Last updated at Tue, 25 Jul 2017 19:11:12 GMT

What are the baits that make people click on a link or attachment in a social engineering email? I've looked at some common examples and tried to categorize them. Maybe this list will trigger some ideas next time you're writing social engineering emails.

Habits: Think of this as exploiting the brain's auto-pilot - standard email triggers standard response of opening attachment or clicking on link:

  • LinkedIn connection requests
  • GoToMeeting invitations
  • Daily reports from a CRM/ERP system

Nosiness: If you're sending something private or confidential to a nosy person (most people), they'll surely open it:

  • Office scandals
  • Someone's private files
  • Email supposedly meant for someone else

Information: Mask your email as information that is important or valuable:

  • New expense policies
  • New time-off regulations
  • Updated 401k matching policy

Authority: Some people just like to follow orders - they are compelled by it. Send emails from a person of authority, asking to complete an action:

  • CEO asking you to fill in a questionnaire
  • Police asking you to identify person in attached picture
  • Court order

Greed: Tell people how they can make more money without effort, such as many Nigerian 419 scams:

  • Inheritance
  • Insider trading
  • Contract fraud

If you have experience with social engineering emails, which campaigns have been successful for you? What other categories have you identified? I'd love to hear about them in the comments.

If you are a social engineer, or need to run a phishing campaign to test user security awareness in an assessment, check out the social engineering campaigns in Metasploit Pro. Download your free Metasploit Pro trial today.