Just keep hitting that "New Template" button and let your creativity go wild.

Figure 5. PhishSim email template imitating sharing a file via Dropbox.

Switch and bait

Attackers quickly adapt to changes in technology and communications and always come up with new techniques, and so should you. Use SecurityIQ PhishSim reporting features to monitor the effectiveness of your phishing campaigns. Save and reuse the most effective templates, and review and modify the less effective ones. Make sure to reflect any significant changes (logos, message layouts and wording, etc.) you notice in real internal or external emails in your phishing templates. Vary your content: try using a different message content from a sender that proved to be effective. The SecurityIQ PhishSim Clone feature makes it easy to make a copy of an existing template and modify its contents.

A few don'ts

As a conclusion, let's talk about some things you shouldn't do when writing phishing templates.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

  • Don't scare your learners to death (literally). Yes, attackers will not have any ethical reservations, but you most likely won't have to resort to notifying someone about their children getting into an accident to make them click that link. Ethics in internal phishing is a complicated matter that deserves a separate discussion.
  • Don't provide information that is obviously false or easy to check without clicking the link. Don't send Tom an email "from Mark" if Mark is sitting right next to him. Don't send a "tomorrow's meeting agenda" if there is no meeting scheduled tomorrow. Don't send Blockbuster coupons (just don't).
  • Don't try to imitate a "bad" attacker. What will you really achieve with a "0% clicked" result from a campaign made up entirely from templates like "Hithis is messge from PayPa1 CLICk the link heir to recive money"? You may include some of those just to see whether you have employees who really need some serious security awareness training (and perhaps a job re-evaluation), but the majority of your phishing templates should try to imitate sophisticated phishing attacks, because this will help mitigate a much more serious risk.
  • Don't get too sophisticated. We mentioned your advantage over an attacker of having access to a lot of internal information. Make sure to use this information wisely for two reasons. First, you may be putting yourself and your organization at risk by disclosing some sensitive information to unauthorized individuals. Second, it's just not fair. If there is a secret meeting that only a number of people know about, using information about this meeting in a phishing email is not something real attackers would be able to do (or if they would, you probably have some more immediate security issues to take care of than running phishing campaigns).

Always remember than phishing campaigns and security awareness education should go hand-in hand. For that reason, InfoSec Institute's SecurityIQ includes PhishSim, which you can use to create templates and run campaigns of any size and sophistication, along with AwareEd, a perfect companion tool for educating employees about phishing.

Andrei Antipov
Andrei Antipov

Andrei is a security engineer. He holds a cybersecurity degree from Bellevue University and is an Associate of (ISC)² toward CCFP and a Metasploit Pro Certified Specialist. Andrei is interested in reading and writing about all things cybersecurity, with a focus on security governance, penetration testing and digital forensics. In his spare time, he enjoys spending time with his family and talking about weird movies and trip-hop.