Design effective phishing templates that test user awareness while maintaining ethical standards.
Creating effective phishing templates requires balancing realism with ethics. Your templates should test user awareness without causing unnecessary stress or violating trust. This guide covers design principles, technical best practices, and compliance considerations for building professional phishing simulation templates.
Effective templates mirror real phishing threats while remaining within ethical bounds. Focus on scenarios relevant to your organization and industry.
| Scenario | Description | Difficulty |
|---|---|---|
| Password Reset | Fake password expiration or reset request | Easy |
| IT Security Alert | Suspicious activity or security update | Easy |
| HR Benefits Update | Benefits enrollment or policy change | Moderate |
| Package Delivery | Failed delivery notification from courier | Moderate |
| Executive Request | Urgent request from CEO/CFO (whaling) | Hard |
| Vendor Invoice | Payment request from known vendor | Hard |
Email clients have limited HTML/CSS support. Follow these technical guidelines for maximum compatibility.
```html
<!-- Good: Inline styles and table-based layout -->
<table width="600" cellpadding="0" cellspacing="0" style="margin: 0 auto; font-family: Arial, sans-serif;">
  <tr>
    <td style="background: #0078d4; padding: 20px; color: white;">
      <h1 style="margin: 0; font-size: 24px;">Security Alert</h1>
    </td>
  </tr>
  <tr>
    <td style="padding: 20px; background: #ffffff;">
      <p style="margin: 0 0 15px 0; color: #333; line-height: 1.6;">
        Dear {{.FirstName}},
      </p>
      <p style="margin: 0 0 15px 0; color: #333; line-height: 1.6;">
        We detected unusual login activity on your account.
      </p>
      <!-- Call to action button -->
      <table cellpadding="0" cellspacing="0">
        <tr>
          <td style="background: #0078d4; padding: 12px 24px; border-radius: 4px;">
            <a href="{{.URL}}" style="color: #ffffff; text-decoration: none; display: block;">
              Verify Account
            </a>
          </td>
        </tr>
      </table>
    </td>
  </tr>
</table>
```

```html
<!-- Bad: External CSS and div-based layout -->
<link rel="stylesheet" href="styles.css"> <!-- Will be stripped -->
<div class="container"> <!-- Poor email client support -->
  <script>alert('hello');</script> <!-- Blocked by email clients -->
</div>
```
Use GoPhish template variables to personalize emails and increase realism. Personalized emails have significantly higher open and click rates.
```html
<!-- Effective personalization example -->
<p>Hi {{.FirstName}},</p>
<p>This is a reminder that your quarterly performance review is scheduled
for next week. As {{.Position}}, you'll meet with your manager to discuss
goals and development opportunities.</p>
<p>Please verify your contact information at {{.Email}} is current before
the meeting.</p>
<p><a href="{{.URL}}">Update Contact Information</a></p>

<!-- Advanced: Conditional content -->
{{if .Position}}
<p>As a {{.Position}}, you're eligible for leadership training.</p>
{{end}}
```
| Variable | Use Case |
|---|---|
| `{{.FirstName}}` | Personal greeting |
| `{{.LastName}}` | Formal communication |
| `{{.Email}}` | Account verification scenarios |
| `{{.Position}}` | Role-specific targeting |
| `{{.URL}}` | Tracking link to landing page |
| `{{.From}}` | Sender's email address |
| `{{.RId}}` | Unique recipient ID for tracking |
Well-designed templates can still end up in spam folders. Follow these guidelines to improve deliverability.
```text
# Spam Trigger Words to Avoid
❌ FREE!!! ACT NOW!!!
❌ URGENT: Your account will be closed
❌ Click here immediately or lose access
❌ 100% FREE NO COST WINNER
❌ $$$ MAKE MONEY FAST $$$

# Better Alternatives
✓ Your password will expire soon
✓ Action required: Update your information
✓ Security notice: Unusual activity detected
✓ Reminder: Complete your profile
✓ Quarterly review: Action needed
```
Phishing simulations must comply with legal requirements and ethical guidelines. Never cross these boundaries.
Here's a complete, production-ready template for a password reset phishing simulation:
```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <title>Password Reset Required</title>
</head>
<body style="margin: 0; padding: 0; background: #f4f4f4;">
  <table width="100%" cellpadding="0" cellspacing="0" style="background: #f4f4f4;">
    <tr>
      <td align="center" style="padding: 40px 0;">
        <table width="600" cellpadding="0" cellspacing="0" style="background: #ffffff; border-radius: 8px; box-shadow: 0 2px 4px rgba(0,0,0,0.1);">
          <!-- Header -->
          <tr>
            <td style="background: #0078d4; padding: 30px; text-align: center; border-radius: 8px 8px 0 0;">
              <h1 style="margin: 0; color: #ffffff; font-size: 24px; font-family: Arial, sans-serif;">
                IT Security Services
              </h1>
            </td>
          </tr>
          <!-- Content -->
          <tr>
            <td style="padding: 40px 30px;">
              <p style="margin: 0 0 20px 0; font-family: Arial, sans-serif; font-size: 16px; color: #333; line-height: 1.6;">
                Hello {{.FirstName}},
              </p>
              <p style="margin: 0 0 20px 0; font-family: Arial, sans-serif; font-size: 16px; color: #333; line-height: 1.6;">
                Your password will expire in 3 days. To maintain security compliance and
                prevent account lockout, please reset your password now.
              </p>
              <p style="margin: 0 0 30px 0; font-family: Arial, sans-serif; font-size: 16px; color: #333; line-height: 1.6;">
                Click the button below to create a new password for account: <strong>{{.Email}}</strong>
              </p>
              <!-- CTA Button -->
              <table cellpadding="0" cellspacing="0">
                <tr>
                  <td align="center" style="background: #0078d4; padding: 14px 30px; border-radius: 4px;">
                    <a href="{{.URL}}" style="color: #ffffff; text-decoration: none; font-family: Arial, sans-serif; font-size: 16px; font-weight: bold; display: block;">
                      Reset Password Now
                    </a>
                  </td>
                </tr>
              </table>
              <p style="margin: 30px 0 0 0; font-family: Arial, sans-serif; font-size: 14px; color: #666; line-height: 1.6;">
                If you did not request this password reset, please contact the IT Help Desk immediately.
              </p>
            </td>
          </tr>
          <!-- Footer -->
          <tr>
            <td style="background: #f8f8f8; padding: 20px 30px; border-radius: 0 0 8px 8px;">
              <p style="margin: 0; font-family: Arial, sans-serif; font-size: 12px; color: #999; text-align: center;">
                IT Security Services | Internal Use Only<br>
                For assistance, contact helpdesk@company.com
              </p>
            </td>
          </tr>
        </table>
      </td>
    </tr>
  </table>
</body>
</html>
```
This advanced template simulates a whaling attack - a targeted phishing attempt impersonating executives:
```text
Subject: Quick favor - need this today
{{.FirstName}},
I'm in back-to-back meetings all day but need your help with something urgent.
Can you purchase 5x $100 gift cards from Amazon and send me the codes?
I need them for a client appreciation event this afternoon.
I'll reimburse you as soon as I'm back at my desk tomorrow.
Please reply with the codes ASAP - running late for next meeting!
Thanks,
Sarah Johnson
Chief Executive Officer
Sent from my iPhone
```
Note: This template is intentionally simple and text-only, which is common in real executive email compromise attacks. The lack of formatting makes it appear legitimate and urgent.
Always test templates before launching campaigns to ensure proper rendering and functionality.
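One way to automate part of that pre-launch test, as an added example in Go (not code from the original page or from GoPhish): it assumes the placeholders follow Go's `text/template` syntax, and the `Recipient` struct, the `CheckTemplate` function and the sample values are hypothetical. It renders a template for a constructed recipient and reports misspelled variables, tags that email clients strip or block, and a missing tracking link.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Recipient mirrors the variables in the table above. The struct is an
// assumption made for this check, not GoPhish's own type.
type Recipient struct {
	FirstName, LastName, Email, Position, URL, From, RId string
}

// CheckTemplate renders body for a constructed recipient and returns every
// problem found; an empty result means the template passed.
func CheckTemplate(body string) []string {
	var problems []string
	lower := strings.ToLower(body)
	for _, tag := range []string{"<script", "<link"} {
		if strings.Contains(lower, tag) {
			problems = append(problems, "tag stripped or blocked by email clients: "+tag)
		}
	}
	tmpl, err := template.New("email").Parse(body)
	if err != nil {
		return append(problems, "parse error: "+err.Error())
	}
	// Constructed sample values; the example.com addresses are placeholders.
	sample := Recipient{"Alex", "Doe", "alex.doe@example.com", "Analyst",
		"https://sim.example.com/?rid=abc123", "it@example.com", "abc123"}
	var out bytes.Buffer
	// Executing against a struct fails on any variable the struct lacks.
	if err := tmpl.Execute(&out, sample); err != nil {
		return append(problems, "render error: "+err.Error())
	}
	if !strings.Contains(out.String(), sample.URL) {
		problems = append(problems, "no {{.URL}} link: clicks cannot be tracked")
	}
	return problems
}

func main() {
	good := `<p>Hi {{.FirstName}},</p><a href="{{.URL}}">Verify Account</a>`
	bad := `<link rel="stylesheet" href="styles.css"><p>Hi {{.FirstNme}},</p>`
	fmt.Println("good:", CheckTemplate(good))
	fmt.Println("bad: ", CheckTemplate(bad))
}
```

Rendering in real mail clients still needs a manual send to a test inbox; this check only catches template-level mistakes.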
Build a library of templates at varying difficulty levels for progressive training programs.
| Level | Templates | When to Use |
|---|---|---|
| Beginner | Generic password reset, Security alert | First campaign, baseline assessment |
| Intermediate | HR benefits, IT updates, Package delivery | Q2-Q3 campaigns |
| Advanced | Executive requests, Vendor invoices, Spear phishing | Q4 and targeted training |