Year after year, statistics show phishing attacks continue to rise. Why? Because they work, and this simple attack brings results. Consequently, this attack has evolved and become more sophisticated and harder to identify. Gone are the days of the error-filled 419 emails from a Nigerian Prince requesting your account details to hide money offshore. Instead, threat actors have enrolled in online email marketing courses to learn how to write content to bypass spam filters and optimise “open rates” (OR) and “click-through ratios” (CTR). To better address this threat, you need to know what they know: “How to write a good phishing email.”
If you conduct simulated phishing attacks on your staff to test their vigilance or include phishing email examples in their information security awareness training — you are on the right track. But are you using emails that match the current threat landscape? And are you writing professional emails that are designed to be opened?
Here are five basic components of a good phishing email:
Compelling subject line
The subject line is the first thing the reader sees – so Threat Actors know it’s got to be good. It serves the same purpose as a headline. First impressions are everything. So, the subject line must be compelling and “sell” why the email should be opened and read. Marketing professionals know this and use subject lines that state benefits, interesting facts, or create curiosity by asking questions, and so do Threat Actors.
For the mail to work – it must make sense to the reader. The content needs to be straightforward and believable. The more credible it appears, the less suspicion it raises. For example, a Nigerien Prince asking for help to get his money out of the country makes no sense (not that it ever did). Today’s Threat Actors do their homework and send emails targeted to their victim’s educational and professional background, and socio-economic status. They understand where the target will open the email (at home, at work or in a coffee shop) and what type of device (desktop, laptop or mobile telephone). Threat Actors know – with more context involved will bring greater chances of success.
That seems obvious, but when conducting simulated phishing attacks against staff, many organisations still send out strange emails filled with poor grammar and spelling mistakes that look dodgy. Phishing emails on the threat landscape today don’t look dodgy. Threat Actors understand that emails that look authentic are more likely to get clicked. When writing a phishing email you should use a spell checker to verify that all links and images work and make sure it doesn’t contain any “substitution errors”. Every element must look genuine because today’s phishing emails certainly do. Phishing your staff with bogus looking emails is does nothing to reduce your risk – it only gives you a false sense of security.
Easy to read
Here’s the thing: some writing styles are easier to read and understand than others, and the fact is that the easier something is to read, the more likely it is to be read and the more likely it is to be persuasive. Good phishing emails are written in a style that’s easy to read. They have something to say. They are succinct and use simple words. Each sentence has one simple thought and doesn’t create complexity or confusion. When something is easy to understand, it is more likely to be acted upon.
Gives a reason to click
Finally, and probably most importantly, a good phishing email provides a clear and valid reason to click on its link or download an attachment. That is the point of the email, after all. Threat Actors know this. So, the reason must be as persuasive as possible. For example, “Click here for your free upgrade”, “Download your free Amazon gift certificate attached” or my personal favourite “Hey, is this a picture of you? (Gets me every time…). Good phishing emails provide great reasons to click on their links and download their attachments. Do you?
Threat Actors know how to write phishing emails that get results. However, in testing and training your staff you need to match the quality of these emails if you want to mitigate this threat. Need help? Our Social Engineering Testing Service is scoped to meet your specific business or compliance requirements and we issue “Testing Certificates” to enable your business to produce evidence of compliance if required. Risk Crew is staffed with social engineering artists ready to meet your needs. We like to help, it’s what we do.