That is one way in which a spam filter works. Certain words, misspellings, or phrases are entered into the database, and when they appear too many times in a message the anti-spam filter raises a red flag.
In previous posts we have talked about subject lines that are commonly used by spammers and trigger words to help you identify spam, but today we are going to look at some words that can help you identify a certain type of spam – the phishing email.
Phishing emails are far more elusive than common spam. In fact, phishing emails are more likely to make it past anti-spam filters that do not use multiple technologies because the content of the email is usually more carefully crafted.
To help identify these “craftier” threats, FireEye put together a list of the 20 most common words used in phishing attacks in the first half of 2012. Each word is paired with the percentage of phishing emails in which it appeared. Please note that this percentage is of identified phishing emails, not of emails in general:
- Label, 15.17%
- Invoice, 13.81%
- Post, 11.27%
- Document, 10.92%
- Postal, 9.80%
- Calculations, 8.98%
- Copy, 8.93%
- FedEx, 6.94%
- Statement, 6.12%
- Financial, 6.12%
- DHL, 5.20%
- USPS, 4.63%
- 8, 4.32%
- Notification, 4.27%
- N, 4.22%
- IRS, 3.60%
- UPS, 3.46%
- No, 2.84%
- Delivery, 2.61%
- Ticket, 2.60%
With the words label and invoice topping this list, it is no wonder that words related to shipping made up 26.3 percent of phishing emails, up from 19.2 percent in the second half of 2011. However, what is not represented in this list is the fact that words used to create a sense of urgency were also prevalent among phishing emails. While they did not make the list, the same analysis found a rise from 1.72 percent to 10.68 percent in language used to create this sense of urgency.
What this means for email users
Phishing and spam utilize technology to perform successful attacks. We have seen mail servers compromised and botnets created to launch these attacks. However, when it comes down to brass tacks, these attacks employ the tactics of social engineering as much as they rely on technology: if they don’t trick people into clicking on a link, entering data, downloading a file or buying a product, then they aren’t successful.
Scam artists know that people are under serious time constraints and that email takes up a great deal of time each day. By creating that sense of urgency, the bad guys know that more people will likely fall for their scams because they are in a hurry, especially if they are able to convince them that they will get something out of it; hence the package delivery scam. By convincing their victims that a) there is something waiting for them (a package) but b) they have to act quickly so it doesn’t go away, there is a high likelihood that they will get some people to fall for it.
But the changes also mean that these key words aren’t going to be the most commonly used ones for long. People will eventually catch on and start to realize that these messages are attacks, so the conversion rates for the bad guys will begin to decline. When that happens, they will change their tactics.
To fight back, organizations need to rely on technologies that can quickly adapt to emerging threats and are easy to configure so that when new trigger words emerge someone can update the database and remain confident that things will still work properly to protect their users.
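The keyword-database approach described at the top of this post, applied to the FireEye list and to the shipping-plus-urgency pattern discussed above, can be sketched as follows. This is an added example, not FireEye's or any product's code; the weights, threshold, urgency words, sample messages and the two "new" trigger words are assumptions constructed for illustration.

```python
import re

# Words and percentages are from the FireEye list above. Using each percentage
# as a score weight is an assumption of this example, not FireEye's method.
# The entries "8", "N" and "No" are left out: too ambiguous as whole words.
TRIGGER_WORDS = {
    "label": 15.17, "invoice": 13.81, "post": 11.27, "document": 10.92,
    "postal": 9.80, "calculations": 8.98, "copy": 8.93, "fedex": 6.94,
    "statement": 6.12, "financial": 6.12, "dhl": 5.20, "usps": 4.63,
    "notification": 4.27, "irs": 3.60, "ups": 3.46, "delivery": 2.61,
    "ticket": 2.60,
}
URGENCY_WORDS = {"urgent", "immediately", "expires", "final"}  # constructed
URGENCY_MULTIPLIER = 1.5  # assumed
THRESHOLD = 25.0          # assumed

def score_message(text, triggers=TRIGGER_WORDS):
    """Return (score, matched trigger words, urgency flag) for one message."""
    # Whole-word tokens, so "poster" or "postman" never match "post".
    seen = set(re.findall(r"[a-z0-9]+", text.lower()))
    hits = sorted(w for w in triggers if w in seen)
    score = sum(triggers[w] for w in hits)
    urgent = bool(seen & URGENCY_WORDS)
    if urgent:
        score *= URGENCY_MULTIPLIER  # urgency only amplifies existing hits
    return round(score, 2), hits, urgent

def is_suspicious(text, triggers=TRIGGER_WORDS):
    return score_message(text, triggers)[0] >= THRESHOLD

# Constructed sample messages.
PHISH = ("FedEx notification: your delivery label is attached. "
         "Print the label immediately or the package will be returned.")
BENIGN = ("Hi team, I will post the meeting notes after lunch. "
          "Please copy Dana on any replies.")
NEW_LURE = ("Your parcel is held at customs. Pay the customs fee "
            "immediately to release the parcel.")

# Hypothetical update: an admin adds two newly observed trigger words.
UPDATED = {**TRIGGER_WORDS, "parcel": 15.0, "customs": 12.0}

if __name__ == "__main__":
    for name, msg in [("phish", PHISH), ("benign", BENIGN), ("new", NEW_LURE)]:
        print(name, score_message(msg), score_message(msg, UPDATED))
```

The benign message contains two listed words ("post", "copy") yet stays under the threshold, while the new lure is missed until the word table is updated, which is the maintenance burden the paragraph above describes.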
Some other interesting stats
In addition to the most commonly used words, the report also showed the most common categories for these attacks to be:
- Postal (package delivery) 26.3%
- Confirmation and alerts 10.68%
- Banking or tax related information 3.83%
- Travel 2.45%
- Billing 0.68%
Like the keywords, these categories will likely change over the course of the year. Without the proper tools in place to protect against them, organizations will wind up spending more money and resources cleaning up after the attacks than they would if they were more proactive in preventing them.