TechEarl

60 Phishing Email Jokes Every IT Security Pro Knows

60 phishing email jokes on display-name spoofs, typo'd domains, urgent CEO gift card requests, IT helpdesk impersonators, and 4:47 Friday lures.

Ishan Karunaratne · 3 min read

60 Phishing Email Jokes

The display name said our CEO. The address was a Gmail account with 14 characters and a number. I almost replied anyway. It was 4:47 on a Friday.

The domain was microsoft-support.help-center.online. The real domain is microsoft.com. I knew this. I still hovered for a second.

Subject: URGENT: Are you at your desk? No CEO has ever asked me this and meant it.

The CEO needed gift cards. Apple, specifically. Five hundred dollars worth. For a client. For a client whose name he would send after I bought them.

The Nigerian prince has updated his template. He is now a Nigerian crypto investor. The grammar is the same.

The email came from Microsoft Account Team noreply@rnicrosoft.com. The r and n look like an m. It worked in 2014. It still works.

The link previewed as login.office.com. The actual href was a 47-character bit.ly URL. The preview was a lie I helped write.

Your password expires today. Click here to keep it active. My password expired last week. I have already reset it. I still hovered over the link.

The email subject was Fwd: Fwd: Fwd: Re: Invoice 8341. There was no original thread. Just the Fwds.

The phishing email was perfectly punctuated, professionally written, and addressed me by name. It was the legitimate email from HR I was suspicious of.

Dear Valued Customer, Nobody who has ever valued me has called me that.

I got an email saying my package could not be delivered. I had not ordered a package. I clicked anyway. The dopamine of a maybe-package overrode the entire security awareness module.

The IT helpdesk sent a password reset link from itsupport@itsupport-itsupport.com. The real address is help@company.com. I have known this for six years. My finger still moved toward the link.

Your storage is 98% full. Click here to upgrade. My storage has been 98% full since 2019. The deletion was a relief I never got.

The email said it was from DocuSign. The document I had not signed was named INVOICE_FINAL_v2.docx.exe.

The CEO sent me a message at 11:14 PM. The CEO has never sent me a message at any time.

We detected unusual activity on your account. The unusual activity was me checking my account. I check it daily. They are correct that this is unusual.

The email was from LinkedIn. The subject was You have a new connection request. The connection request was from a recruiter named Jessica with a stock photo and zero mutual connections. The button was a real button to a fake site. The site was learning my password.

The bank email warned me of a 4,200 dollar wire I did not authorize. For a moment I was furious before I was suspicious. They had me for one full breath.

Click here to verify your identity. I verified my identity to a server in Belarus.

I forwarded the phishing email to phish@company.com. The phish@ address bounced. The reporting workflow had been deprecated. The phisher had not.

The phishing email used my full legal name including the middle initial nobody at work uses. It had been scraped from a 2017 LinkedIn breach. The phisher knew me better than my manager did.

Hello, I am from the IRS. The IRS does not begin emails with Hello.

Hello, I am from the CRA. The CRA does not begin emails.

The phishing email had a logo that was the right shape but the wrong color. It was a teal Microsoft logo. Microsoft is not teal. I have never noticed Microsoft's exact shade of blue before this moment.

The email said: Your colleague has shared a document with you. The colleague was named Karen Smith. There are nine Karens at this company. None of them are a Smith. All of them were plausible for two seconds.

The Outlook external email banner said EXTERNAL. The sender said it was internal. I trusted the sender's word over the banner Outlook had placed there specifically to overrule the sender.

The phishing simulation caught 38 percent of the company. The email it impersonated was a real email the company had sent the week before. We were trained to distrust ourselves.

I hovered over the link. The status bar showed a URL. I cannot read URLs anymore. They are all 200 characters of question marks and equals signs. The bar was meaningless. I clicked on faith.

Subject: Your salary review is attached. This is the only phishing email that consistently works. Curiosity is stronger than training.

The email was from FedEx. The reference number was correct format and correct length. It was also entirely fabricated. The format was the only part they needed to get right.

Reply to this email to confirm your attendance. The meeting did not exist. The calendar invite did not exist. I almost confirmed it anyway because the sender used a calendaring app icon.

The email said: I cannot talk on the phone right now, please email me back. This is the new CEO impersonation gambit. Phone calls have become the trust signal. Removing the phone is the trick.

I am at the airport and my flight leaves in 20 minutes. The CEO has never been at an airport. The CEO has a driver. The CEO has never asked me for anything in twenty minutes. I almost replied.

The email was signed Sent from my iPhone. The legitimate emails are signed with a 14-line signature block including legal disclaimers. The Sent from my iPhone was the giveaway. It was also exactly what made it feel real.

The phishing email pretended to be from Adobe. Adobe has sent me 412 real emails this year. I have not opened any of them. The phisher was the first one to get my attention.

Action required. No action has ever been required by a real email with this subject.

The phishing landing page had a small box at the bottom that said: This site is secured by Norton. It was not. Norton has never heard of it. The box was a JPEG.

The phishing link redirected through six domains before landing on the credential form. The redirect chain was longer than the actual content of the email.

I caught the phishing email. I felt smart for 90 seconds. Then I clicked a real link in a real newsletter and entered my password into a site I had bookmarked. The bookmark was old. The domain had been parked. The smartness did not transfer.

The phisher addressed me as Dear sir/madam. This is the single most effective filter the spam industry has ever invented. The cost of the slash is zero. The cost of the slash to the legitimate sender is also zero. Only the phisher pays.

The email was a meeting invite from the CEO's actual address. The address was spoofed. SPF was not configured on our domain. SPF has not been configured on our domain since 2011. The CTO has been told. Nothing has happened. The phisher knew.

The phishing email included a real screenshot of my Outlook inbox. They had access to my Outlook inbox. The phishing email was the part of the breach I noticed.

We tried to deliver your package but no one was home. I work from home. I have not left this room in two days. There was no package. I clicked anyway.

The phisher asked me to update my bank details for payroll. The HR system has its own self-service portal. The portal is famously broken. The phishing form looked like it worked better. For a moment I preferred the phishing form.

Your subscription has been renewed for 499 dollars. Click here if you did not authorize this. I have never subscribed to anything for 499 dollars. The click was the goal. The subscription was the bait.

The phishing email arrived during the all-hands. Half the company had their laptops open and their attention divided. The phisher knew the meeting schedule. The meeting schedule was on a public calendar.

The training said to look for spelling mistakes. The phisher has heard. The phisher has hired a copy editor.

The training said to look for urgency. The phisher reduced the urgency. The new emails are calm. They are also still phishing emails.

Subject: One quick favor. The favor was never quick.

The phishing email was a reply to a real email thread from three months ago. The attacker had compromised the vendor's account. The vendor was now the phisher. There was no domain to spoof. The domain was real.

The email said: I am in a meeting and cannot speak right now. The meeting was a literary device. The phisher was at his desk.

Your Office 365 mailbox is full. Click to clean up. My Office 365 mailbox has been full for years. The click was the cleanup the phisher needed.

The phishing email included a calendar attachment that auto-added a meeting to my calendar. The meeting was named Important: read the attached document. The attached document was a credential harvester.

I clicked the link. The page asked for my password. I typed it. I realized halfway through. I finished typing because stopping felt rude to the form.

After I reported the phishing email, security sent me a thank you. It was the only positive email I received from security in eight years.

The phishing email passed DMARC, SPF, and DKIM. The attacker had spent more time on email authentication than our domain admin had.

The IT director sent an all-hands warning about a sophisticated phishing campaign. The all-hands warning was the phishing campaign. He had been compromised that morning.

The email said: Please review the attached and confirm by EOD. The attached was a ZIP. Inside the ZIP was a folder. Inside the folder was an LNK file. The LNK file pointed at a PowerShell command 600 characters long. The 600 characters were the entire job description of the phisher.

I almost clicked the link. I did not click the link. This is the only meaningful win I have had at work this quarter.

Why the phishing email keeps working

The training video says phishing emails are obvious. They are riddled with typos, they come from suspicious addresses, they ask for money in a way no real colleague would. The training video was made in 2014. The phisher has been to the same training. The phisher has updated the playbook.

What works in 2026 is the realistic version: the display-name spoof that looks like the CEO at a glance, the typo'd domain that reads as the real one if you are reading fast, the conversational tone of someone genuinely in a hurry, the request that is just slightly off-policy but not absurd. The phisher does not need to fool a calm, focused person reading an email on a Saturday morning with coffee. The phisher needs to fool a tired person at 4:47 PM on a Friday with 312 unread emails and a manager waiting on a deliverable. Everyone is that person sometimes. Anyone who tells you they would never click is overestimating how rested they will be at the wrong moment.
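The lures in that paragraph (and in the jokes above: CEO display name on a free-mail address, a Reply-To that goes elsewhere, `rn` standing in for `m`, link text that disagrees with the href, a real brand name buried in someone else's registrable domain) are all mechanically checkable before a tired human has to judge them. The script below is an added example, not code from the page or its author: a small mail triage pass over a constructed sample message. The internal domain, the free-mail list, the brand-to-domain map and the confusable-pair table are assumptions chosen for the example; the eTLD+1 helper takes the last two labels, which is wrong for names like `co.uk` and would use the Public Suffix List in a real build.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: our own mail domain, free-mail providers an executive
# would never send from, and the registrable domains each expected brand really uses.
INTERNAL_DOMAIN = "example.com"
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "office.com", "live.com"}}
# Letter pairs that read as one letter in a proportional font: rn -> m, vv -> w, ...
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]
TITLES = re.compile(r"\b(ceo|cfo|cto|director|helpdesk|it support)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); a real build would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def lookalike_brand(host: str):
    """Brand the host imitates, or None if it is one of that brand's real domains."""
    folded = host.lower()
    for pair, letter in CONFUSABLES:
        folded = folded.replace(pair, letter)
    for brand, real_domains in BRAND_DOMAINS.items():
        if registrable(host) in real_domains:
            return None          # genuinely the brand's own domain
        if brand in folded:      # brand name present, but under the wrong registrable domain
            return brand
    return None

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> so text and target can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text: str) -> str:
    """Hostname of a URL or bare hostname, lower-cased."""
    return (urlparse(text if "://" in text else "//" + text).hostname or "").lower()

def triage(raw_message: str) -> list[str]:
    """Return human-readable findings for the lures this page describes."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_host = addr.rpartition("@")[2].lower()
    if TITLES.search(display) and registrable(from_host) in FREEMAIL:
        findings.append(f"title in display name but free-mail sender: {addr}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registrable(reply.rpartition("@")[2]) != registrable(from_host):
        findings.append(f"Reply-To goes elsewhere: {reply}")
    if (brand := lookalike_brand(from_host)):
        findings.append(f"sender domain {from_host} imitates {brand}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = host_of(href)
        if LOOKS_LIKE_URL.fullmatch(text) and registrable(host_of(text)) != registrable(target):
            findings.append(f"link text {text!r} but target host {target}")
        if (brand := lookalike_brand(target)):
            findings.append(f"link target {target} imitates {brand}")
    return findings

# Constructed sample, not a real capture: CEO display name on a Gmail address, a bit.ly
# link shown as 'login.office.com', and a hyphenated lookalike behind a real-looking URL.
SAMPLE_MSG = """\
From: "Dana Whitfield (CEO)" <dana.whitfield2291@gmail.com>
Reply-To: dw.urgent@outlook.com
To: you@example.com
Subject: URGENT: Are you at your desk?
Content-Type: text/html; charset=utf-8

<p>Need a quick favor, cannot talk right now.</p>
<p><a href="https://bit.ly/3xAmPl3">login.office.com</a></p>
<p><a href="https://microsoft-support.help-center.online/verify">https://microsoft.com/account</a></p>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_MSG):
        print("-", finding)
```

Run on the sample it reports five findings: the free-mail CEO, the foreign Reply-To, both text-versus-target mismatches, and the `help-center.online` host imitating Microsoft. Note what it deliberately does not do: it never follows the bit.ly link, so the redirect chain and the landing page stay unexamined; the point is to flag a message before anyone clicks, which is the only moment the lure is still cheap to catch.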

The best phishing defenses are structural, not behavioral. The mail server's external-sender banner. The DMARC reject policy on your own domain, so a spoof of the CEO's real address never reaches an inbox. The browser warning on a brand-new domain. The password manager that refuses to autofill on the wrong origin. The MFA prompt that makes you type the number shown on the login screen instead of tapping Approve. Some of these stop the message before it lands; the rest catch the click after it happens, which is the only realistic place to catch it. The human at the keyboard is doing their best. The human at the keyboard is also tired. The system has to assume both.
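Two of the jokes above turn on the DNS side of this: a domain with no SPF since 2011, and a phisher whose own domain passed SPF, DKIM and DMARC because they bothered to set them up. The following is an added example, not the page's or its author's code, that reads SPF and DMARC TXT records and says what a spoof of the exact From domain would meet at a DMARC-enforcing receiver. The three domains and their records are constructed for the example (the `spf.protection.outlook.com` include is the standard Microsoft 365 one; everything else is made up), and the records are looked up in a dict rather than resolved, so it runs offline.

```python
SPOOF_OUTCOME = {"reject": "rejected", "quarantine": "quarantined"}

def parse_tags(record: str) -> dict[str, str]:
    """Split a DMARC-style TXT record into tag=value pairs (keys and values lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def assess_dmarc(record):
    """(verdict, reason) for what receivers do with mail that fails alignment for this domain."""
    if not record:
        return "spoofable", "no DMARC record: receivers have no policy to apply"
    tags = parse_tags(record)
    if tags.get("v") != "dmarc1":
        return "spoofable", "not a valid DMARC record"
    policy = tags.get("p", "none")
    pct = int(tags.get("pct", "100"))
    if policy not in SPOOF_OUTCOME:
        return "spoofable", "p=none only reports; spoofed mail is still delivered"
    if pct < 100:
        return "partial", f"p={policy} applied to only {pct}% of failing mail"
    return "enforced", f"p={policy}: mail failing SPF/DKIM alignment is {SPOOF_OUTCOME[policy]}"

def assess_spf(record):
    """(verdict, reason) for the SPF record; the 'all' mechanism at the end decides it."""
    if not record:
        return "missing", "no SPF record: any host may claim to send for this domain"
    terms = record.lower().split()
    if terms[0] != "v=spf1":
        return "invalid", "record does not start with v=spf1"
    tail = terms[-1]
    if tail == "-all":
        return "fail", "unlisted senders hard-fail"
    if tail == "~all":
        return "softfail", "unlisted senders soft-fail; only DMARC turns that into a rejection"
    return "open", f"ends with {tail!r}: unlisted senders are not failed at all"

def exact_domain_spoof(spf, dmarc) -> str:
    """Outcome for a message that forges this domain in From without a valid DKIM signature."""
    dmarc_verdict, _ = assess_dmarc(dmarc)
    spf_verdict, _ = assess_spf(spf)
    if dmarc_verdict == "enforced":
        return "blocked: no aligned SPF or DKIM pass, so the DMARC policy applies"
    if dmarc_verdict == "partial":
        return "blocked for a fraction of messages; the rest are delivered"
    if spf_verdict == "fail":
        return "delivered by most receivers; SPF -all without DMARC is advisory"
    return "delivered; nothing tells the receiver to reject"

# Constructed records (not real DNS): the 2011 situation, monitoring-only, and enforced.
SAMPLE_DNS = {
    "example.com": (None, None),
    "example.net": ("v=spf1 include:spf.protection.outlook.com ~all",
                    "v=DMARC1; p=none; rua=mailto:dmarc@example.net"),
    "example.org": ("v=spf1 include:spf.protection.outlook.com -all",
                    "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.org"),
}

def report(domain: str) -> str:
    """Spoof outcome for one of the constructed domains."""
    # DMARC covers only this exact domain. A lookalike such as rnicrosoft.com publishes
    # its own records and passes all three checks; that lure needs message-level checks.
    return exact_domain_spoof(*SAMPLE_DNS[domain])

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE_DNS.items():
        print(domain)
        print("  SPF  :", ": ".join(assess_spf(spf)))
        print("  DMARC:", ": ".join(assess_dmarc(dmarc)))
        print("  spoof:", report(domain))
```

The thing to take from the output is that `example.net` is not meaningfully better off than `example.com`: a softfail plus `p=none` produces nice reports and zero rejections. Only `example.org`, with `p=reject`, stops the spoofed CEO invite at the receiver. And none of the three records say anything about `rnicrosoft.com`, which is why the DNS policy and the message-level checks are both needed.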


Tags: Humor, Jokes, Phishing, Security, Email, InfoSec, Tech Humor


Ishan Karunaratne

Tech Architect · Software Engineer · AI/DevOps

Tech architect and software engineer with 20+ years building software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Currently Chief Technology Officer at a healthcare tech startup, which is where most of these field notes come from.
