Bait for the phish: The subject lines that reel them in.

To those of us who work in the MarComm field – or in business generally – it may seem odd how so many people can get suckered into opening e-mails that contain malware or otherwise wreak havoc with their devices.

But as it turns out, the phishing masters have become quite adept at crafting e-mail subject lines and content that successfully ensnare even the most alert recipients.

In fact, the phishers actually exploit our concerns about security by sending e-communications that play off of those very fears.

To study this effect, cybersecurity firm KnowBe4 conducted an analysis of the most clicked-on phishing subject lines of 2018. Its evaluation was two-pronged – charting actual phishing e-mails received by KnowBe4 clients and reported by their IT departments as suspicious, as well as conducting simulated phishing tests to monitor recipient behavior.

What KnowBe4 found was that the most effective phishing e-mail subject lines generally fall into five topic categories:

  • Passwords
  • Deliveries
  • IT department
  • Company policies
  • Vacation

More specifically, the ten most clicked-on subject lines during 2018, in order of rank, were these:

  • #1. Password Check Required Immediately / Change of Password Required Immediately
  • #2. Your Order with Amazon.com / Your Amazon Order Receipt
  • #3. Announcement: Change in Holiday Schedule
  • #4. Happy Holidays! Have a drink on us
  • #5. Problem with Bank Account
  • #6. De-activation of [recipient’s e-mail address] in Process
  • #7. Wire Department
  • #8. Revised Vacation & Sick Time Policy
  • #9. Last reminder: please respond immediately
  • #10. UPS Label Delivery 1ZBE312TNY00015011

Notice that nearly all of them pertain to topics that seem important, timely and needing the attention of the recipient.

Another way that KnowBe4 analyzed the situation was by pinpointing the e-mail subject lines that were deployed most often in phishing e-mails during 2018.

Here are the Top Ten, ranked in order of their usage:

  • #1. Apple: You recently requested a password reset for your Apple ID
  • #2. Employee Satisfaction Survey
  • #3. Sharepoint: You Have Received 2 New Fax Messages
  • #4. Your Support Ticket is Closing
  • #5. Docusign: You’ve received a Document for Signature
  • #6. ZipRecruiter: ZipRecruiter Account Suspended
  • #7. IT System Support
  • #8. Amazon: Your Order Summary
  • #9. Office 365: Suspicious Activity Report
  • #10. Squarespace: Account billing failure

Commenting on the results that were uncovered by the evaluation, Perry Carpenter, a strategy officer at KnowBe4 had this to say:

“Clicking [on] an e-mail is as much about human psychology as it is about accomplishing a task. The fact that we saw ‘password’ subject lines clicked … shows us that users are concerned about security.  Likewise, users clicked on messages about company policies and deliveries … showing a general curiosity about issues that matter to them.”

Carpenter went on to note that KnowBe4’s findings should help corporate IT departments understand “how recipients think” before they click on phishing e-mails and the links within them.

How about you? Are there other e-mail subject lines beyond the ones listed above that you’ve encountered in your daily activities and that raise your suspicions? Please share your examples in the comment section below.

No End in Sight to the Challenge of Email Deliverability

When it comes to e-mail communications in the B-to-B world, yet another study is underscoring just how challenging it is to reach corporate inboxes.

A new report by cyber-security firm FireEye, Inc. reveals that fewer than one-third of e-mails sent are actually making it into corporate inboxes. The FireEye analysis was based on tracking more than a half-billion e-mails sent between January and June of 2018.

The majority of those e-mails were deemed to be spam or malicious in their intent. Nearly 60% were blocked by threat intelligence and around 10% more were halted by attack prevention tactics such as URL inspection and attachment detonation.

E-mails were deemed suspicious because they triggered one or more of the following “red-light” cautions:

  • Malware-less impersonations
  • Malware viruses
  • Phishing attacks
  • Ransomware
  • Spyware
  • Trojan horses
  • Worms

Interestingly however, it turns out that only a small fraction of the e-mails actually had malicious intent, meaning that the super-strict filters being employed by companies are capturing a huge number of perfectly legitimate e-mail messages in their dragnet and rejecting them out of hand.

On the other hand, the FireEye analysis also determined that impersonation attacks have undergone a shift from domain name spoofing to “friendly” domain name scams – ones in which an e-mail address is manipulated to impersonate a trusted source.

As the study cautions:

“This shift in tactics may be driven by how easily cyber criminals can ‘spoof’ the display name and username potion of an e-mail header. Instead of having to go through the process of buying and registering a domain similar to – or one that sounds like – the recipient’s domain, they can simply change the display/user name.”

The FireEye analysis is a reminder that because of its sheer pervasiveness, e-mail communications are also the most popular conduit for potentially significant cyberattacks. No wonder companies have their guard up.

The problem is, clearly a whole lot of wheat is being thrown out with the chaff.  And that makes e-communications hardly the slam-dunk communications tactic that many people assume it to be.

The Ad Fraud Gravy Train Keeps Chugging Along — No Matter What …

xbnAd fraud is quite a large issue for online advertisers – and it’s been on many companies’ radar screens for a long time.

But even with the higher visibility and greater scrutiny of online ad fraud, it seems to be a problem that only gets bigger.

The most recent example of the phenomenon came to light a few weeks ago, when ad fraud prevention consulting firm Pixalate announced that a newly discovered botnet has been draining literally billions of dollars from advertisers’ MarComm coffers.

The botnet is dubbed Xindi – the same name as the hostile aliens in the Star Trek sci-fi TV series.

Xindi is making money for its creators by serving actual ads – but to simulated audiences.  It has spread via familiar methods such as phishing.

Pixalate estimates that just shy of 78 billion fake ad impressions have been racked up so far.  Even at low cost-per-impression revenue figures, the high volume amounts to several billions of dollars of illicit revenues siphoned (and counting).

What makes the Xindi botnet particularly nettlesome is that it’s designed to go after computers and networks at high-end organizations, enabling it to “mimic” desirable web traffic (i.e. affluent consumers).

xbotAccording to Pixalate, already there could be as many as 8 million computers compromised in more than 5,000 networks, including a goodly number of Fortune 500 companies as well as university and governmental networks.

Such desirable locations and ad audiences translate into lucrative online ad pricing (CPMs of $200 or more).

In the event, advertisers are paying high prices … for nothing.

To counteract Xindi, Pixalate recommends that the Internet Advertising Bureau update its protocols to factor in the pace of ad requests, so that impression generated after a certain time period cannot be accepted as valid — and hence would be non-billable.

Whether this or other remedies will actually happen is up in the air at the moment (the IAB isn’t onboard with the recommendations).

Either way, what seems clear is that whatever the remedial actions that are taken, burgeoning ad fraud activity is bound to continue.

The question is, can it ever be contained, or will it just continue to grow and grow?  If you have any thoughts or ideas on the challenge, please share them with other readers.