The new and improved UX of phishing emails

Last year was the year attackers “went corporate” by changing their tactics to focus on businesses rather than consumers, exploiting middle management overload of information sharing, and trading off attack volume for sophistication. Human behavior, not simply system or software vulnerabilities, has significant implications on enterprise security.

Key findings include:

Every organization clicks. On average, users click one of every 25 malicious messages delivered. No organization observed was able to eliminate clicking on malicious links.

Middle management is a bigger target. Representing a marked change from 2013 when managers were less frequently targeted by malicious emails, in 2014 managers effectively doubled their click rates compared to the previous year. Additionally, managers and staff clicked on links in malicious messages two times more frequently than executives.

Sales, Finance and Procurement are the worst offenders. Sales, Finance and Procurement (Supply Chain) were the worst offenders when it came to clicking links in malicious messages, clicking on links in malicious messages 50-80 percent more frequently than the average departmental click rate.

...The most popular email lures in 2014 included: e-fax and voicemails notifications, and corporate and personal financial alerts...

--"How attackers exploit end-users' psychology" Help Net Security

To sum this up, the key offenders who click on these phishing emails fit into a distinct profile:

People overloaded with emails
People who respond quickly to urgent messages by skimming (not reading)
People who's main work focus isn't IT (so they don't really notice the nuances and patterns of the phishing emails or the urls in the links)

We all know what these phishing emails look like.

Poorly designed and written email messages
The subject matter usually informs you that your account has been overdrawn from a bank you have never heard of
Or you hear about an account you never had in another country
Or someone from Nigeria or another African country is informing you of winnings

...and the list continues.

However, these guys are starting to adopt UX and marketing principles to get clicks. They know that we are onto them and won't fall for those scams that they did in the past. They are improving their game.

I have noticed a trend of these emails more closely matching the corporate templates they are trying to copy and leveraging similar language. It's becoming more difficult to identify these emails by skimming alone (the urls are always a giveaway with a rollover).

Here's an example of "American Express"-styled phishing. The subject line definitely got my attention: Member Suspension Notice.

After reading the subject line, I FREAKED OUT!

The thoughts that raced through my head:

Why would my account be suspended?
What did I do wrong?
What's going on?
OH MY GOD!!
Why did AMEX cut off my account?

...and I spiraled downwards into a mental abyss from there.

Of course, I opened the email and I read something about my phone number being updated, which didn't make a heck of a lot of sense in relation to the subject line, but I didn't care because I was too panicked by the subject line. I kept looking for a reason for the account suspension. I initially read this on my phone, so I didn't get the full effect of the odd formatting and the weird account number display to know right away it was from a phishing expedition.

I was close to calling AMEX or using the AMEX app on my phone to learn more about why my account was suspended. I was rational enough to have had good sense NOT to click on the link in the email. There was no reason for it.

When I saw this email on my computer at home later that day, I had to admit that the formatting wasn't bad. (I mean, it's not great, but these phishing emails have come a long way! At least there is formatting consistent with the brand.).

It wasn't until I rolled over the link to see that the URL didn't go to AMEX - it pointed to some crazy, and most likely infected, site. (Unfortunately, you don't get to experience that on the phone - so maintain caution when you tap!)

How are these phisher-men getting smarter?

Their emails are copying the simple, system email templates these companies use. I almost want to say, about time. It's not a hard thing to do. And a basic systems template doesn't take a lot of work to replicate. In general, they are making their emails look better and more convincing.

Marketing 101 - they rely on your emotional response to click. It's not great, but they are leveraging panic for you to open an email. They will also get you to feel excitement to open an email about a potential, yet bogus, LinkedIn connection. And it's through curiosity that you would click on a link to that bogus connection or click a link to some bogus site to accept the stranger's invite.

They are experimenting with social media. I'm not kidding - the Nigerian scam has reached LinkedIn. I got an invite from a "banker" from Nigeria, some nicely dressed older woman. Not even two minutes after accepting her invite, I got an email inquiry about a deal. I immediately un-linked from her and was more careful about who I accept an invitation from on LinkedIn.

The urls to go to are getting better. For this email:

The PayPal Web address is: pypl.com. Yes - it's not that far off from paypal.com. For someone who is not tech savvy, this seems like a reasonable URL to go to. Only people in IT and related professions know that PayPal only will use a derivative of PayPal.com (meaning, paypal.com will be in the first part of the url). Most people don't really think about this - and fall victim because of it.

Knowing that phisher-men are incorporating modern UX design and communication principles into their tactics, you need to be a little more defensive in your email scans.

A few things you always need to be aware of when you get a strange email:

If a subject line is about very unexpected news (like an account closing) - phishing alert! Don't open it. (Most companies communicate that through a letter, anyway.)

If the formatting seems a little unprofessional, the email probably is not originating from that corporation. Corporations monitor email formatting to the pixel. Everything is aligned. This isn't always 100% true for a phishing email.

If an email and its links seems suspect, don't click on them. If you have a question about its legitimacy, go to the company's app or Web site directly to sort it out. Stop using email links. (The same information in the email will be on the site.)

The URLs for the links in an email for a proper company will be a derivative of its formal url. Not something like pypl. Always rollover the link of any suspicious email to confirm where it is going. I have seen that too - respectable companies sending a suspicious email with a real link. Sometimes, a company will be off their game. It happens.

But the rule to rule them all - if in doubt - visit the original Web site or app. The Web site or app has the your most current, accurate account information. If an invitation is legitimate, then the info will be available at the site. If it isn't, you dodged a virus or malware attack.

Please be safe - don't click on suspicious links!

Verify your Comment

Previewing your Comment

Posted by: |

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:

Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Process + Brand = Experience

Tuesday, May 12, 2015