What Motivates People to Click: Phishing Examples and Techniques Used

Spearing, Whaling, Angling, BEC, CEO Fraud – they’re all phishing by any other name. Phishing has evolved and so have the names to go with it. What isn’t really changing is that the attacks tend to play on human emotions and desires. Here are a few phishing examples and the motivations taken advantage of by “phishers” in getting people to click.

Wishful Thinking: The Prince Scam

Likely the original email scam, and this is one phishing example that has unfortunately become synonymous with Nigeria, The Prince scam or 419 spreads a wide net with the aim of luring in the one unsuspecting, lonely and perhaps gambling email user. The wishful thinker would gullibly follow along and send a down payment so that they would free up a much larger amount.

Lonely Man: The Sexy Subject Line

Preying off human tendencies, “A beautiful woman wants to talk to you” is often enough to get a victim’s attention. While it may be harmless to open this email, things go wrong as soon as an email is clicked. Spyware, ransomware, data theft…you name it, it’s possible here.

Fear of Bureaucracy: The Tax Scam

The tax scam continues to grow in popularity with scammers, as the payoffs are huge. There are different forms of scams. There’s the large scale, non-targeted attack often requesting users update information in one way or another (often to receive their refunds). There’s a more sinister one though, such as the W-2 that allows criminals to gain huge volumes of rich employee data in one swoop. 870 Organizations reported receiving a W-2 phishing email, 200 of which lost data to this scam. The fear and dread of bureaucracy can cause us to panic.

Urgent Action: The Paypal Scams

Many scams use the urgent action strategy to get users to provide highly confidential information. Often using spoofing or look-alike domains the email will be formatted how you might expect, and the differences, specifically the sender and reply to domain will be only so slightly different. The urgent action Paypal scam will say something like “until you do (blank) your account will be suspended”. With urgency, as seen in many scams, the victim will feel pressure to act and not consider whether the email is legitimate. And with Paypal, we are talking about easy access to money for the scammer.

Routine Action: The Gmail (or other) Password Reset

Who can forget the Fancy Bear DNC attack? It’s no stretch to say it altered the course of history – ok, short term history. Using a similar spoofing strategy as a Paypal, it ironically will tell you that because it appears a malicious attempt to access your account was made, you need to reset your password. The rest, as we say, is history.

Unfamiliar User Interface: The Netflix Phish

A slightly different take on the previous templates, it’s probably most effective because of brand trust, but also as it is unassuming. Most of our experience with Netflix admin is set and forget. We get a bill every month but rarely even need to login. So, having no extensive relationship with it, and therefore less likely to spot irregularities (call it the “Blink” factor) when the email requests we login to reset our password or billing info, we are less likely to think critically. Once we’ve passed that stage of the phish, and the phisher has gotten its foot through the door, getting more info such as updated credit card information is unfortunately met with little resistance.

Holiday Greed: The Amazon Discount

In a similar vein to the previous ones, this one plays on both greed and often the holiday shopping bonanza. Offering either great discounts, free gift cards or other, these look-alike emails spike around the holidays and claim too many victims.

Trust in Authority: BEC/CEO Fraud

A truly frightening examples of a phishing scam, the Business Email Compromise (BEC or CEO Fraud) takes advantage of a high pressure and fast paced work environment combined with our trust in authority. The scam requests immediate action and looks to be coming from someone with authority to request it, such as a supplier, lawyer, manager, or CEO. Given the routine nature of these requests in many businesses, it is often given only a cursory glance. It is often backed up with phone calls, and advanced social engineering strategies.

“Who Would’ve Thought”: The Invoice as a Malicious Attachment

A phishing attack delivered through an attachment? Most people aren’t aware that this should be a concern. But it’s all too easy. Once the file is downloaded, a malicious code can be installed on your computer and get all kinds of sensitive information. This can install a zero-day exploit, keylogger or all kinds of sinister threats.

Playing on Desperation: The “Find My iPhone” Trick

Besides a still all too common belief that Apple products don’t get viruses, this one is interesting because it takes advantage of people in a vulnerable state. The scenario (with many similar situations) is essentially in a desperate search to recover your iPhone you try any website that promises to deliver. The same can apply to recovering deleted files or most under researched downloads from non-secure sites.

Here is a 7 item quick list to spot a phishing email:

1. It isn’t an email in a template or format you’ve received before
2. It requests an action you’ve never done before
3. It asks for confidential information (no legitimate company would do that in an email).
4. The domain is looks like an official domain, but has a weird modifier
5. It doesn’t have the brand name in the email address.
6. Spelling mistakes are a sure giveaway (scammers might not have English as a first language, and rarely will have proofreaders!)
7. Attachments with weird names or zipped.

And above all…make sure you have targeted phishing protection!