For the past six months, I’ve been writing and sending phishing emails to thousands of innocent people and analysing the results. This is what I’ve learned.
(Disclaimer: This is for educational and authorised testing purposes only. Please don’t break the law; it isn’t nice.)
My victims have no idea who I am, why I would want to steal their login credentials, or what I could do with them. They are trusting, hardworking people who just want to do a good job and go home to take care of their families.
Fortunately, I’m not a criminal. The emails I send are authorised phishing simulation tests, designed to measure how our employees respond to various scenarios presented to them by email.
Phishing Simulation and Awareness Training
With phishing simulation, we can measure how susceptible people are to real attacks, provide just-in-time training to those who take the bait, and measure the effectiveness of our overall training strategy. No amount of phishing awareness training is ever going to be 100% effective, but if we can raise the level of caution even slightly, we’re in a better place than before. No matter what we do, people will always be phished. Even me, even you.
At work, we employ people based on their ability to provide products and services to our customers, not their ability to distinguish real emails from malicious ones. Phishing simulation is a useful tool, but to protect our people we need many others in our toolboxes: Multi-Factor Authentication (MFA), email filtering, and a secure web gateway (a filtering proxy), to name a few. Awareness training needs to be one layer of our defence-in-depth approach, not the whole of it.
What I Learned Writing Phishing Emails
Writing phishing emails is a copywriting task, not a creative writing task. Creative writing is an art. Copywriting is a science. Writing phishing emails is more like writing sales and advertising material than anything typically associated with cybersecurity. The things that convince us to buy products and services, book a holiday abroad, or subscribe to a mailing list are the same things that make us click links in phishing emails and give away our login credentials.
Copywriting is the science of influencing people to take defined actions with the written word. Copywriters are effective through their ability to empathise with the reader and play upon their emotions. They use psychological tools such as the power of perceived authority, our natural bias towards loss aversion, a false sense of urgency through an imminent deadline, and many others. Ultimately, writing effective phishing emails is no different from convincing someone to upgrade their smartphone or buy a new car.
With that said, this is what I’ve learned so far:
[Read more…] about 9 Things I’ve Learned Writing Phishing Emails