How to write a good phishing e-mail

When we were working on the project that required all 45,000 IT accounts on campus to change their password yearly, we had to craft a series of reminder e-mails that the looming deadline was, well, looming. The content was simple enough:

  1. Tell users their password is expiring
  2. Tell users where to go to change their password
  3. Tell users what happens if they don’t change their password
  4. Send the message from our IT support centre so reply e-mails go there

Pretty simple. Let’s see what that e-mail looks like:

Looks good right?

It turns out the University gets a lot of phishing e-mails that are targeted right at us, and they look very convincing. They have a professional polish, use real senior leaders from our leadership team in the from address, and link to a fake version of our login page that is a pixel perfect clone of ours.  This kind of e-mail would either:

  • Scare off users who are rightfully suspect of it
  • Reinforce that these e-mails are legitimate, opening the way for more phishing e-mails

So comes the real challenge. How do you make an e-mail that is actually legitimate be legitimate, in a way that criminals can’t copy and use against you?



There is already several technical solutions to making sure an e-mail is legitimate. SPF is already enabled to protect the ucalgary domains from being spoofed, and DMARC does something similar. DKIM is a way of preventing message headers from being forged using encryption keys. However getting around these is fairly simple:

  • Use a domain that looks similar to a ucalgary domain, and hope the user doesn’t notice the discrepancy
  • Hijack a legitimate ucalgary e-mail account and send out the phishing e-mails before we catch it

So technical solutions are good, and should always be implemented. However, paying attention to both that the correct mail domain was used, and the correct account name (in our case, itsupport) was used is more thought then most people give to an e-mail.


Make it look more official

So lets spruce up our e-mail a bit. It turns out our strict guidelines on use of the University of Calgary logo forbid it from being used in phishing e-mails. So lets add our logo, put the user’s name in the header, add a real name to the signature, and put some warning in the footer.

Now we have digital security, and a very official looking e-mail. Since we are legally allowed to use the crest, and scammers are not, they can’t duplicate this. Right?



Turns out scammers who send phishing e-mails don’t care about the policies governing our logo, they probably haven’t even read the policy.

At this point, we have actually had someone copy our e-mails word for word and send them out, hoping users will click on the link and go to their fake login page that looks identical to ours. They are sent from fake or compromised e-mail addresses and a bunch get through our filter long enough to be read by a few people. The link doesn’t stay available on our network very long before being blocked, but it is still long enough to be an issue.

So we have to take their power away, and teach user’s to not click on e-mail links on messages they didn’t expect. After all, our automated password expiration e-mail is unexpected.

That is, we just remove all the links entirely.

Our user’s are familiar with a very basic set of webpages. The Password Management tool where they change their password wasn’t one of them at the time. However things like our home page at certainly are. So we switched to very simple instructions on how to change your password without clicking on a link.

This e-mail is a mouthful, but it follows our stance on educating user’s to be very wary of unsolicited e-mail. Scammers can copy the e-mail all they want, but they would be hard pressed to add a dangerous link to our home page. It is certainly trivial to copy the e-mail, but add a link back in, however the deception is lost with the visual change.

Our solution isn’t perfect, and we continue to expand on ways to protect user accounts and stop phishing e-mails before they reach the inbox of our users.


Sean Feil