What goes into a successful phishing attack? Study has the answers

Phishing is the primary choice for hackers looking to steal sensitive information or infect users’ systems with malware. But how is it that they’re so good at these attacks?

The short answer is they learn from experience. And so should you.

PhishMe, a security company that provides a means for organizations to phish their users for educational purposes, recently put out a report on what goes into a successful phishing campaign based on internal data.

Here’s what it found:

  • Time of day matters. Regardless of when a phishing email was sent, the most likely time to get a response was early mornings, before 8 a.m.
  • Business subject lines work. The research found if users were given a business communication subject line, they were more likely to respond. For instance, “File from scanner” was opened by 36% of users, and 34% opened “Unauthorized Activity/Access.”
  • Users do learn. While 35% of users fell for one phishing email, only 13% responded twice, 4% responded three times and 1% responded four times. No one responded more than four times.


Phishing your own users may seem like a rotten trick to pull, but it can be an effective way to get the point across. Many people see themselves as far too clever to be fooled by a fake email.

But hackers are clever too. They know which buttons to push emotionally to get users to respond or download malicious files.

Some users just won’t learn until they’re confronted with evidence that phishing attacks can and will happen to them. But if you’re going to use this method to make your point, here are some ways to do it responsibly and without upsetting users in the process.
