If you follow this blog regularly, you know that it is no secret that we spend a lot of time writing about how to identify and protect against phishing attacks. A big part of staying safe from phishing is taking a serious approach to running phishing simulations, which give your team a very practical opportunity to test their skill at telling safe emails from unsafe ones.
But what makes a great phishing simulation email? Below we'll share the key factors that make phishing simulation emails effective, along with our favorite 113 phishing simulation emails that we use with our clients.
3 Crucial Factors for Phishing Simulation Emails
A phishing simulation email that becomes a terrific learning experience for your team needs the following to be successful:
- Sender Relevance: the most effective phishing campaigns (and simulations) that we've seen are ones that claim to be from vendors, partners, or people that your team expects to hear from. Does your team use Google Suite? A phishing simulation claiming to be from Google Suite will have a higher "Sender Relevance" to your team than an out-of-the-blue account alert from Microsoft Office 365 if that is not a product your team uses.
- Contextually Relevant Call-to-Action: the call-to-action needs to be an action that your team would plausibly be asked to take by the highly relevant sender. If your team uses Avis rental cars when they travel, a well-timed survey from Avis is plausible. So a phishing simulation that asks team members to click through and sign into their Avis account to fill out a survey would meet the "contextually relevant" bar.
- Interplay with Training: how do you like the idea of running a phishing simulation, with no training before, after, or during? We don't like the idea at all. The best phishing simulations have a strong tie-in with training. How? We advise most of our clients to run an online / on-demand security awareness training initiative shortly before or after the phishing simulation (opinions and situations differ), and to have a landing page for users who "fall for" (click on) the phishing simulation. Not one that makes the user feel bad -- one that educates on what about the email should have seemed suspicious enough to hold off on clicking.
With that context now set, let's look at some real phishing simulation email topics that we use with our clients at Havoc Shield.
113 of Our Favorites
Here are our favorites. This isn't a complete list of phishing simulation emails that we use with our clients, but it's a representative sample that should give you a flavor for the types of emails that we believe to be effective.
- Active Directory Password Reset
- Adobe Password Reset
- ADP Password Reset
- AGL Energy Electricity Disconnect Notice
- Alaska Airlines Password Expired
- Alitalia Free Ticket
- ANZ Customer Service Confirmation Request
- Apple Confirm Account
- Apple YouTube Red Confirmation
- AT&T Order Confirmation
- Atlassian Account Locked
- Australia Post Ground Post Delivery Exception
- Avis Free Rental
- Avis Survey
- Banana Republic Gift Card
- Bank of America Strange Purchase Activity
- Bank of England Account Reset
- Bank of Ireland New Authentication Process
- Best Buy Reset
- Bigpond/Telstra Service Suspension
- BoA Wire Transfer
- Carfax Report
- CDC Health Alert
- CenturyLink Account Locked
- Chase Payment Past Due
- Chase Secure Message
- Cigna New Benefits
- Cisco Webex Verify Account
- Citi Card Payment
- Coinbase New Deposit
- Commonwealth Bank Account Locked
- Commonwealth Bank Verify Disabled Account
- Craigslist Password Reset
- Credit Karma Reset
- DocuSign COVID Forms
- Dominos Gift Card
- DoneDeal Password Reset
- DropBox Password Reset
- e-SignPackage: Closing Documents
- eBay Credit
- Energia Past Due Bill
- Event Tickets Download
- Evernote Offer
- Experian Credit Update
- Experian Free Credit Monitoring
- Facebook Account Locked
- Geico Payment Alert
- GitHub Account Compromised
- Gmail Password Change
- GoDaddy Account Past Due
- GoFundMe Campaign
- Google Security Alert
- Google Security Issue
- Google Suite Offer
- Holiday Inn Express Survey
- Kohls Gift Card
- LinkedIn Invitation
- LogMeIn Failed Login Attempt
- LogMeIn Update phish
- Lyft Free Credit
- Macys Account Locked
- Marriott Account Compromised
- Marriott Hotels Free Stay
- Microsoft Account Compromised
- Microsoft Office 365 Mailbox Shutdown
- Microsoft Office 365 Password Expired
- Microsoft Teams Added Notification
- Mint Credit Score Dropped
- Mint Purchase Alert
- Namecheap Free Domain
- Netflix Account On Hold
- Netflix Account Reset
- New Company Policy: Communicable Disease Management Policy
- Newegg Free Gift Card
- Norwegian Air Free Flight
- OKCupid Matches
- OneDrive Shared Document: Bonus payments and other reimbursements
- OneDrive Shared Document: New Project response
- Paypal Payment Received
- Paypal Unusual Log In Activity
- Pinterest Fresh Pins
- Salesforce Account Locked
- Service Desk Quarantined Mail
- Skype new voicemail
- Spotify Password Reset
- Strava Account Locked
- SunTrust online banking unusual activity
- Telstra Bill Arrival Notification
- Telstra Refund Notification
- Tesco Account Compromised
- Twitter New Follower
- Uber Free Credit
- UPS Account Locked
- UPS Delivery Notice
- UPS In Transit Notification
- Venmo Payment
- Verizon Account Verification
- Vueling Flight Cancelled
- Walmart Free Credit
- Webex Invitation
- Wells Fargo Insufficient Funds
- Wells Fargo Security Alert
- WHO Consumer Stimulus Package
- WHO Solidarity Response
- WHO Virus Awareness Safety Measures
- WHO WFH Grant
- YouTube Account Locked
- Zillow Alert
- Zoom Account Suspension
- Zoom Missed Meeting
Want us to run a phishing simulation for your team, as part of our broader security awareness training offering? We're standing by to help.