Security teams are constantly trying to stay one step ahead of phishing email scammers. What pitches are they using? Who are they targeting? What strings are they pulling to get people to click on malicious links?
One way to gain that insight is to study the email messages that the scammers send. Gary Hayslip, CISO at cybersecurity and threat intelligence services firm Webroot, has been collecting phishing email samples for the last four years, starting when he was CISO for the city of San Diego. “I started noticing the spam I was getting was not the usual prince from Nigeria, please respond. Instead, some of these [scammers] have done some research on the accounts receivable department or on specific managers, and the emails were tailored towards them,” he says. “I thought it was interesting and started saving copies of them. You see some really weird stuff at times.”
Those emails became a valuable research tool, especially after Hayslip realized that other CISOs were also collecting them. Another CISO might send him a phishing email received by their organization so the two could compare notes. “I could show [the CISO], ‘yeah, we got something very similar about 18 months ago and it’s coming back again.’”
He adds that knowing how a campaign's details change over time, say, the sender address or the way the message creates a sense of urgency, allows him and his peers to better identify and block variations on that phishing campaign. Having that record on hand is also good training material for his staff.
That training is important, because Hayslip sees criminals becoming much more targeted with their phishing campaigns. “They are targeting specific groups where they know everybody in the group, or they are targeting specific people and the email is written towards them.” That relevancy to the recipient makes the phishing email a lot more destructive if successful, either in terms of damage to the network or size of the financial fraud—for example, getting an executive’s administrative assistant to approve a large fraudulent payment.
Below are eight of the phishing emails that Hayslip has collected. He weighs in on why they are or are not effective, and what gives each one away as a phishing scam.
Phishing email examples
1. Your account has been hacked
The person sending this phishing message found a group email that was publicly available on the Webroot website. Using that list to target the message was smart. Not so smart was the content of the message, with lines like “It’s useless to change the password, my malware intercepts it every time.”
“When you see postings like that, that’s someone who really doesn’t understand how malware works,” says Hayslip. Professional cyber criminals don’t talk that way. “There’s a way in which they talk, and they are very professional about their tools and the way they discuss things. I knew right away that this was crap.”