In your message, try to reference a familiar business activity. Also, provide the target victim with a clear instruction, while weaving in a sense of urgency. And there you have it: the ingredients for a convincing phishing attempt.
A US threat detection specialist has just published a roundup of the most commonly used keywords in phishing email subject lines. The research highlights just how easy it is for busy workers to swallow the scammer’s bait…
The elements of a convincing phishing message
The purpose of any phishing attack is to trick the victim into doing what the scammer wants. This usually means either clicking a link that launches a malicious script, or revealing sensitive information.
Any cyber pro worth their salt should be able to spot a phishing email. And if you work for a cyber team within an organization, part of your job will involve making sure other employees know how to spot a suspicious message.
So in theory, employees will stick to the company’s strict protocols for things like payment authorization and information disclosure. They’ll cross-check the sender’s domain. They’ll look at things like formatting, spelling and grammar. They’ll also be very wary of unusual links and forms.
In real life, things are different. Those employees might have a hundred messages to get through before lunch, so they’re not going to forensically examine each one. Hackers know this. They also know that if they focus on certain elements in their scam attempt, it increases the chances of the message slipping through the net.
These elements are as follows:
Imitate a legitimate business activity. This includes things like bill payments, contract renewals and transaction queries.
Create a sense of urgency. Give the suggestion that things will go wrong if the matter is not dealt with.
Call to action. Present a simple step that appears to mean one less item on the target’s to-do list, so that following the instruction in the message looks like an easy win.
The top phishing trigger words
Expel, a US threat detection company, analyzed 10,000 malicious emails investigated by the company’s security operations center in July 2021. The aim was to isolate the keywords that phishing scammers use most frequently in their email subject lines.
Here are some of the most common subject lines from that sample:
- RE: INVOICE
- Missing Inv [Number]; From [Business Name]
- New Message from [Name]
- New Scanned Fax Doc-Delivery for [Name]
- New FaxTransmission from [Name]
- Message from [Name]
- You have a New Message
- Telephone Message for [Name]
- Verification Required
- Action REquired: Expiration Notice on [business email address]
- Action Required: Password Expiry
- Attemtion REquired. Support ID: [Number]
- You have a Google Drive File Shared
- [Name] sent your some files
- File [Number]
- [Business Name] Sales Project Files and Request for Quote
- [Business Name] SALES PROJECT FILES AND REQUEST FOR QUOTE
- [Business Name] – W-9 Form Request
- Your Service Request [Number]
- Request Notification [Number]
- Action Required: Expiration Notice on [business email address]
- Action Required [Date]
- [Action Required] Password Expire
- File Document [Number]
- [Name], You have received a new document in [Company System]
- Attn: [Name] – You have an important [Business Name] designated document
- Document for [business email address]
- View Attached Documents
- [Name] shared a document with you
- Verification Required!
- eFax from ID [Number]
- eFax message from [phone number] – 2 page(s), Caller-ID: +[phone number]
- VM from [phone number] to Ext [Number] on [Date]
- VM from [Numer] Received – for [user name] [Date]
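The three elements above and the listed subject-line templates translate directly into triage heuristics. As an added example (not code from Expel or from this article), the following Python tags each subject line with the lure elements it shows so a mail gateway or SOC script can surface candidates for analyst review; the keyword sets, the `in_thread` flag and the sample subjects are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Heuristic categories built from the article's three lure elements and the
# subject-line templates above. Keyword sets are constructed for this example.
BUSINESS_ACTIVITY = re.compile(
    r"\b(invoice|inv|w-?9|quote|e?fax|vm|voicemail|service request|documents?|files?)\b", re.I)
URGENCY = re.compile(
    r"\b(action required|verification required|expir(?:e|y|ation|ed)|attn|attention|urgent)\b", re.I)
CALL_TO_ACTION = re.compile(r"\b(view|open|review|confirm|verify|download)\b", re.I)
CREDENTIAL_LURE = re.compile(r"\b(password|account|login|support id)\b", re.I)
FAKE_THREAD = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)
# Words like "REquired" (two or more capitals followed by lower case) recur in
# the sampled subject lines; ordinary prose rarely produces them.
ODD_CASING = re.compile(r"\b[A-Z]{2,}[a-z]+\b")

@dataclass
class Finding:
    subject: str
    hits: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.hits)

def score_subject(subject: str, in_thread: bool = False) -> Finding:
    """Tag a subject line with the lure elements it exhibits.
    in_thread: True when the mail carries In-Reply-To/References headers,
    i.e. a "RE:" prefix belongs to a real thread rather than a fabricated one."""
    f = Finding(subject)
    for name, rx in (("business_activity", BUSINESS_ACTIVITY), ("urgency", URGENCY),
                     ("call_to_action", CALL_TO_ACTION), ("credential_lure", CREDENTIAL_LURE)):
        if rx.search(subject):
            f.hits.append(name)
    if FAKE_THREAD.match(subject) and not in_thread:
        f.hits.append("fake_thread")
    if ODD_CASING.search(subject):
        f.hits.append("odd_casing")
    return f

def triage(messages, threshold: int = 2):
    """Return findings at or above threshold, highest score first, for review."""
    found = [score_subject(s, t) for s, t in messages]
    return sorted((f for f in found if f.score >= threshold), key=lambda f: -f.score)

# Constructed sample: (subject line, message has thread headers)
SAMPLE = [
    ("RE: INVOICE", False),
    ("Action Required: Password Expiry", False),
    ("Attemtion REquired. Support ID: 48213", False),
    ("Re: your quote for the March order", True),
    ("Team lunch on Friday", False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.score, f.subject, f.hits)
```

Scores feed a review queue rather than a block decision, since a genuine invoice reminder will legitimately hit two categories.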
Social engineering/phishing penetration testing
Pen testers are often tasked with designing a simulated phishing campaign. The idea is to test how susceptible employees are to attacks, giving the organization an overview of how vulnerable it is. Afterwards, the results can be used to flag the areas that need work, and as an educational aid to teach employees how to recognize attacks. This type of pen testing can also provide useful information for tuning your spam filters and other perimeter defenses.
The key to a successful pen test phishing campaign is to make it look convincing. Focus on the activities employees are involved in day-to-day (e.g. if the company doesn’t usually deal with eFax or voicemails, avoid them in your content). Consider inserting references to real-life people and companies they do business with. For the email subject lines, the above list of examples should hopefully give you some inspiration.
For an exploration of how hackers perform phishing scams and why they are often so effective, check out our explainer video. Want to learn more about ethical social engineering? Check out this course.