With our phishing simulator out of beta and available publicly, one of the most common questions we get asked by admins, and one of the most common questions we get asked by potential customers, is around the phishing templates we have available for phishing campaigns, how we create new templates, and how often we release templates.

Creating phishing templates is a fun process. It forces you to think like an attacker. And think like a target. Our case also requires us to use customer input and feedback. We want to understand what our customers think are the most pressing phishing threats so that we can incorporate that into our process of prioritizing and creating phishing templates.

We focus on creating phishing email templates that are “realistic” in that they feel like a real message. This is precisely what attackers do as they create phishing emails. This is also why we use ChatGPT to create some of our phishing templates because attackers will use AI tools like ChatGPT to create real phishing emails.

What’s an attacker's goal as they write a phishing email? Phishing succeeds through psychological manipulation. It is a specific form of social engineering.

The goal is to trick the person receiving the email into doing something, most often that something is clicking a link or opening an attachment. To trick a user, an attacker wants to trigger an emotional reaction. The emotional reaction increases the likelihood that a user will do something irrational or rushed without fully considering the consequences.

Attackers trigger an emotional reaction by sending a message that evokes fear or anger. Curiosity or excitement works as well but these are harder to trigger in an email.

We sometimes feel bad triggering these emotional reactions but our goal in doing it is to maximize the chances that people don’t fall victim to real phishing attacks. To do that, we have to mirror the process that real attackers use.

We create phishing templates that fall into 3 categories.

1. Human written plain text. We write these emails ourselves. We try to write emails that feel real and for things that happen - office parties, new policies, benefits, etc.
2. ChatGPT written plain text. In this case, we use ChatGPT to write emails. We write prompts for ChatGPT to write a specific type of email. Here is an example of a prompt we have used - write an email announcing an office party. Include a link to signup if you are attending. the email should come from HR. make the email fun.
3. Copies of real SaaS app emails. For these, we find real-world examples, examples that we have received in our inboxes, and we use them as models for phishing templates. These emails often contain HTML and not just plain text.

Once we have a phishing email written, we create a landing page for the link in the email. We buy real-looking domains and use different subdomains for each template.

We then write a short Slack training message about the email. This Slack message is sent instantly to users that click the link in the email.

We release 5-10 new phishing templates each month to keep them fresh and to cover new and emerging phishing strategies employed by attackers.

When you launch a phishing campaign on Haekka, you can choose multiple templates for us to send. If you choose multiple templates for a campaign, Haekka will randomly shuffle the templates to avoid simple detection by users.