Email Like a Cyber Criminal: Are Phishing CTRs Better Than Marketing Pros?

According to a Wall Street Journal article on social engineering, phishing emails have a click through rate that is 10x greater than professional marketing emails.

The article references Ken Bagnall, Vice President at computer security company FireEye, Inc. as stating that cyber criminals may be more effective at their jobs than professional email marketers…!

What is Click Through Rate?

The click through rate, aka “CTR”, is the number of users who click on a link in a webpage, email, advertisement, etc. as a percentage of the total number of users who sees the webpage, email, advertisement, etc.

According to the Proofpoint Human Factor 2018 Report1, the most common type of phishing email is a Dropbox account-related phishing email…

However, the email with the highest CTR, is a spoofed “DocuSign” phishing email.

Click through rates and common phishing lures-min

Considering the potential rewards on the other end of a malicious, targeted email, a high click through rate is very important for cyber criminals.

And the chart below from Proofpoint seems to indicate that a fake DocuSign email is the way to go.

Relative Click Rates For Most-Clicked Lures

Indeed, the return on investment (ROI) associated with targeted spearphishing attacks is so high that perhaps it is no surprise that cyber criminals are excellent online marketers.

Their approach to developing a strategy of attack may resemble criminal profiling with in-depth analysis of a potential target, scouring online resources and databases for nuggets of useful information.

Emailing Like a Cyber Criminal

The following may be the process that cyber criminals, who are professional emailers, follow in their approach to getting you to click on a targeted phishing email.

1) Collect Profile Data

Cyber criminals collect and assess all the data they can on their target. They answer the question, “Who exactly is this person I am targeting…?”

2) Develop Target Profile

They then organize their profile data. This organization will result in a profile of their target that they can socially engineer. The more information about their target, his or her colleagues, day to day behaviors, family, interests, etc. the criminals can assemble, the better.

3) Develop a Process Model

And the more specific the information is the better… Once the profile data is assembled into a portrait of their target, the “cyber criminal marketer” then tries to determine what the target is interested in, how they behave, and why, and develop a logical behavioral flow chart that represents their target day after day.

4) Evaluate Results

The cost of sending a phishing email is essentially zero. Criminals can send hundreds of thousands of emails for almost nothing. If a particular email doesn’t work, its time to start A/B testing different phishing emails, reevaluate, and try again.

5) Try, Try Again

According to Symantec, the average employee receives 16 malicious phishing emails per month.

Multiply this by the number of employees you have… For instance assume hypothetically that you have 20 employees.

This means that each year your employees must perfectly identify and not click on 3,840 phishing emails.

Are your employees right 100% of the time?

Of course, you know the answer to this… And so do cyber criminals.


  1. Proofpoint Inc. (NASDAQ:PFPT) is a leading next-generation security and compliance company that provides cloud-based solutions to protect the way people work today. Proofpoint solutions enable organizations to protect their users from advanced attacks delivered via email, cloud, social media, and mobile apps, protect the information their users create from advanced attacks and compliance risks, and respond quickly when incidents occur.