If you want to run phishing simulations (or if you already are), here are 7 fairly varied scenarios that will allow you to test your users against different attack profiles.

It’s a highlight reel of the attack simulations Mantra has run through different phishing campaigns at diverse companies. 

Have fun and enjoy the phish :)

1. “The fake CRM lead”

Target: Credentials
Psychological trigger: personal gain
Compromise rate: 27% *
Comment:
You thought you had a new lead? Wrong, you just handed your CRM credentials to hackers. The lure of personal gain is the lever behind many phishing campaigns, with a broad range of enticements: gift cards, free smartphones, new laptops for employees...

2. “Your password has expired”

Target: Credentials
Psychological trigger: security
Compromise rate: 11% *
Comment:
What better way to trick a user than to simulate a security message? All the password update requirements we receive (I used to get one every 45 days at a previous company; needless to say, most people only changed theirs marginally) open the door to phishing attacks.

3. “Granting permissions”

Target: Consent phishing
Psychological triggers: varied
Compromise rate: 18% *
Comment:
One-click authentication, what a convenience… for hackers. They are skilled at turning users’ habits against them (i.e. routinely granting permissions in order to access apps, documents…). This type of attack is all the more difficult to detect because the consent page through which the hackers obtain permissions for their app is the genuine Microsoft Office one.

4. “Fake security update”

Target: Drive-by download
Psychological trigger: security
Compromise rate: 16% *
Comment:
Updating your browser, your anti-spam software and firewall, your macOS: good habit and good practice. Downloading malware after a phishing attack: not so great.

5. “This mysterious document”

Target: Attachment with malware
Psychological trigger: curiosity
Compromise rate: 21% *
Comment:
Simple. Effective. Few can resist the lure of opening or accessing documents sent to them by a “trusted” source… and more’s the pity.

6. “The CEO email”

Target: Attachment with malware
Psychological trigger: social proof and hierarchy
Compromise rate: 24% *
Comment:
Loved, hated, never ignored: no one is indifferent to their CEO. That’s why, after only a cursory check, one might open his email and fall into the trap… PS: this doesn’t mean you should ignore every future email from your CEO.

7. “Sheer Panic”

Target: Credentials
Psychological trigger: fear
Compromise rate: 16% *
Comment:
The tender response you’ve been working on for months: you don’t want to see the files vanish into the fog of cloud-based storage, do you? For everything to go back to normal, all you have to do is give your credentials to the hackers...

It goes on and on

These are some of the tactics you can use to start training your teams internally. Of course, this list is far from comprehensive: the creativity of hackers is unfortunately boundless…

Just in case, we of course stress that this exercise should only be conducted in a professional work environment (and not to spy on your neighbor). 

If you want to know more about the other methods we use at Mantra to protect your teams from phishing and spear phishing attacks, contact us and book a demo.

* Compromise rate: the number of compromising actions relative to the number of emails sent during the simulations.