Security awareness

How to Phish Like a Hacker with SecurityIQ

January 5, 2018 by Megan Sawle

SecurityIQ clients understand that the best way to beat hackers is to think like them. To help you improve your phishing simulation difficulty and effectiveness, we’ve gathered four frequently asked phishing questions and answers below. Recommendations are made using our team’s expertise and real data on hacker activity from ProofPoint’s 2017 Human Factor Report.

What Day of Week Should I Send My Phishing Simulations?

Like good email marketers, hackers understand phishing emails will have better open and click rates during certain days of the week. Here’s a quick look at weekly email-based threat arrival trends from the team at ProofPoint.

As you can see, most malicious emails are sent on Wednesdays and Thursdays. This is unsurprising — midweek, employees are most attentive and caught up with their workloads, giving them more time to to read and click through emails in their inbox. As expected, few email-based threats arrive over the weekend.

Tip: Consider modeling your own phishing simulation campaigns after the chart above. Using SecurityIQ, you can schedule campaigns just like hackers would to optimize your simulation campaigns. This will mirror when hackers are targeting your team and better prepare them for real-world threats.

What Time of Day Should I Send My Phishing Simulations?

To answer this question, think about the times of day you are actively checking email. If you’re like the majority of professionals, you are most active at the beginning of the day and around lunchtime. ProofPoint summarizes malicious link clicks by hour of day.

While users are clicking malicious links at all hours of the day, the trend is clear: users are most likely to click phishing emails from 8:00 a.m. to 1:00 p.m.

Tip: Schedule your next phishing campaign early in the day to optimize difficulty and team interaction. The resulting open and click rate report from SecurityIQ will give you insight on when your team is most vulnerable and let you quickly address any emerging behavioral trends

How Much Should I Personalize My Phishing Simulations?

In short — as much as you can. With the rise of spearphishing, many phishing emails have become highly sophisticated and personalized. Hackers will research your co-workers on social networks to gather titles and personal information and then use this information to send targeted spearphishing campaigns.  

Tip: Customize your phishing simulations in multiple ways to increase campaign difficulty. This approach will mirror the methods hackers use to target your team and prepare them for real-life attacks. Customization options in SecurityIQ include:

  • Subject line: Add your coworkers’ first names into the subject line, e.g., “Joe, Your 25% Off Coupon is Inside”
  • Greeting line: Be sure to add the custom name field to your phishing email template to personalize email greetings
  • Email body: Use your organization’s name somewhere in the email to increase authenticity
  • Attachment: If you are using attachments in your campaign, customize the file name to your organization’s business
  • Domain: Send your next simulation using a SecurityIQ Phishy Domain. We recommend using a domain name similar to your organization’s to increase difficulty

Who Should I Send My Phishing Simulations From?

Hackers often pose as popular or familiar organizations to build trust with their victims and harvest their credentials. Generally, they pose as a trusted contact and request some form of link click or download. This is known as a credential phishing lure. Below is a table of the top-ten phishing lures used in 2016.



Apple Account


Microsoft OWA


Google Drive






Adobe Account










Source: ProofPoint, The Human Factor 2017

Hackers will use different phishing lures depending on the size of group they are targeting. Social media lures are generally more effective in small, targeted campaigns, while document sharing lures (such as a fake request from DropBox) are used consistently regardless of target size or location.

Tip: Consider using a phishing template modeled after the lures listed above in your next campaign. You can use these as a starting point, or use lures more closely associated with your own organization. This will prepare your team for the phishing attacks targeting them in the wild, and improve the effectiveness of your simulation campaigns.



The Human Factor 2017, ProofPoint

Posted: January 5, 2018
Megan Sawle
View Profile

Megan Sawle is a communications and research professional with 10 years of experience in cybersecurity, bioscience and higher education. Megan leads Infosec’s research strategy, leveraging study findings to mature its cybersecurity education offerings and build awareness of cybersecurity diversity and skill shortage challenges. Since joining the team, she’s directed research projects on a wide variety of cybersecurity topics ranging from dark web marketplaces and phishing kits to the Workforce Framework for Cybersecurity (NICE Framework) and the importance of soft skills in cybersecurity roles. Megan is a University of Wisconsin-Stout graduate, an avid equestrian and (very) amateur mycologist.