The 20 Words Phishers Use as Bait

Part of defeating spam is knowing what to look for when junk messages are sent.

That is one way in which a spam filter works. Certain words, misspellings, or phrases, are entered into the database and when they appear too many times in the message a red flag is raised by the anti-spam filter.

In previous posts we have talked about subject lines that are commonly used by spammers and trigger words to help you identify spam; but today we are going to look at some words that can help you identify a certain type of spam – the phishing email.

Phishing emails are far more elusive than common spam. In fact, phishing emails are more likely to make it past anti-spam filters that do not use multiple technologies because the content of the email is usually more carefully crafted.

To help identify these “craftier” threats, FireEye put together a list of the 20 most common words used in phishing attacks in the first half of 2012. Each word is coupled with the percent of phishing emails in which they appeared. Please note, this number represents the number of identified phishing emails, not the percent of emails in general:

  1. Label, 15.17%
  2. Invoice, 13.81%
  3. Post, 11.27%
  4. Document, 10.92%
  5. Postal, 9.80%
  6. Calculations, 8.98%
  7. Copy, 8.93%
  8. FedEx, 6.94%
  9. Statement, 6.12%
  10. Financial, 6.12%
  11. DHL, 5.20%
  12. USPS, 4.63%
  13. 8, 4.32%
  14. Notification, 4.27%
  15. N, 4.22%
  16. IRS, 3.60%
  17. UPS, 3.46%
  18. No, 2.84%
  19. Delivery, 2.61%
  20. Ticket, 2.60%

With the words label and invoice topping this list, it is no wonder that words related to shipping made up 26.3 percent of phishing emails, up from 19.2 percent in the second half of 2011. However what is not represented in this list is the fact that words used to create a sense of urgency were also prevalent among phishing emails. While they did not make the list, the same analysis found that there was a rise from 1.72 percent to 10.68 percent in language that was used to create this sense of urgency.

What this means for email users

Phishing and spam utilize technology to perform successful attacks. We have seen mail servers compromised and botnets created to launch these attacks. However when it comes down to brass tacks, these attacks employ the tactics of social engineering as much as they rely on technology to be successful because if they don’t trick people into clicking on a link, entering data, downloading a file or buying a product then they aren’t successful.

Scam artists know that people are under serious time constraints and that email takes up a great deal of time each day. By creating that sense of urgency the bad guys know that more people will likely fall for their scams because they are in a hurry, especially if they are able to convince them that they will get something out of it; hence the package delivery scam. By convincing their victims that a) there is something waiting for them (a package) but b) they have to act quickly so it doesn’t go away there is a high likelihood that they will get some people to fall for it.

But the changes also mean that these key words aren’t going to be the most commonly used ones for long. People will eventually catch on and start to realize that these messages are attacks so the conversion rates for the bad guys will begin to decline. When that happens, they will change their tactics.

To fight back, organizations need to rely on technologies that can quickly adapt to emerging threats and are easy to configure so that when new trigger words emerge someone can update the database and remain confident that things will still work properly to protect their users.

Some other interesting stats

In addition to the most commonly used words, the report also showed the most common categories for these attacks to be:

  • Postal (package delivery) 26.3%
  • Confirmation and alerts 10.68%
  • Banking or tax related information 3.83%
  • Travel 2.45%
  • Billing .68%

Like the keywords, these categories will likely change over the course of the year. Without the proper tools in place to protect against them organizations will wind up spending more money and resource cleaning up after the attacks than they would if they were more proactive in preventing them.

Written by Jeff


  1. Lisa S. · October 28, 2012

    The problems is that these words, i.e. ‘invoice’, ‘document’, ‘statement’, etc. are common in legit emails as well, so if you set a filter to catch emails that contain them, many legit emails will fall victim as well. The words on the list are common for sure but I only wonder why the number 8 (i.e. number 13 in the list) is so common with phishers. Any explanation?

  2. Jeff Orloff · October 28, 2012

    Very true, but you can teach your users to be on the lookout for certain words used in phishing attacks. As for the number 8, I am not too sure why it is so commonly used but it is something I will look into.

  3. Shanna Lang · November 1, 2012

    If there’s one thing I digest out of the list is this: these spammers and phishers are taking advantage of the growing phenomenon of e-commerce. Millions of people are shopping online! That’s true, since I’ve been doing that myself. If you can refer back to the list, there’s shipping and shopping processes. Now I can also assume that most of those who fall victim to these phishing schemes have also given their credit card details to these criminals. That’s such unfortunate as that would mean their identities are also stolen in the process. Hopefully more will pay attention to the dangers of phishing.

Leave A Reply