The Trickiest Phishing Email Templates & How to Spot Them

Want to get ace those phishing simulations that your company sends every so often? You’ve found the right place to get the lowdown on the tactics that are used to catch you out. Start taking notes - today we’re spilling all the secrets!

Be wary of Internal Department Comms

Emails from IT and HR get the MOST clicks because it’s our job to open them. Clever, huh? Take extra care when you’re sent links or attachments by HR, IT, or another internal department. If the greetings and sign-off look legit, always have a quick look at the sender's address. If it is fake, report it! You’ll get brownie points for doing so.


Want to see one way this has been used in real life? The below video shares how a particularly nasty HR impersonation email cost one business literally millions!

Video: Getting Fired Cost My Company Millions! | Termination Scam

Unknown Login Emails are often phish

Did you know an unknown login email you didn't trigger yourself is more likely to be a phishing email than signs of a hack?! If you get an unexpected unknown login email, visit the service it relates to in your usual and trusted way (ignore all links and numbers in the email!) and check the recent logins to the account. If there haven’t been any, then the email is a phishing email, and you should report it.

Message, calls, or tag notifications get you clicking

We’re all used to clicking notifications for new messages, etc, without even thinking about it first. This is why attackers create notification phishing emails. For example, you could get a LinkedIn message notification email while working and just click on it right away in case it’s important. Just like that, you log in and your account has been compromised.

Take a few extra seconds to think over whether this message is coming from a service you haven’t seen before, or if it’s not giving enough detail for what it’s about, it could be someone is trying to phish you. You can log into the account or service directly to check if the notification is legit.

GoToMeeting-november (1)


These phishing templates and more available in Wizer Boost Phishing Simulation.

Time pressures are a red flag

We make mistakes when we’re rushed. Those who write phishing emails know this, too. If you feel excessive time pressure, like “your account will be closed today”, or you’re given the chance to quickly reverse something you don’t want - like a payment going out or a large order you did not place - be super careful, as these are secret tactics that can be used. Nothing is ever so urgent that you can’t take an extra 30 seconds to make sure it’s the real deal and not a phishing email. If you feel panic or pressure, pause and see if there’s a way you can check legitimacy without using any links or phone numbers in the email.



Your CEO emails you asking to send a document over, and your work buddy emails you asking you to send a document over. Which email are you more likely to immediately respond to? Exactly! Those who craft phishing emails know this all too well, which is why they often pretend to be someone of authority because they know it makes people act, and act fast. If you get any unusual requests, especially if they’re sent directly to you, take extra time to verify the legitimacy of the email and contact the sender through other means of communication, like a phone call.

Video: How Donna's Office365 Account Was Hacked



Using a complete security awareness training and phishing simulation solution like Wizer's,  upgrade your program to lay the ground work for developing a security mindset and enhancing your security culture.

That's it for this month's phishing template ideas - looking for more ideas for phishing templates? Check our blog for more examples of phishing templates.