---
title: "Five Phishing Tactics Sure to Trick You Into Clicking | Phish Protection"
description: "Five Phishing Tactics Sure to Trick You Into Clicking: By now, most people know that 91% of cyberattacks start with a phishing email. In recognition of this."
image: "https://phishprotection.com/og/blog/five-phishing-tactics-sure-to-trick-you-into-clicking.png"
canonical: "https://phishprotection.com/blog/five-phishing-tactics-sure-to-trick-you-into-clicking/"
---

Quick Answer

By now, most people know that\[ 91% of cyberattacks start with a phishing email\](https://www.darkreading.com/endpoint/91--of-cyberattacks-start-with-a-phishing-email/d/d-id/1327704). In recognition of this, companies are now beginning to offer \*\*security awareness training\*\*. According to an article on the website\[ Dark Reading\](https://www.darkreading.com/risk/55--of-companies-dont-offer-mandatory-security-awareness-training/d/d-id/1333422), "45% of organizations provide employees mandatory, formal cybersecurity training; another 10% give optional training."

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fphishprotection.com%2Fblog%2Ffive-phishing-tactics-sure-to-trick-you-into-clicking%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Five%20Phishing%20Tactics%20Sure%20to%20Trick%20You%20Into%20Clicking&url=https%3A%2F%2Fphishprotection.com%2Fblog%2Ffive-phishing-tactics-sure-to-trick-you-into-clicking%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fphishprotection.com%2Fblog%2Ffive-phishing-tactics-sure-to-trick-you-into-clicking%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fphishprotection.com%2Fblog%2Ffive-phishing-tactics-sure-to-trick-you-into-clicking%2F&title=Five%20Phishing%20Tactics%20Sure%20to%20Trick%20You%20Into%20Clicking "Share on Reddit") [ ](mailto:?subject=Five%20Phishing%20Tactics%20Sure%20to%20Trick%20You%20Into%20Clicking&body=Check out this article: https%3A%2F%2Fphishprotection.com%2Fblog%2Ffive-phishing-tactics-sure-to-trick-you-into-clicking%2F "Share via Email") 

![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2019/07/ceo-fraud-6432.jpg) 

By now, most people know that[ 91% of cyberattacks start with a phishing email](https://www.darkreading.com/endpoint/91--of-cyberattacks-start-with-a-phishing-email/d/d-id/1327704). In recognition of this, companies are now beginning to offer **security awareness training**. According to an article on the website[ Dark Reading](https://www.darkreading.com/risk/55--of-companies-dont-offer-mandatory-security-awareness-training/d/d-id/1333422), “45% of organizations provide employees mandatory, formal cybersecurity training; another 10% give optional training.”

The objective is simple: _teach employees not to click on the links in suspicious emails._ Given the sophisticated nature of some phishing exploits today, that’s easier said than done. With that in mind, we present five phishing tactics being used today that are sure to trick you into clicking, no matter how much awareness training you’ve received.

### Conversation Hijacking

Imagine you’re partaking in a back-and-forth email thread with someone you trust. Would you think twice about clicking on a link in one of their emails? Probably not. And that’s what makes _conversation hijacking_ so effective.

According to[ ZDNet](https://www.zdnet.com/article/this-phishing-trick-steals-your-email-and-then-fools-your-friends-into-downloading-malware/), conversation hijacking occurs when “_hackers infiltrate intimate email threads between people, and use highly-customized **phishing techniques** to make it look as if the victim is the one sending messages back and forth._”

The easiest way to get you to click on a link in an email is to include that link in an email from someone you already trust. In other words, what starts out as a safe email between trusted parties suddenly turns dangerous.

All the **phishing awareness training** in the world will not protect you from this kind of attack. If someone you trust sends you a link in a back-and-forth email thread, you’re going to click on it.

![Ceo fraud](https://media.mailhop.org/phishprotection/images/2019/07/ceo-fraud-6432.jpg) 

### Deceptive Links

One of the first things they teach you in security awareness training is to _always hover your mouse over a link in an email and check to see where it links to_. This is sound advice. Unfortunately, it’s also something hackers can use to get you to click on a _deceptive link_.

A deceptive link is just a link that looks like a legitimate link at quick glance. Most people are in a hurry and so only look at the first part of the link and if it looks good, they assume it’s good.

Here is the URL displayed on a mouse over a link in a Stanford University email (from[ an article found on their website](https://uit.stanford.edu/emailcalendar/phishing)):

axess.stanford.edu.nr-9138.ul.forour.info/l/index.php

Does it look legitimate to you? The link is supposed to direct the user to Stanford’s Axess system. And if all you do is look at the first part of the URL, you’ll be deceived into thinking it’s the real thing and you’re going to click on it.

### Invisible Links

If you think it’s hard to avoid clicking on a deceptive link, try avoiding an _invisible link_.

One of the newest phishing techniques is a type of[ clickjacking](https://www.owasp.org/index.php/Clickjacking), targeted at mobile devices, which incorporates an invisible link (using the opacity setting in CSS). The link is instead replaced by a “bothersome” graphic element that’s made to look like a small hair or a speck of dust. This tricks the user into wiping the hair or dust off the screen, which activates the link and launches a connection back to a rogue website. Or worse, releases some form of malware.

These “rouge wiping elements” are a form of **social engineering** which is almost impossible to prevent with education alone. Afterall, it’s human nature to want a touchscreen free of debris. _The scary thing about invisible links is that you’ll click on them and not even know it._

### Password Reset Email

Of all the simulated phishing templates used in awareness training, the most effective is the one that looks like it comes from your IT department and requests that you reset a password. That according to Wombat’s[ State of the Phish Report](https://www.wombatsecurity.com/state-of-the-phish).

Wombat Security Technologies conducts tens of millions of simulated phishing attacks sent through their Security Education Platform each year. And what they found in their most recent report is that _phishing templates that masqueraded as a password reset alert had a near 100% click rate_.

When you get an email asking you to reset your password are you going to click on it? Probably.

### Links in PDFs

PDFs have become ubiquitous in business as a way of sending documents over the web and unfortunately, hackers know that. According to[ SonicWall Capture Labs](https://www.helpnetsecurity.com/2019/04/23/fraudulent-pdf-files-increase/), “there has been a substantial increase in fraudulent PDF files. \[The\] fraud campaign takes advantage of recipients’ trust in PDF files as a ‘safe’ file format.”

What makes it so hard to defend is that in most cases, the PDF itself is harmless. It does not contain an executable file or active malware within the document. So, _antivirus software meant to screen attached documents will see the PDF as safe_. And once it gets past the antivirus, you inherently trust the PDF, and that makes it more likely that you’ll click on a link inside without giving it another thought.

![Ceo fraud](https://media.mailhop.org/phishprotection/images/2019/07/ceo-fraud-6433.jpg) 

#### Summary

Awareness training is good, but hackers are better. They create classes of exploits so refined that they get most of us to click on malicious links. And unfortunately, hackers keep evolving their techniques, so we’re likely to see more of these in the future.

If you haven’t already figured it out, sooner or later you’re going to get phished and all the awareness training in the world won’t change that. You’re going to need some help. You’re going to need technology that doesn’t get fooled as easily as you do. You’re going to need an [anti-phishing solution](/content/anti-phishing-solution/). You’re going to need Phish Protection.

Phish Protection is a cloud-based [email security solution](/) that protects you from these five phishing techniques and more. With real-time link click protection, spoofing protection and malicious attachment blocking, it relieves you of the responsibility of having to figure out which links you can safely click.

Try [Phish Protection](/) free for 30 days. No contracts to sign. No credit card required. You’ll be up and running in 10 minutes.

## Topics

[ Phishing ](/tags/phishing/) 

![Brad Slavin](https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Protect your inbox from phishing attacks

Real-time email security with 60-day free trial. No credit card required.

[Start Free Trial](https://portal.duocircle.com/cart.php?a=add&pid=101&brand=phishprotection) [View Pricing](/pricing/) 

## Related Articles

[  Foundational 5m  0ktapus, Okta Breach Helps Attackers Launch Sophisticated Supply Chain Attacks  Sep 5, 2022 ](/blog/0ktapus-okta-breach-helps-attackers-launch-sophisticated-supply-chain-attacks/)[  Foundational 4m  13 Spear Phishing Attacks Examples To Justify Investment For Phishing Prevention Solutions In Your Organization  Aug 1, 2019 ](/blog/13-spear-phishing-attacks-examples-to-justify-investment-for-phishing-prevention-solutions-in-your-organization/)[  Foundational 4m  All 14 centers of Kettering Health were affected by a massive ransomware attack, Major outage in the Ohio medical center  May 23, 2025 ](/blog/14-centers-of-kettering-health-were-affected-by-massive-ransomware-attack-in-ohio-medical-center/)[  Foundational 4m  2021 Phishing Trends You Need To Be Wary Of  Aug 2, 2021 ](/blog/2021-phishing-trends-to-be-wary-of/)

```json
{"@context":"https://schema.org","@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://github.com/duocircle"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://phishprotection.com/contact/"},"knowsAbout":["Phishing Protection","Email Security","Anti-Phishing","Business Email Compromise","Ransomware Protection","Time of Click Protection","Office 365 Email Security","Advanced Threat Defense"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"Phish Protection","url":"https://phishprotection.com","description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","publisher":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"Five Phishing Tactics Sure to Trick You Into Clicking","description":"Five Phishing Tactics Sure to Trick You Into Clicking: By now, most people know that 91% of cyberattacks start with a phishing email. In recognition of this.","url":"https://phishprotection.com/blog/five-phishing-tactics-sure-to-trick-you-into-clicking/","datePublished":"2019-07-03T10:48:32.000Z","dateModified":"2026-04-17T15:43:10.000Z","dateCreated":"2019-07-03T10:48:32.000Z","author":{"@type":"Person","@id":"https://phishprotection.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://phishprotection.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://github.com/duocircle"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://phishprotection.com/contact/"},"knowsAbout":["Phishing Protection","Email Security","Anti-Phishing","Business Email Compromise","Ransomware Protection","Time of Click Protection","Office 365 Email Security","Advanced Threat Defense"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://phishprotection.com/blog/five-phishing-tactics-sure-to-trick-you-into-clicking/"},"articleSection":"foundational","keywords":"Phishing","wordCount":1001,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/phishprotection/images/2019/07/ceo-fraud-6432.jpg","caption":"Phish Protection blog post image","width":1200,"height":630},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://phishprotection.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://phishprotection.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://phishprotection.com/foundational/"},{"@type":"ListItem","position":4,"name":"Five Phishing Tactics Sure to Trick You Into Clicking","item":"https://phishprotection.com/blog/five-phishing-tactics-sure-to-trick-you-into-clicking/"}]}
```