All Collections
Creating a phishing simulation
How to craft a high-engagement rate phishing simulation
How to craft a high-engagement rate phishing simulation

Find out how you can craft a phishing email like a real cyber criminal to gain an accurate picture of your end user risk.

Micke Ahola avatar
Written by Micke Ahola
Updated over a week ago

Cyber criminals have a number of tricks up their sleeve that they use to get their unsuspecting victims to click on the links in phishing emails.

Here's how you can start thinking like a cyber criminal - and accurately test the responses of your end users.

How to create a successful phishing simulation

These are our top five tips:

  1. Carrot or the stick. An end user will only click a link on an email if they have something to gain by clicking it - or something to lose by not clicking. The better the promise, or the scarier the threat, the more likely they are to click.

    Consider: What does the user have to gain by clicking the link?

  2. Familiarity. Most end users these days have enough know-how to think twice before clicking on links in email from people they don't know. On an email purporting to be from their own CEO, or from a software tool they use? They'll click before they can finish reading.

    Consider: Does the email pose as a person, team or service the user knows? If nothing else, drop in the company's name to make the email customised enough to get a user to click.

  3. Authority. If the email poses as coming from someone in a position of authority, it is more likely to grab attention, and get the user to act immediately.

    Consider: Could you write an email that poses as the company CEO or a senior director?

  4. Urgency. The most likely way for a user to not compromise in a phishing simulation is that they're given time to consider - or hear about the simulation from their colleagues. To avoid this, make the email urgent.

    Consider: Is there any time limitation on the email? The email could offer something to the first ten users who click - or ask all employees to complete by end of the workday under risk of penalty.

  5. Timing. End users are far more likely to click on emails that arrive during office hours. Even better, they are likely to immediately click for emails when they're at work and looking for easy distractions - such as Friday afternoons.

    Consider: Are the users going to be at work when the email is sent out? Are they going to be busy or looking for a distraction?

Example phishing email

The email template below has been used in numerous successful phishing simulations - with an average compromise rate of 39%!

The email promises the receiver information on the new company holiday policy. Who wouldn't click on that in a heart beat?

The email succeeds because it:

  • Promises something desirable - information about holidays

  • Is familiar - it mentions the name of the company

  • Is urgent - the title says 'Action Required' and it mentions the policy is changing soon.

Read next

Did this answer your question?