In your message, try to reference a familiar business activity. Also, provide the target victim with a clear instruction, while weaving in a sense of urgency. And there you have it: the ingredients for a convincing phishing attempt.
A US threat detection specialist has just published a roundup of the most commonly used keywords in phishing email subject lines. The research highlights just how easy it is for busy workers to swallow the scammer’s bait…
The elements of a convincing phishing message
The purpose of any phishing attack is to trick the victim into doing what the scammer wants. This usually means either getting them to click a link that launches a malicious script, or getting them to reveal sensitive information.
Any cyber pro worth their salt should be able to spot a phishing email. And if you work for a cyber team within an organization, part of your job will involve making sure other employees know how to spot a suspicious message.
So in theory, employees will stick to the company’s strict protocols for things like payment authorization and information disclosure. They’ll cross-check the sender’s domain. They’ll look at things like formatting, spelling and grammar. They’ll also be very wary of unusual links and forms.
In real life, things are different. Those employees might have a hundred messages to get through before lunch, so they’re not going to forensically examine each one. Hackers know this. They also know that if they focus on certain elements in their scam attempt, it increases the chances of the message slipping through the net.
These elements are as follows:
Imitate a legitimate business activity. This includes things like bill payments, contract renewals and transaction queries.
Create a sense of urgency. Give the suggestion that things will go wrong if the matter is not dealt with.
Call to action. Imply that completing this simple step means one less item on the target’s to-do list. The victim believes that following the instruction in the message will be an easy win.
The top phishing trigger words
Expel, a US threat detection company, analyzed 10,000 malicious emails investigated by the company’s security operations center in July 2021. The aim was to isolate the keywords that phishing scammers use most frequently in their email subject lines.
Here are some of the most popular trigger words:
Invoice
Examples:
- RE: INVOICE
- Missing Inv [Number]; From [Business Name]
- INV[Number]
New
Examples:
- New Message from [Name]
- New Scanned Fax Doc-Delivery for [Name]
- New FaxTransmission from [Name]
Message
Examples:
- Message from [Name]
- You have a New Message
- Telephone Message for [Name]
Required
Examples:
- Verification Required
- Action REquired: Expiration Notice on [business email address]
- Action Required: Password Expiry
- Attemtion REquired. Support ID: [Number]
File
Examples:
- You have a Google Drive File Shared
- [Name] sent your some files
- File [Number]
- [Business Name] Sales Project Files and Request for Quote
Request
Examples:
- [Business Name] SALES PROJECT FILES AND REQUEST FOR QUOTE
- [Business Name] - W-9 Form Request
- Your Service Request [Number]
- Request Notification [Number]
Action
Examples:
- Action Required: Expiration Notice on [business email address]
- Action Required [Date]
- [Action Required] Password Expire
Document
Examples:
- File Document [Number]
- [Name], You have received a new document in [Company System]
- Attn: [Name] - You have an important [Business Name] designated document
- Document for [business email address]
- View Attached Documents
- [Name] shared a document with you
Verification
Examples:
- Verification Required!
eFax
Examples:
- eFax from ID [Number]
- eFax message from [phone number] - 2 page(s), Caller-ID: +[phone number]
VM
Examples:
- VM from [phone number] to Ext [Number] on [Date]
- VM from [Number] Received - for [user name] [Date]
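As an added example (not part of the original post or of Expel’s research), here is a small Python triage scorer that flags subject lines carrying the trigger words listed above, plus a tally that reproduces the kind of keyword count Expel ran across its sample. The urgency phrases, the reply-prefix check and the sample subjects are this example’s own assumptions.

```python
import re
from collections import Counter

# Trigger words taken from the Expel subject-line roundup quoted above.
TRIGGER_WORDS = frozenset({
    "invoice", "inv", "new", "message", "required", "file", "files", "request",
    "action", "document", "documents", "verification", "efax", "vm",
})
# Urgency phrasing is this example's own assumption, not part of Expel's data.
URGENCY = re.compile(
    r"\b(action required|verification required|attention required|expir\w*|"
    r"immediately|asap|before (?:this )?(?:mon|tues|wednes|thurs|fri)day)\b", re.I)
# Reply/forward prefix used to imply an existing conversation (assumption).
FAKE_REPLY = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)

def tokens(subject):
    """Lower-cased alphanumeric tokens; brackets and punctuation are dropped."""
    return re.findall(r"[a-z0-9]+", subject.lower())

def score_subject(subject):
    """Heuristic triage score for one subject line (higher = more phishing-like).
    Noisy by design: 'new' and 'file' also appear in plenty of legitimate mail,
    so use the score for prioritisation or enrichment, never as a block rule."""
    hits = sorted({w for w in tokens(subject) if w in TRIGGER_WORDS})
    score, reasons = len(hits), [f"keyword:{w}" for w in hits]
    if URGENCY.search(subject):
        score += 2
        reasons.append("urgency")
    letters = [c for c in subject if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.6:
        score += 1
        reasons.append("all-caps")
    if FAKE_REPLY.match(subject):
        score += 1
        reasons.append("reply-prefix")
    return {"subject": subject, "score": score, "reasons": reasons}

def keyword_tally(subjects):
    """Count how many subject lines contain each trigger word, like Expel's analysis."""
    tally = Counter()
    for s in subjects:
        tally.update({w for w in tokens(s) if w in TRIGGER_WORDS})
    return tally

# Constructed sample subjects (not real mail): three modelled on the page's
# examples, two ordinary business subjects as controls.
SAMPLE_SUBJECTS = [
    "RE: INVOICE",
    "Action Required: Password Expiry",
    "eFax from ID 48213",
    "Lunch on Thursday?",
    "Q3 roadmap notes",
]

if __name__ == "__main__":
    for r in sorted(map(score_subject, SAMPLE_SUBJECTS), key=lambda r: -r["score"]):
        print(f"{r['score']:>2}  {r['subject']:<35} {', '.join(r['reasons'])}")
    print(keyword_tally(SAMPLE_SUBJECTS).most_common())
```

Feeding real subject lines from a mail gateway log into `keyword_tally` shows which of these words actually dominate in your own environment, which is the same question Expel asked of its 10,000 samples.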
Social engineering/phishing penetration testing
Pen testers are often tasked with designing a simulated phishing campaign. The idea is to test the susceptibility of employees to attacks. It gives the organization an overview of how vulnerable it is to threats. Afterwards, you can use the results to flag up the areas that need work, and as an educational aid to teach employees about ways to recognize attacks. This type of pen testing can also provide useful information for optimizing your spam filters and other perimeter defenses.
The key to a successful pen test phishing campaign is to make it look convincing. Focus on the activities employees are involved in day-to-day (e.g. if the company doesn’t usually deal with eFax or voicemails, avoid them in your content). Consider inserting references to real-life people and companies they do business with. For the email subject lines, the above list of examples should hopefully give you some inspiration.
More resources…
For an exploration of how hackers perform phishing scams and why they are often so effective, check out our explainer video. Want to learn more about ethical social engineering? Check out this course.
Thank You for sharing this amazing blog. I really appreciate you for this.
Thank you for the post. After reading it, I do see a lot of phishing emails in my inbox. I have to be more careful before opening them.
This is a must-share post, especially with my co-workers, as one of them recently fell for it. He refused to pay the hackers and he had to loose all his data.
It’s spelled “lose”
The number and sophistication and even non-sophistication of these attacks has exploded. I had to find a better spam solution for our company to protect everyone. Some of the bait is soooooo tempting.
“You are out of e-mail storage. Click here to increase your storage.”
“[Actual supervisor’s name from company] was discussing [Actual employee’s name] salary. Find out what was said.”
“[Actual employee’s name], please review and sign your performance appraisal before this Friday”
Even in cases where you know it is 99% likely a scam, some of this bait is just soooooo tempting. Relying on the human factor is tough. So whatever we could do to reduce the temptation was well worth it.
Being uneducated on this subject and giving in to the impulse of curiosity has left me a victim of the circumstances created by the BlackHat Hacker.
Nice blog and helpful information