For the past six months, I’ve been writing and sending phishing emails to thousands of innocent people and analysing the results. This is what I’ve learned.
(Disclaimer: This is for educational and authorised testing purposes only. Please don’t break the law, it isn’t nice.)
My victims have no idea who I am, why I would want to steal their login credentials, or what I could do with them. They are trusting, hardworking people who just want to do a good job and go home to take care of their families.
Fortunately, I’m not a criminal. The emails I send are authorised phishing simulation tests. They’re designed to test our employees and their responses to various scenarios presented to them in email form.
Phishing Simulation and Awareness Training
With phishing simulation, we can measure how susceptible people are to real attacks, provide just-in-time training to those who take the bait, and measure the effectiveness of our overall training strategy. No amount of phishing awareness training is ever going to be 100% effective, but if we can raise the level of caution even slightly, we’re in a better place than before. No matter what we do, people will always be phished. Even me, even you.
At work, we employ people based on their ability to provide products and services to our customers, not their ability to distinguish real emails from malicious ones. Phishing simulation is a useful tool, but to protect our people we need many others in our toolboxes: Multi-Factor Authentication (MFA), email filtering, and a secure web gateway (filtering proxy), to name a few. Awareness training needs to be part of our defence-in-depth approach.
What I Learned Writing Phishing Emails
Writing phishing emails is a copywriting task, not a creative writing task. Creative writing is an art. Copywriting is a science. Writing phishing emails is more like writing sales and advertising material than anything typically associated with cybersecurity. The same things that convince us to buy products and services, book a holiday abroad, or subscribe to an email mailing list are what make us click links in phishing emails and give away our login credentials.
Copywriting is the science of influencing people to take defined actions with the written word. Copywriters are effective through their ability to empathise with the reader and play upon their emotions. They use psychological tools such as the power of perceived authority, our natural bias towards loss aversion, a false sense of urgency through an imminent deadline, and many others. Ultimately, writing effective phishing emails is no different from convincing someone to upgrade their smartphone or buy a new car.
With that said, this is what I’ve learned so far:
1. Context is King
People respond well when an email matches the context of the mailbox it lands in. That is, work-related in the corporate mailbox, personal in the Gmail mailbox. Emails in the work mailbox pretending to be from HR or IT have a significantly higher conversion rate than those pretending to be from another company the reader buys personal products from. Even if they are legitimate customers of that service, if it isn’t ‘work’ at work, they’re not that interested.
The inverse is true for ‘work’ emails landing in a personal mailbox. If all you get is shopping offers and Facebook updates, an unexpected email about ‘your expense claim’ isn’t going to be taken seriously. An update from ‘The Facebook Security Team’ however has a much better chance of succeeding. Make your phishing emails match the context of where they are sent.
2. It Matters What Time You Press Send
As studies by email marketing companies have shown, the time of day a recipient receives an email drastically affects its effectiveness. 8 am – 10 am and 3 pm – 4 pm are widely accepted as the optimum times for the average person working 9-5, but work patterns at your company could skew this. Find out what shifts people are working before you set the delivery schedule and adapt accordingly.
If a mail isn’t opened in the first 10 minutes to 1 hour, it probably never will be. We’re looking for the highest open rate possible, because if emails aren’t read the results of our test will be skewed by the smaller sample size. As any statistician will tell you, the bigger the sample size, and the more proportionately representative of the population it is, the higher your confidence in the results. If you email 10,000 people and only 3 read it, it will be impossible to infer anything from it. If 8,600 people read it, that’s a different story. Make sure your phishing email is at the top of the reader’s mailbox when they open it to check emails.
3. Set a Deadline with Severe Consequences
If you email someone pretending to be HR and demand a response within the next 2 hours or the reader won’t get paid… there’s a strong possibility that they’ll do what you ask. Self-preservation (getting paid) trumps company preservation (not getting hacked) almost every time when people believe it’s real.
If you’re pushing a fake promotion with big discounts, make the offer expire in 4 hours or at midnight. If you’re pretending to be someone’s boss, implicitly threaten them with disciplinary action if they don’t get it done on time. The shorter the deadline, the more effective it can be. It works by invoking a fear of scarcity (time) and a fear of loss, which clouds our judgement, also known as the amygdala hijack. Make sure you add a deadline by which your desired action must be completed, near enough to cause a slight panic, but far enough away that it doesn’t expire before they can act on it. If your victim doesn’t read the email until after the deadline and nothing happens, the game is up.
4. Mobile Victims are Easier to Hook
People using mobile devices are much easier to phish. The limited screen size reduces a lot of the protections that come with the desktop environment. People are often distracted and more inclined to simply do what they’re asked, especially with a threat of loss if they don’t respond in time.
Mobile browsers and mail apps can’t show all of the usual telltale signs that a website or email is not as it seems. The responsive view of a webpage abstracts away a lot of the details. A small screen showing yet another login form is just an inconvenience that they need to fix before they can get back to doing whatever they were trying to do while commuting to work or eating their lunch.
While corporate desktops are often configured and forced to use secure, filtering web access gateways (proxies), mobile devices today typically are not. This bypasses all of the protection the desktop environment receives through the proxy and leaves it all down to the browser and the user’s judgement. Ensure phishing pages are responsive and look like the real sites they pretend to be. Just as web developers are becoming more mobile-first in their development cycles, be mobile-first in your phishing tests.
5. Authority Grants Access
If you pretend to be a peer or a supplier you’ll have greater difficulty convincing someone to take action than if you pretend to be someone higher in their food chain. Their boss, CEO, the police or government, etc. are all common authority figures which can be used. Writing phishing emails from authority figures invokes fear of retribution for not complying. When combined with a short deadline the effectiveness increases.
Carrot and stick are two approaches when crafting a phishing email. When the promise of a reward won’t work, try the threat of reprisal from someone with power over the victim.
6. Not All Responses Appear In Your Tool’s Results
On several occasions, I’ve had people contacting HR or IT trying to stop them from doing whatever I’ve said ‘they’ would do. Most phishing simulation toolkits track sent emails, delivered emails, opened emails, number of links clicked and how many times, and when credentials are entered into phishing pages. What they can’t see is the worried phone calls and emails that go to the authority figures you’re pretending to be.
These are also useful metrics: although the victim might not have given you their login details, they were still convinced your email was legitimate. Try to find a way to capture or record reports to other departments and include these in your reporting, as they are still indications of compromise. “Please don’t delete all my files” could just as easily have been the leak of a password.
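The two measurement points above, the sample-size argument from section 2 and the out-of-band reports from this section, can be handled in one reporting step. The following is an added example, not code from the original post or from any simulation tool: it merges the tool’s exported events with help-desk tickets and calls, treats a worried call to HR or IT as evidence that the reader believed the email, and puts a Wilson confidence interval on each rate so that a campaign with three readers is not reported with the same certainty as one with thousands. The event names, the channel-to-outcome mapping and the sample data are assumptions constructed for illustration.

```python
"""Campaign reporting that merges the simulation tool's telemetry with
out-of-band reports (help-desk tickets, calls to HR or IT) and attaches a
confidence interval to every rate, so that a tiny sample is not over-read.
Added example, not code from the original post or from any simulation tool;
the event names, the channel-to-outcome mapping and the sample data below
are assumptions constructed for illustration."""
from math import sqrt
from typing import Dict, Iterable, Set, Tuple

Z_95 = 1.96  # two-sided 95% confidence

# Each event implies the weaker ones: nobody submits credentials without
# clicking, and nobody clicks without opening. The two out-of-band events
# also prove the email was read, even when the tool never saw an 'opened'.
IMPLIES: Dict[str, Tuple[str, ...]] = {
    "submitted": ("clicked", "opened", "delivered"),
    "clicked": ("opened", "delivered"),
    "opened": ("delivered",),
    "delivered": (),
    "contacted_authority": ("opened", "delivered"),
    "reported_suspicious": ("opened", "delivered"),
}

# Which queue a ticket or call landed in tells us what the user believed
# (assumed mapping: asking HR/IT to stop 'their' action means the user took
# the email as genuine; a report to security means they did not).
CHANNEL_TO_EVENT = {
    "hr-helpdesk": "contacted_authority",
    "it-helpdesk": "contacted_authority",
    "security": "reported_suspicious",
}


def wilson_interval(successes: int, trials: int, z: float = Z_95) -> Tuple[float, float]:
    """Wilson score interval for a proportion. With no trials there is no
    information, so the interval is the whole range (0, 1)."""
    if trials == 0:
        return (0.0, 1.0)
    p = successes / trials
    z2 = z * z
    denom = 1 + z2 / trials
    centre = (p + z2 / (2 * trials)) / denom
    half = z * sqrt(p * (1 - p) / trials + z2 / (4 * trials * trials)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def collect(tool_events: Iterable[Tuple[str, str]],
            out_of_band: Iterable[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Return the set of users per event, merging tool telemetry with tickets."""
    users: Dict[str, Set[str]] = {name: set() for name in IMPLIES}

    def record(user: str, event: str) -> None:
        if event not in IMPLIES:  # ignore event types we do not track
            return
        users[event].add(user)
        for implied in IMPLIES[event]:
            users[implied].add(user)

    for user, event in tool_events:
        record(user, event)
    for user, channel, _note in out_of_band:
        record(user, CHANNEL_TO_EVENT.get(channel, ""))
    return users


def summarise(users: Dict[str, Set[str]]) -> Dict[str, object]:
    """Counts and 95% intervals. Rates are over users who actually read the
    email, since an unread email tells us nothing about the reader."""
    opened = len(users["opened"])
    believed = users["submitted"] | users["clicked"] | users["contacted_authority"]
    return {
        "delivered": len(users["delivered"]),
        "opened": opened,
        "compromised": len(users["submitted"]),
        "believed": len(believed),
        "reported": len(users["reported_suspicious"]),
        "believed_rate": wilson_interval(len(believed), opened),
        "compromised_rate": wilson_interval(len(users["submitted"]), opened),
    }


# Constructed sample data: what the tool exported, and the tickets/calls the
# help desks logged during the campaign window.
TOOL_EVENTS = [
    ("alice", "delivered"), ("alice", "opened"), ("alice", "clicked"), ("alice", "submitted"),
    ("bob", "delivered"), ("bob", "opened"), ("bob", "clicked"),
    ("carol", "delivered"),
    ("dave", "delivered"),
    ("erin", "delivered"), ("erin", "opened"),
]
OUT_OF_BAND = [
    ("carol", "hr-helpdesk", "Please don't stop my pay, I'll update the form today"),
    ("erin", "security", "Looks like phishing, reporting it"),
    ("bob", "security", "I clicked before I realised, sorry"),
]


def report() -> Dict[str, object]:
    return summarise(collect(TOOL_EVENTS, OUT_OF_BAND))


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:>17}: {value}")
```

Carol never shows up as "opened" in the tool export, yet her call to HR proves she read the email and believed it, so she counts towards the believed rate; Bob clicked and then reported, so he counts in both columns. On the post’s own numbers, one believer among 3 readers gives an interval of roughly 6% to 79%, while 2,867 among 8,600 readers narrows to roughly 32% to 34%, which is the difference between “impossible to infer anything” and a usable result.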
7. Real Phishing Attacks Look Like Phishing Simulation Tests
When you’re running phishing simulation campaigns, it is important to inform your operations teams of what you’re doing. Subject lines and sender addresses are critical, as without them your tests blend in with the real attacks coming in every day. Best case, your tests will be blocked and removed from mailboxes by the Ops team, skewing results and detracting from your efforts. Worst case, the Ops team will assume real emails are your tests and allow them to reach end users, with disastrous consequences.
When your phishing simulation emails are written well they look just like the real thing – that’s the whole point. Ensure that those who need to know are informed of tests ahead of schedule so that they don’t interfere. Likewise, don’t inform those who don’t need to know, otherwise your testing isn’t going to be effective.
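One way for the Ops team to act on the subject lines and sender addresses shared in advance is a small triage check applied to every user-reported email. The following is an added example, not code from the original post or from any simulation tool: it looks up a campaign header in a registry and only calls the message a simulation when the header, the From address and the subject all match a registered campaign, so that a real attack which merely copies a test email’s header is still handled as real. The registry layout, the X-Simulation-Campaign header name and the sample messages are assumptions constructed for illustration.

```python
"""SOC triage helper: decide whether a user-reported email belongs to a
registered phishing simulation campaign or must be handled as a real attack.
Added example, not code from the original post or from any simulation tool;
the registry layout, the X-Simulation-Campaign header name and the sample
messages are assumptions constructed for illustration."""
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Tuple


@dataclass(frozen=True)
class Campaign:
    campaign_id: str
    sender: str   # exact From address the simulation tool will use
    subject: str  # exact subject line shared with the Ops team in advance


# What the security team registered with operations before the campaign.
REGISTRY: Dict[str, Campaign] = {
    "sim-hr-payroll-01": Campaign(
        "sim-hr-payroll-01",
        "hr-notices@example.com",
        "Action required: confirm your payroll details",
    ),
}


def classify_report(raw_message: str,
                    registry: Dict[str, Campaign] = REGISTRY) -> Tuple[str, str]:
    """Return ('simulation', reason) only when the campaign header, the From
    address and the subject all match one registered campaign. Anything else
    is ('treat-as-real', reason): a header alone proves nothing, because a
    real attacker who has seen a test email can copy it."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    subject = (msg.get("Subject") or "").strip()
    tag = (msg.get("X-Simulation-Campaign") or "").strip()

    if not tag:
        return "treat-as-real", "no campaign header"
    campaign = registry.get(tag)
    if campaign is None:
        return "treat-as-real", f"unknown campaign id {tag!r}"
    if sender.lower() != campaign.sender.lower():
        return "treat-as-real", f"sender {sender!r} is not the registered sender"
    if subject != campaign.subject:
        return "treat-as-real", f"subject {subject!r} is not the registered subject"
    return "simulation", f"matches registered campaign {tag}"


# Constructed sample messages as a mail client would hand them to the SOC.
SIMULATION_EMAIL = """\
From: HR Notices <hr-notices@example.com>
To: alice@example.com
Subject: Action required: confirm your payroll details
X-Simulation-Campaign: sim-hr-payroll-01

Please confirm your details using the link below.
"""

# Same header and subject, but sent from a domain the campaign never registered.
COPIED_TAG_EMAIL = SIMULATION_EMAIL.replace(
    "hr-notices@example.com", "hr-notices@example.net")

# Ordinary suspicious email with no campaign header at all.
UNTAGGED_EMAIL = """\
From: Mail Support <support@example.net>
To: bob@example.com
Subject: Your mailbox is almost full

Sign in to release quarantined messages.
"""


def triage_samples() -> Dict[str, str]:
    """Verdict for each constructed sample, keyed by a short label."""
    return {
        "simulation": classify_report(SIMULATION_EMAIL)[0],
        "copied_tag": classify_report(COPIED_TAG_EMAIL)[0],
        "untagged": classify_report(UNTAGGED_EMAIL)[0],
    }


if __name__ == "__main__":
    for label, verdict in triage_samples().items():
        print(f"{label:>11}: {verdict}")
```

The check is deliberately conservative: the default verdict is “treat as real”, and only a full match downgrades a report to a known test. Because a From address can itself be spoofed, a production registry would also record the sending infrastructure the tool uses (its Return-Path and source addresses) and the agreed delivery window, and the SOC would confirm against those before suppressing anything.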
8. People Write Awful Emails That Look Like Phishing, But Aren’t
Once you start testing on a regular basis, people get really paranoid. When genuine but unexpected emails come from internal teams or trusted third parties, people suspect foul play. Then they delete them or refer them to the IT Security team for investigation. The more awfully written they are, the more likely they are to be perceived as phishing.
Your phish-aware employees are now looking for emails with spelling mistakes, bad layouts, images with paragraphs of text on them, random-looking sender addresses, and more. Work with other departments to ensure that unexpected emails come with advance warning. Try to preempt the “this is bad” reaction and ensure legitimate actions are performed as expected. After all, you’ve invested a lot of time into raising awareness, so don’t be surprised when you get what you wanted.
9. Don’t Overdo It
With phishing simulation tests there is a balance to be found. We want to test people frequently enough that “is this real or trying to trick me?” becomes a regular thought when opening email, but not so often that we create numbness through overstimulation. When employees do fall for a phish, be sure to provide training there and then. Supplement this with appropriate and engaging training on a regular basis. For repeat offenders, a slightly stronger approach is needed to ensure behaviour improves, but don’t stress them too much. Spotting a phish isn’t their main job, it’s ours. We’re here to help people, not beat them down.