Phishing

Top 10 anti-phishing email templates

Beth Osborne
August 10, 2018 by
Beth Osborne

Phishing remains a prominent way for cybercriminals to attack. It's relatively easy to pull off and very profitable for perpetrators. According to research, the average cost of phishing attacks for U.S. businesses is $1.8 million. Moreover, you don't have to be a genius to pull off a phishing attack. All they need to do is fake an email, so it appears to be coming from a trusted source. That email then attempts to gain sensitive information to be then able to infiltrate systems.

Phishing attacks will never be completely eradicated. Businesses will continue to be targeted, as a recent state of phishing attack revealed 76% of businesses have reported being a victim of a phishing attack.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

As perpetrators become more sophisticated, the phishing emails do, too. It might have been easier to spot an attack years ago due to the content of the email and its broken English. Now, these criminals focus on victims and tailor scams. This is called spearfishing, and it's often executed on businesses. So, what's the solution to keep your employees alert and your company protected?

Education and training are critical, which means deploying phishing attacks on your own staff, so they understand how easy it is to take the bait. Check out these top 10 anti-phishing email templates to use for training.

1. Official communication templates

Your staff should be used to receiving regular communications from your human resources team or corporate communications group. These emails may be simple in design, with brand colors and logos accompanied by text. Users are also used to needing to take an action with this kind of email, like completing benefit enrollment.

So, it's easy for an employee to click the message without thinking. Except that in a phishing email, while everything may look similar, it's not. Moreover, that click would have cost your company if it has been from a real hacker.

2. Your order has shipped

Orders are placed every day from business email addresses. Everything from office supplies to technology to other tangible items may be ordered on any given day, so it's normal to receive a tracking email. You'd be expecting it, and that's a good example of spear phishing. The perpetrator has tailored the message to be more convincing. Using this kind of template to warn employees lets them see how important it is to check every email because it's so easy to be phished.

3. Notifications from Cloud-Based applications

Most employees get notifications all day from project management software, customer relationship management (CRM) platforms, and other cloud-based systems. You open the email and click the link to see the notification and respond. It's second nature and not suspicious. This is another sophisticated set-up by perpetrators. Sometimes, however, the actual system sending the message isn't one your company uses, but in the rush to respond, receivers don't even check. This is a good way to make them aware of their behavior.

4. Password resets

Typically, you should only get a password reset email when you actually request to change it. Yet, many phishing emails asking users to do this are successful—even though they didn't request it. Some may think they have to reset a password on a certain cadence. Or, think they forgot asking for the reset. Another educational opportunity here for this template, reiterating to employees that's not how passwords are reset and to be vigilant whenever receiving any message like this unrequested.

5. Security updates

This is another popular template and accounted for 86% of phishing clicks according to State of the Phish 2018 report. It's ironic that this type of template would generate so many clicks. Users think they need to click to stay secure because if they don't their security protection will expire. It's a very convincing ploy. However, security updates aren't sent via email, make sure your employees know this. Use this template to let them know only a perpetrator would send a message of this nature.

6. Training notice

Many companies require different compliance training for employees, especially in highly regulated industries or companies that are publicly traded. It wouldn't be unusual for an employee to receive a notice that he needs to take training.

While a real email would send employees to a learning management system, that's not where this phishing template leads. This type of template can be an example of how what you think is safe isn't. You'll want to advise your employees of what an official email would look like about mandatory training, including what email address it would come from, to keep them safe from this kind of phishing email.

7. Account upgrade

On occasion, your employees' core software like Microsoft Office may be upgraded to the newest version. This type of template would instruct users they need to download an upgrade to ensure their applications like Word and Excel keep working properly.

Again, this seems like a legitimate message that businesses would send. While you might send a real email informing employees of an upgrade, you'd never ask them to download directly from an email. Make this fact a point in your training, so they aren't tricked by this template.

8. Nonprofit request

Recipients may be more willing to open an email that appears to come from a nonprofit or charity, especially if the company is affiliated with it. It wouldn't be hard for a cybercriminal to find out what charity because there is likely information on your company's website. With this information, an email might be sent asking for a donation or asking for volunteers. So, recipients may click without thinking twice.

The lesson here for employees is that the nonprofit wouldn't send employees an email because the company wouldn't provide a list of employee email addresses to an outside party. Donation or volunteer requests would filter through a committee or human resources. In the world of phishing, perpetrators will take advantage of any opportunity, even posing as a charity.

9. Last reminder

These phishing email templates are laced with urgency. There is some action the user needs to take, or some grave consequence will take place. They could fill the reader with dread, thinking they've forgotten to do something that their employer needs.

When perpetrators use language like "last," they want to cause the subject anxiety to the point where he will click without hesitation. While you may send your employees many different notices, in real communication, you'd probably never say "last." The reminders you also send many times don't include links but rather instructions on how to take an action inside your internal systems. Engrain in your employees that real emails from the company won't use urgency language.

10. Important announcement

Another great template that will make employees take notice is a special announcement from the CEO or another leader. These types of phishing emails would appear to be sent from that party's email address, and of course, every employee will be quick to open a message from the boss.

However, the language in the email will be different when used in a phishing template. It will ask the user to take an action to do something the CEO needs them to do. The reality is, however, that real important announcements from leadership are usually informational messages about the state of the economy or exciting news. Be sure employees understand that these types of emails wouldn't include links or request actions.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

These top 10 anti-phishing email templates are a good start to engaging your employees, so they know what to expect should there be a real attempt. Phishing awareness is an important facet of security awareness education. By partnering with SecurityIQ by InfoSec Institute, you can simulate phishing with templates and conduct anti-phishing training. Get a demo today to see how it works.

Beth Osborne
Beth Osborne