How to make your phishing campaign a success

Last updated: 11 July 2023

Phishing is the most frequently deployed method used by criminals to initiate a cyber attack, according to research from IBM. Phishing is designed to trick users into clicking on links or downloading attachments that either install malware or give unauthorized users access to company systems.  

With the growth in AI tools recently, phishing attempts are becoming even more sophisticated and harder to spot. The outcomes of a successful attack can have wide reaching and devastating consequences. Not testing the awareness of phishing among employees, however, is worse.  

Protect your digital assets with simulated phishing attacks 

The best approach to enhance vigilance among employees and safeguard your digital assets is by conducting controlled phishing campaigns, which train employees to recognize and mitigate potential risks. But even after sending out mock phishing e-mails, the outcome can be hard to predict. Will a lot of users click on the link and submit their credentials on our ‘malicious’ website?  

Top tips to improve your phishing campaign 

Lots of employees falling for a phishing campaign may seem like the antithesis of the exercise. But, for those employees who think they are savvy to all the risks, it will be a stark warning for just how sophisticated phishing has become, and how easy it is to fall victim.  

Want to know how to make your phishing campaign more successful? Then continue reading a find our three most valuable tips to improve your phishing campaign, your company’s security awareness, and your cyber security. 

Pressure users to perform an action 

Step one: craft a phishing email scenario that taps into your employees’ interests. When December arrives, what better way to grab their attention than by discussing Christmas gifts? Who wouldn’t be excited about that? By playing on their curiosity and excitement, you increase the likelihood that your employees might overlook certain details in the email, making them more susceptible to falling for a phishing attempt. 

Keep it short and concise 

Second, make sure that the phishing e-mail is short and to the point. Just a quick message with an added link to the page where the employee can submit their Christmas gift preference, for instance. Tone will also be essential here; if it’s for a gift, keep it light and informal. If it relates to a task that needs completing urgently, make sure the message is formal and leans on the importance of the task to the business. This approach increases the chance that users will read the whole e-mail without questioning about its legitimacy, and will eventually click on the malicious link and submit their credentials. 

Make it urgent and add a deadline 

The third and final tip is to create a form of ‘time pressure’ for the user, related to Cialdini’s scarcity principles. Sticking with the Christmas scenario, you can write down that employees have to respond before a certain day in order to receive their gift, so they feel pressured to submit their choice quickly. That psychological time pressure decreases the chance that the user will deeply inspect the phishing e-mail and recognizes it as a malicious message. This results in a higher chance of employees submitting their credentials. 

Now that we’ve covered all three tips, it’s time to put them into action in your next phishing campaign and set yourself up for great success. Remember to follow up with additional training as necessary to reinforce these learnings. Stay tuned for more insightful blogs where we’ll delve deeper into the fascinating world of phishing. 


For further reading please check out the following:  

Leave a Reply

Your email address will not be published. Required fields are marked *