How DMARC Combats Phishing

Interesting infographic from the Marketing Tech Blog about how DMARC (Domain-based Message Authentication, Reporting and Conformance) approaches phishing.


How To Write Phishing Emails That Get Clicked

If you’re doing physical penetration tests or testing the human component of security, it’s inevitable that you’ll come across the need to write some phishing emails.  Here are five elements to get a better click-through rate (CTR).

1. The Subject is the Headline

One of the first things that people see in pretty much any email software is the subject line.  This means that the subject line fulfills the same role as the headline in advertising: it pulls the reader in.  Here are some things that have worked well in the past:

  • State the benefit for opening the email.  Ever wonder why all those spam emails advertise “Get XXX tonite”?  It’s simple: it works.
  • Create curiosity by asking a question.
  • “Break the news.”  Studies have shown that advertising in the form of news is read more.  The same goes for phishing emails.

2. Make it Easy to Read

This one actually came from Mike Murray. It’s the idea that certain types of writing are easier to read and understand.  The easier an email is to read, the more likely it is to be persuasive.  So how can you write in a style that’s easier to read?  Copyblogger has some good tips.   Here are a few others:

  • Learn Basic (British American Scientific International Commercial) English.  It’s how to communicate in English using only 850 words (for the most part :P )
  • Spend some time on the “Simple Wikipedia”
  • Check the reading level of your emails with the Flesch-Kincaid Readability Test

3. Look Legit

Phishing emails that have poor grammar, spelling, etc. just look plain fishy.  Emails that don’t look legitimate are less likely to get clicked.  If you’ve ever seen one of the 419 emails you’ll know exactly why.  Make sure you:

  • Use a spell checker (if it makes sense)
  • Verify all links and images work (if you’re using HTML)
  • Look at the message for any “substitution errors” (e.g. “Hello $USER”)

4. Give a Reason to Click

In order for someone to take action you need to give a reason.  The reason can vary, but if you want to increase your chances of success make sure your emails have this element.  Here are some examples:

  • Click here for 101 ways to make money now!
  • Hey, is this picture really of you?
  • You have notifications waiting!

5. Make it Fit

One way to raise suspicion is to send an email that is out of place.  Going back to the 419 scam emails, if Prince Njoku of Nigeria sends you an email asking for help to get money out of the country, it just doesn’t make sense. [1]

Much of this will be situation-specific, so this is one place reconnaissance can be useful.  You may want to consider:

  • The environment the target is in:  Are they at work, at home, in the coffee shop?
  • How the target reads email: Does their reader support HTML, is it a mobile device?
  • Who the target is:  Are they a secretary, a gamer, an IT professional?

Other things you think should be added?  Feel free to leave a comment below.

Notes:

  1. Unless, of course, you are in the business of helping foreign princes funnel money out of the country.

Five Tips for Reading Facial Expressions


Have you ever tried to figure out what it means when someone gives you “the look”?  Maybe they’re angry at something you did, or at something you didn’t do.  Reading facial expressions is tricky, so here are 5 simple tips to make you a better “face reader”. 1. Focus on emotions, specifically the basic emotions [...]


A Facial Expression for Anxiety?


MedicalXpress is reporting on a paper that suggests a facial expression for anxiety: Researchers from the Institute of Psychiatry (IoP) at King’s College London have, for the first time, identified the facial expression of anxiety. The facial expression for the emotion of anxiety comprises an environmental scanning look that appears to aid risk assessment. Per [...]


Hotspot and Facial Expression Resources


Here are a couple of resources to help with recognizing hotspots and facial expressions of emotion. Humintell has compiled a list of videos with examples of microexpressions, hotspots, gestures, and emotions. Here at Social Exploits we’ve been slowly building a library of “interesting faces”. The collection includes various facial expressions of emotion from a variety [...]


What Are Facial Expressions?


Facial expressions are a vital part of communication. What’s funny is that most people talk about facial expressions, but they don’t really know what they are. This post examines what facial expressions are in the context of nonverbal communication. Facial Movements Before we can even get into what facial expressions are, we have to understand [...]
