Creating Effective Holiday Shopping Phishing Templates

Katalina Millan

As the holiday season approaches, cybercriminals ramp up their efforts to exploit shoppers’ excitement for deals and promotions. Crafting realistic phishing templates that mimic the offers from popular retailers is a crucial step in preparing security awareness training for employees and customers alike. In this post, we’ll walk through four new phishing templates designed for a general audience, each themed around a major holiday shopping event. For organizations looking to bolster their defenses, these examples illustrate how attackers might target users—and how vigilant everyone must be. 

To use these templates in Mimecast Engage or Mimecast Awareness Training, see instructions at the end of this post.

 1. Amazon Black Friday Special (Medium Sophistication) 

Black Friday is synonymous with steep discounts and flash sales, making it a favorite for both shoppers and phishers. Our Amazon-themed template leverages urgency and the promise of exclusive deals to entice clicks. 

amazon-black_friday-medium.txt

 2. eBay Cyber Monday Steals (Medium Sophistication) 

Cyber Monday offers another prime opportunity, especially as consumers scour the web for last-minute deals. The eBay template is designed with minimal sophistication—basic branding and straightforward messaging—to reflect the lower effort often seen in mass phishing campaigns. 

ebay-cyber_monday-medium.txt

 

3. Walmart Super Saturday Savings (Medium Sophistication) 

Super Saturday (the last Saturday before Christmas) sees a surge in last-minute shoppers. Walmart’s reputation for one-stop shopping makes it a prime target. Our template for this event employs a more polished design and carefully crafted copy to better mimic legitimate communications. 

walmart-super_saturday-med.txt

 4. Nike Boxing Day Blowout (Medium Sophistication) 

Boxing Day sales attract bargain hunters, and our Nike template is styled to capture the excitement of post-Christmas shopping. This low-complexity variant uses simple graphics and persuasive language, focusing on luring sportswear enthusiasts. 

nike-boxing_day-medium.txt

Key Takeaways 

• Seasonal awareness is critical: Phishing campaigns spike during major shopping events, leveraging urgency and excitement. 
• Template sophistication varies: Attackers may use both basic and advanced tactics, so users should be cautious regardless of the message quality. 
• Training matters: Use realistic templates in security awareness programs to educate users about the latest phishing strategies. 

By examining these templates, security teams can better anticipate the types of lures their users might encounter and prepare accordingly. Always verify the sender, avoid clicking on suspicious links, and report any dubious emails to your IT department. Stay safe this holiday season! 

Instructions for creating a phishing campaign

Download your HTML template

1. From the blog post above, download the .txt file associated with the template you'd like to use.

Import your HTML template

1. Navigate to Phishing Training
   • In the Engage platform, go to the Phishing Training section.
2. Open the Template Library
   • Click on the Template Library menu item.
3. Customize an Existing Template
   • Find any template in the library and click the Customize button.
   • This will open the template in the WYSIWYG editor.
4. Access the Source Code Editor
   • In the WYSIWYG editor toolbar, locate and click the View Source Code button ( represented by </> ).
   • An editable pop-up modal will appear, displaying the current HTML source code.
5. Replace with Your HTML
   • Open your .txt file containing the HTML source code.
   • Copy all the HTML from your file.
   • In the Engage source code modal, select all existing code and paste your HTML in its place.
   • Click Save.
6. Preview Your Template
   • You should now see your custom email template rendered in the right-hand preview pane.

Optimize and Save Your Template

• Give your template a unique name for easy identification.
• Update the Subject Line to match your campaign’s theme.
• Set the Difficulty Level and select a Phishing Category that best fits your template.
• Add a Display Name and any relevant tags to help with organization and reporting.

Launch a Phishing Campaign Using Your Template

1. Go to Campaigns
   • Under the Phishing Training menu, select Campaigns.
2. Add a New Campaign
   • Click Add Campaign.
3. Configure Your Campaign
   • Fill in the campaign details as you normally would.
   • When prompted to select a template, choose your newly created template by its unique name from the Templates dropdown.
4. Complete and Launch
   • Review your settings and launch the campaign.

Pro Tips

• Double-check your HTML for broken links or missing images before saving.
• Use descriptive tags and a clear display name for easier tracking and reporting.
• Make sure to test your template by sending a preview to yourself or a test group before launching to all users.

Toby Metcalf