How Do We Create Phishing Templates by Hand and by ChatGPT
January 23, 2023
With our phishing simulator out of beta and publicly available, one of the most common questions we get from admins and potential customers alike concerns the phishing templates available for campaigns: how we create new templates, and how often we release them.
Creating phishing templates is a fun process. It forces you to think like an attacker, and like a target. In our case it also requires customer input and feedback: we want to understand which phishing threats our customers consider most pressing, so that we can factor that into how we prioritize and create templates.
We focus on creating phishing email templates that are realistic, in that they read like a genuine message. This is precisely what attackers do when they write phishing emails. It is also why we use ChatGPT to create some of our templates: attackers will use AI tools like ChatGPT to write real phishing emails, so simulations should reflect that.
What is an attacker's goal when writing a phishing email? Phishing is a specific form of social engineering, and it succeeds through psychological manipulation.
The goal is to trick the recipient into doing something, most often clicking a link or opening an attachment. To do that, the attacker wants to trigger an emotional reaction, which increases the likelihood that the recipient acts irrationally or in a rush, without fully considering the consequences.
Attackers trigger that reaction by sending a message that evokes fear or anger. Curiosity or excitement work as well, but they are harder to provoke in an email.
We sometimes feel bad about triggering these emotional reactions, but our goal is to maximize the chances that people don't fall victim to real phishing attacks. To do that, we have to mirror the process real attackers use.
We create phishing templates that fall into 3 categories.
Once we have a phishing email written, we create a landing page for the link in the email. We register realistic-looking domains and use a different subdomain for each template.
We then write a short Slack training message about the email. It is sent immediately to any user who clicks the link.
We release 5-10 new phishing templates each month to keep them fresh and to cover new and emerging phishing strategies employed by attackers.
When you launch a phishing campaign on Haekka, you can choose multiple templates for us to send. If you choose more than one, Haekka shuffles the templates randomly across recipients, so that everyone does not receive the same email and the simulation is harder to spot.
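The campaign mechanics described above (per-template subdomains, per-recipient tracking links, an instant training message on click, and shuffling templates across recipients) are small enough to show end to end. The following is an added example written for this page, not Haekka's code; the class and function names, the sample templates, and the placeholder domain are all assumptions. The click handler is shaped like the landing page's server-side logic and returns a Slack-style direct-message payload instead of calling a real webhook, so it runs offline.

```python
"""Minimal phishing-simulation campaign engine (illustrative, not a product's code)."""
import random
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs


@dataclass
class Template:
    name: str
    subject: str
    body: str        # plain text with a {link} placeholder for the tracking URL
    subdomain: str   # each template lands on its own subdomain of the campaign domain
    lesson: str      # short training note delivered the moment the link is clicked


@dataclass
class Campaign:
    domain: str                       # lookalike domain registered for the simulation
    templates: list
    rng: random.Random = field(default_factory=random.Random)
    assignments: dict = field(default_factory=dict)  # recipient -> Template
    tokens: dict = field(default_factory=dict)       # opaque token -> recipient
    clicks: dict = field(default_factory=dict)       # recipient -> click count

    def assign(self, recipients):
        """Spread the chosen templates across recipients in shuffled order so that
        people who compare notes are unlikely to have received the same email."""
        order = list(self.templates)
        self.rng.shuffle(order)
        for i, recipient in enumerate(recipients):
            self.assignments[recipient] = order[i % len(order)]
        return self.assignments

    def tracking_link(self, recipient):
        """Per-recipient link on the template's subdomain. The token is random and
        kept server-side, so the URL leaks nothing and cannot be enumerated or forged."""
        template = self.assignments[recipient]
        token = secrets.token_urlsafe(16)
        self.tokens[token] = recipient
        return f"https://{template.subdomain}.{self.domain}/login?t={token}"

    def render_email(self, recipient):
        template = self.assignments[recipient]
        return template.subject, template.body.format(link=self.tracking_link(recipient))

    def handle_click(self, url):
        """Landing-page handler. Returns the training message to deliver (shaped as a
        Slack-style DM payload), or None if the token is unknown or the host does not
        match the template the token was issued for."""
        parts = urlparse(url)
        token = parse_qs(parts.query).get("t", [None])[0]
        recipient = self.tokens.get(token)
        if recipient is None:
            return None
        template = self.assignments[recipient]
        if parts.hostname != f"{template.subdomain}.{self.domain}":
            return None
        self.clicks[recipient] = self.clicks.get(recipient, 0) + 1
        return {
            "channel": recipient,
            "text": (f"Heads up: the '{template.subject}' email you just clicked was a "
                     f"simulation. {template.lesson}"),
        }


# Constructed sample data: the domain, addresses and wording are placeholders.
SAMPLE_TEMPLATES = [
    Template("password-expiry", "Your password expires today",
             "Reset it now to keep access: {link}", "sso",
             "Real password prompts come from your SSO portal, never from an email link."),
    Template("shared-doc", "A document was shared with you",
             "Open the document: {link}", "docs",
             "Hover over links and check the domain before you sign in."),
]


def run_demo(seed=7):
    """Assign two templates to four recipients, send one email, click it once,
    and try a forged token. Returns (campaign, notice_for_real_click, result_for_forgery)."""
    campaign = Campaign("corp-login-portal.example", SAMPLE_TEMPLATES, random.Random(seed))
    recipients = ["ana@example.org", "ben@example.org", "cy@example.org", "dee@example.org"]
    campaign.assign(recipients)
    _subject, body = campaign.render_email("ana@example.org")
    link = body.split()[-1]                       # the body ends with the tracking link
    notice = campaign.handle_click(link)
    forged = campaign.handle_click(f"https://sso.{campaign.domain}/login?t=not-a-real-token")
    return campaign, notice, forged


if __name__ == "__main__":
    c, n, f = run_demo()
    print(n["text"])
    print("forged click accepted:", f is not None)
```

Two design points matter in practice. The tracking token is random and resolved server-side, so a recipient's address never appears in the URL and nobody can manufacture a click for a colleague; the host check stops a token issued for one template's subdomain from being counted on another. Anything that would actually post to Slack belongs behind the returned payload, not inside the click handler, so the handler stays testable.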