What are the baits that make people click on a link or attachment in a social engineering email? I've looked at some common examples and tried to categorize them. Maybe this list will trigger some ideas next time you're writing social engineering emails.

Habits: Think of this as exploiting the brain's auto-pilot - a standard-looking email triggers the standard response of opening the attachment or clicking on the link:

LinkedIn connection requests

GoToMeeting invitations

Daily reports from a CRM/ERP system

Nosiness: If you're sending something private or confidential to a nosy person (most people), they'll surely open it:

Office scandals

Someone's private files

Email supposedly meant for someone else

Information: Mask your email as information that is important or valuable:

New expense policies

New time-off regulations

Updated 401k matching policy

Authority: Some people just like to follow orders - they feel compelled to comply. Send emails from a person of authority, asking the recipient to complete an action:

CEO asking you to fill in a questionnaire

Police asking you to identify the person in an attached picture

Court order

Greed: Tell people how they can make more money without effort, as many Nigerian 419 scams do:

Inheritance

Insider trading

Contract fraud

If you have experience with social engineering emails, which campaigns have been successful for you? What other categories have you identified? I'd love to hear about them in the comments.

If you are a social engineer, or need to run a phishing campaign to test user security awareness in an assessment, check out the social engineering campaigns in Metasploit Pro. Download your free Metasploit Pro trial today.