Bait the hook: How to write good phishing emails for social engineering

Blog Post created by ckirsch on Nov 17, 2011

What are the baits that make people click on a link or attachment in a social engineering email? I've looked at some common examples and tried to categorize them. Maybe this list will trigger some ideas next time you're writing social engineering emails.


Habits: Think of this as exploiting the brain's auto-pilot - a standard-looking email triggers the standard response of opening the attachment or clicking the link:

  • LinkedIn connection requests
  • GoToMeeting invitations
  • Daily reports from a CRM/ERP system


Nosiness: If you're sending something private or confidential to a nosy person (most people), they'll surely open it:

  • Office scandals
  • Someone's private files
  • Email supposedly meant for someone else


Information: Mask your email as information that is important or valuable:

  • New expense policies
  • New time-off regulations
  • Updated 401k matching policy


Authority: Some people just like to follow orders - they feel compelled to comply. Send emails from a person of authority, asking them to complete an action:

  • CEO asking you to fill in a questionnaire
  • Police asking you to identify a person in an attached picture
  • Court order


Greed: Tell people how they can make more money without effort, as many Nigerian 419 scams do:

  • Inheritance
  • Insider trading
  • Contract fraud


If you have experience with social engineering emails, which campaigns have been successful for you? What other categories have you identified? I'd love to hear about them in the comments.


If you are a social engineer, or need to run a phishing campaign to test user security awareness in an assessment, check out the social engineering campaigns in Metasploit Pro. Download your free Metasploit Pro trial today.