Phishing with actual bait

If you received an email like the one below, would you try out the voucher code and see if it works? I sure as heck would; there is literally zero risk from doing so. Assuming the voucher code works and your account is credited with $5 immediately, how far would you be willing to go to get an additional $10? I believe many people would not even think twice about clicking on a link, disabling AV, enabling macros, double-clicking on .exe files, or even lying to IT support...

[Image: example email with a voucher code]

In the grand scheme of things, a determined adversary would have no qualms about spending a few hundred to gain a foothold in your organization. Checking which voucher codes are used can also help the attacker determine how many targets have opened the email but chosen not to proceed with the document. Preventing attackers from gaining entry works only to a certain extent; early detection of compromise is equally important.