Security teams are constantly trying to stay one step ahead of phishing email scammers. What pitches are they using? Who are they targeting? What strings are they pulling to get people to click on malicious links?
One way to gain that insight is to study the email messages that the scammers send. Gary Hayslip, CISO at cybersecurity and threat intelligence services firm Webroot, has been collecting phishing email samples for the last four years, starting when he was CISO for the city of San Diego. “I started noticing the spam I was getting was not the usual prince from Nigeria, please respond. Instead, some of these [scammers] have done some research on the accounts receivable department or on specific managers, and the emails were tailored towards them,” he says. “I thought it was interesting and started saving copies of them. You see some really weird stuff at times.”
Those emails became a valuable research tool, especially after Hayslip realized that other CISOs were also collecting them. Another CISO might send him a phishing email sent to their organization to compare notes. “I could show [the CISO], ‘yeah, we got something very similar about 18 months ago and it’s coming back again.’”
He adds that knowing changes to, say, the sender or how they create a sense of urgency allows him and his peers to better identify and block variations on that phishing campaign. Having that record on hand is also good training for his staff.
Hayslip also emphasizes the need for educating employees on phishing dangers. "I believe it’s important to reiterate that our employees need to be educated and security professionals themselves need to be educated on these threats. They are not going away, they are going to get better and continue to impact organizations."
That training is important, because Hayslip sees criminals becoming much more targeted with their phishing campaigns. “They are targeting specific groups where they know everybody in the group, or they are targeting specific people and the email is written towards them.” That relevancy to the recipient makes the phishing email a lot more destructive if successful, either in terms of damage to the network or size of the financial fraud—for example, getting an executive’s administrative assistant to approve a large fraudulent payment.
Below are eight of the phishing emails that Hayslip has collected. He weighs in on why they are or are not effective, and what gives each one away as a phishing scam.
Phishing email examples
1. Your account has been hacked
The person sending this phishing message found a group email that was publicly available on the Webroot website. Using that list to target the message was smart. Not so smart was the content of the message, with lines like “It’s useless to change the password, my malware intercepts it every time.”
“When you see postings like that, that’s someone who really doesn’t understand how malware works,” says Hayslip. Professional cyber criminals don’t talk that way. “There’s a way in which they talk, and they are very professional about their tools and the way they discuss things. I knew right away that this was crap.”
Hayslip thinks the sender of this email probably purchased a phishing tool online without understanding how it worked. The boasting was just an attempt to scare the recipient into taking the action requested.
2. Charity donation for you
“That was a fun one! I’ve seen several versions of this. ‘We’re giving it away! Just contact us and we’ll make sure you’re on the list,’” says Hayslip. This is a common template where the sender might change names. The link, of course, sends the victim to a malware site.
Here, the scammer is counting on the greed (and gullibility) of the recipient. “Social engineering attacks are so prevalent, and they work, because of human nature, whether it’s curiosity, it’s greed or it’s fear.” says Hayslip. “They only need one employee to do something.”
3. You added a new email address to your PayPal account
This is a common seasonal phishing campaign that tends to pop up from November to January, when people are shopping for the holidays. It also appears in March and April during tax season.
“The reason [this campaign works] is that people are doing online shopping, and if they’re not thinking correctly, they think, ‘That’s right, I was shopping for my wife on Amazon last night and that one vendor wanted me to use PayPal. I want to check that,’” says Hayslip.
If they took the time to look at the email, though, the signs that it is not actually from PayPal are obvious. The sender address is clearly not a PayPal domain, and the language and tone of the message are also a big giveaway. “That ‘Let us know straight away’ thing, I’ve got real alerts from PayPal, and they are not in this format. They are more formal, and they will not have links, but phone numbers to contact them,” says Hayslip.
4. Reset your password for your ADP service
This was a successful phishing campaign, since several employees clicked on the link to reset their password. The attacker apparently knew that the company used ADP, and which group within the organization might have ADP account logins. In one case, the HR department got an email that the victim’s bank account information had changed.
The attacker was counting on the victim not thinking right away that ADP does not contact account holders this way, says Hayslip. That approach was effective enough that the company had to identify all recipients of the email to delete it and its malicious link from their mailboxes. “For the four or five people [who clicked on the link], we had to jump on it quickly to shut everything down and make sure everybody changed their passwords.”
This type of attack would have been less successful if all the employees were aware that ADP would not contact them directly for them to take this type of action. ADP would first contact HR, which would then notify the employees.
5. FBI Anti-Terrorist and Monetary Crimes Division
You might classify this approach as “let’s throw a bunch of stuff against the wall in one email and see what sticks.” The result, though, is something so obviously wrong that nearly anyone would spot it as phishing immediately. “The guy who sent this over to me was laughing about it,” says Hayslip.
“I’m on the board for InfraGard, so I deal with the FBI on almost a daily basis,” says Hayslip. “When I saw this, my BS light went on immediately.” For starters, the FBI would not have anything to do with the UK National Lottery. The letter gives the fund total in US dollars. The sender address is clearly bogus, and the Attn. Email Owner salutation doesn’t make sense given the nature of the message.
An official FBI email would also be formatted differently. “There are specific ways [the FBI does] its signature block. They have a warning at the end of each email about the protection of classified data,” says Hayslip.
This is an attempt to appeal to a potential victim’s greed that uses the FBI in an attempt to be taken more seriously. “The message of the email itself ends up killing the whole thing. It looks like several emails that were cut and pasted together,” says Hayslip.
6. Microsoft investigating you and your family voicemail
About 400 Webroot employees received this voicemail message. “A bunch of people were freaking out over this one,” says Hayslip. The number of recipients and the fact that it used a voice synthesizer were dead giveaways that the messages were fraudulent. This was the first phishing attack at the company that used voicemail.
Since then, the company has received other phishing attempts, seemingly from Microsoft or the IRS, by voicemail, and the perpetrators are getting better at it. “The message is getting a bit tighter,” says Hayslip, but they all still use the voice synthesizer. “They’ve not really been effective. What we’re waiting for is cybercriminals starting to use AI so that [the voicemail] sounds like a real human. Then we’re going to have issues,” he says.
Education is key to fighting this type of phishing. “If Microsoft is coming after your company because of licensing issues, they aren’t going to leave a voicemail like that,” says Hayslip. “They’ll have their lawyers show up.” Similarly, the IRS would send notices by mail rather than voicemail to anyone who might be in trouble with them.
7. Bank of Ireland payment request for GoDaddy
This email has enough information specific to the target company to give even phishing-savvy recipients pause. “We use GoDaddy, so people wondered, ‘Are we late on a bill?’” says Hayslip. “We’ve got an office in Dublin, so the big question we were asking was, ‘Do we have any accounts dealing with Bank of Ireland?’ We were also dealing with accounts receivable. Everything was coming back negative.”
Here again, this phishing attempt is counting on the recipients to be unaware of the processes that the companies actually use. “I’ve never had GoDaddy sic a bank on us. Typically, GoDaddy just sends you an email that says, ‘Hey, it’s time to renew,’” says Hayslip.
While Hayslip’s team was trying to verify the validity of the email with different departments, they also looked into the link. “That’s when we knew we were dealing with malware.”
8. Pay your Amazon seller account balance
This message was sent to Hayslip’s deputy CISO, who is not an Amazon seller. That made it easy to spot as a phishing attempt, even if the recipient had not been a seasoned security professional. Even if the recipient was an Amazon seller, the message does not look like any formal payment communication that Amazon has with its sellers. “I’ve seen what the Amazon seller process looks like, and it’s a lot more than getting a small email saying ‘hey, you owe us some money,’” says Hayslip.
An actual Amazon message would be more formal and include its logo. “Typically, they would not give you anything with links. Instead they tell you, ‘Here are our dates and times when we’re open. Here are our phone numbers. Here’s where you can contact us.’ Then you are supposed to contact them,” says Hayslip. “That’s how these types of emails right away raise alarm bells, because they’re not following the methodology the vendors typically use.”