While phishing emails are mimicry of legitimate communication, we can still examine the presented interaction to understand how it persuades the victim to act. As an offensive technique, this communication simulation becomes "hyper-real" to the victim, meaning that the false reality becomes more real than reality. From a defensive perspective, it's necessary to deconstruct what's happening to bring the potential victim back to the "real" reality versus what they've initially constructed. Fundamentally, if we understand how the email operates as a rhetorical situation, we can understand how the emails build a legitimate reality for the potential victim. In these analyses, I frame the victim as the "audience" and the attack as the "author/speaker."
Since I cannot understand the attacker's motivations just through looking at an email, I assume the intentions of a phisher as looking for profit either through financial gain or dropping a payload to obtain a foothold or other information they're interested in. Realistically, there is no way to tell what the intention of an attacker is without asking them directly. Profit is a primary motivator of criminals in general, but political agenda or personal gratification has equal potential. Regardless of motivation, I can still examine the language to understand how the attack works. To do this, I consider the rhetorical situation, appeals (ethos, pathos, logos, kairos), and how hyper-reality and simulation manifest through the specific situation created in the email. It's crucial to remain sympathetic to the attacker because if we understand how to phish someone successfully, we can better serve those we are looking to protect.
A rhetorical situation is the context in which an argument is presented. I've created a diagram to help visually explain what a rhetorical situation is. The entirety of the argument present is inside this contextual sphere. The three points on the triangle represent different parts to consider in an argument: the speaker, the audience, and the subject at hand. The triangle itself is the intent or purpose of the argument – we can think about this triangle as the "main idea."
The speaker, situated at the top, must understand 1) who they are and how that relates to the audience, 2) anticipate what the audience needs to hear to communicate their message effectively, and 3) demonstrate their knowledge of the topic being argued. While I’ve framed the explanation from the speaker’s perspective, notice that the arrows are bidirectional; we could just as easily state that the audience must understand what they’re looking to hear from the speaker, as well as the combined knowledge of the topic at hand to make judgments about the speaker’s argument. It’s a way to position yourself in any argument so you can understand each perspective.
This positioning is especially important to use when looking at phishing emails because while the email itself creates a rhetorical situation, the situation is deceptive. The attacker is pretending to be someone they are not, but the audience is (hopefully) unaware. The audience’s interpretation of the falsified act is the ultimate key to a successful phishing attempt. The falsification of genuine communication adds another layer of complexity onto the situation and forces us to examine the argument through abstraction. If you’d like to continue exploring the theoretical implications of this abstraction, I’d recommend going down the rabbit hole a bit with semiotics. It’s a fascinating examination of language as a series of signs and interpretations of those signs – here’s a decent writeup on an interdisciplinary blog that will get you started.
In a phishing email, if the author is pretending to be someone, the email must show specific markers to be successful. Also, if the actual recipient of the email isn’t the intended target, an attacker might use social engineering tactics to get access to who or what they're looking for. Overall, the opportunity presented at face value is created through an existing relationship with the victim. There are also instances of phishing opportunities created through personal solicitation à la Nigerian Prince tactics, or general bulk mailings.
Content and form are a part of both the speaker’s intent and what they’re projecting to the audience as well. The text’s structure, imagery, and use of color influence interpretation. In addition, spelling and grammatical patterns, colloquialisms, or technical terms familiar to a genre (such as business communications) can affect the reception of a phishing email. Visual aids such as company logos, colors, and branding also create identification through textual and visual language, which have a strong impact on the effectiveness of the deception. But no matter how the email presents itself, it must have a clear purpose and identify with the audience to be successful.
Because ethos focuses on establishing the author's credibility, phishing emails call upon this appeal through certain markers such as company branding, formal language, and market terminology. How the attacker represents themselves to the audience – the deception – is how ethos is constructed. Remember, it’s a deception, so the email is looking to present themselves as trustworthy. Generally this is done through an appropriate tone for the situation presented, along with reassurances of safety or security. In more personal circumstances such as a solicitation email, the attackers present a specific nationality or religion to gain trust. An attacker's technical ethos can be built through URL masking, email content/design, and email header spoofing. Ultimately, this appeal seeks to create a shared value system with their victim through identification.
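As an added illustration, not code from this essay, here is a small Python check for two of the "technical ethos" markers named above, run on a constructed sample message: it treats a Reply-To domain that differs from the From domain as a simple proxy for a spoofed sender header (an assumption, not a definitive test) and flags anchor text that names a different host than its href (URL masking). All hostnames are made-up placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every domain is an invalid placeholder.
SAMPLE_EML = """From: "Example Bank Security" <alerts@mail-example-bank.invalid>
Reply-To: recover@free-mail.invalid
Content-Type: text/html; charset=utf-8

<p>Click <a href="http://login.example-bank-verify.invalid/reset">
https://www.example-bank.com/reset</a> to fix it.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    # Lower-cased hostname of a URL or of a bare domain string.
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()

def ethos_markers(raw):
    # Return human-readable findings for the two markers checked here.
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = msg["From"].addresses[0].domain.lower()
    reply_to = msg["Reply-To"]
    # Assumption: Reply-To on another domain is a simple proxy for header spoofing.
    if reply_to and reply_to.addresses[0].domain.lower() != from_domain:
        findings.append(f"reply-to domain {reply_to.addresses[0].domain} differs from From domain {from_domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            # URL masking: link text looks like a URL but names a different host than the href.
            if "." in text and host_of(text) != host_of(href):
                findings.append(f"link text shows {host_of(text)} but href points to {host_of(href)}")
    return findings
```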
Remember that pathos uses emotional appeals to influence the audience into taking the desired action. In a phishing email, pathos generally presents itself as a fear-based appeal by threatening account disconnection or personal detail compromise. Pathos can also manifest itself through acts of charity and adventure, feeding the ego of the audience with the hope that they act on "good faith." Conversely, some emails seek to reduce a victim's ego through perceived failure or a "lack" of something if they don't comply. Whether it’s being offered a life-changing boon, or instilling fear and paranoia through threats of loss, phishers that appeal to emotion create an effective way of convincing their victim to act.
While logos is concerned with presenting facts, it’s important to remember that logos doesn’t have to be factual. This appeal only needs to appear that it’s presenting objective and truthful facts. Logos is constructed by leaving contact information such as addresses or phone numbers. These can even be valid and real places or points of contact, just not for the real author of the email, which only adds to the abstraction of the rhetorical situation. Logos can also show itself as an urgent attachment that needs to get to someone, or somewhere, with the victim's help. Financial or data specificity is a common manifestation of the appeal as well, solidifying the realness of the situation through specific dollar amounts or product SKUs mentioned in invoices. Logos can also point a victim in a direction, such as "your account has been compromised, click here to fix it." It's a tricky appeal since phishing emails are not genuine communication, but it ultimately functions by providing evidence that convinces the audience that the argument is legitimate.
At the root of every email lies exigency – the call to action. In terms of rhetorical appeals, we see this as kairos: the urgent plea about an account compromise, a request from a higher-up, or some other action that requires an immediate response. Since the situations are manufactured, often with excessive situational severity, it’s important to the phisher that the communication ties in the specific context in order to be relevant to the victim. It’s an appeal that’s been recognized by many anti-phishing campaigns (just not in rhetoric terms) discussing the overly urgent plea to act as a dead giveaway for a phishing scam. Personally, I believe these campaigns have changed the way that urgency is presented in phishing emails over the years, with many scams abandoning the overly emphatic pleas to “act now” in favor of more subtle nudges asking victims to react appropriately. It’s evident in my analysis of personal solicitation emails, as well as clone phishing, that methods have changed compared to bulk phishing analyses of older emails from the early to mid-2000s era.
The simulacrum is a popular trope used to express how a symbol overtakes meaning for something, or some action. When I reference the simulacrum, I'm using Jean Baudrillard's definition within his book Simulacra and Simulation. Philosophically complex and the bane of many a scholar, Baudrillard states that a simulacrum is created through an idea’s passage through four phases. The first phase is reflection, which we believe to be a faithful copy of the original and what Baudrillard calls a "sacramental" representation. The second phase is masking and denaturing, covering the actual reality from us while hinting at the obscured reality. Then the third phase is absence, a representation of an original without an original. And finally the simulacrum, a representation without grounding in reality. If we think about emails as an "image," then the representation of these emails as real and "correct" representations of emails from the actual company, as opposed to a perversion via phishing attempt, can (hopefully) be followed easily.
To try and simplify, a great example of a simulacrum in popular culture is Hatsune Miku. Miku is a Vocaloid – a voice synthesizer made with Yamaha's synth technologies, complete with an animated character to bring her to life. She is one of the most popular Vocaloids to date, not only because she’s the first Vocaloid produced, but also because she is the most heavily marketed. She’s been featured in advertisements for Toyota, Domino's, racing events, and a variety of other promotions across the world. She even stars in her own video games! Miku is a digital construction successfully pretending to be a person, and as a Vocaloid, she gives anyone who has access to the technology the ability to create music using her. There is a massive fandom for Miku alone, and many fans have created elaborate (and conflicting) backstories for her. A quick search for ミク (Miku) on niconico.jp, a Japanese video-sharing site often credited with the rise in popularity of Vocaloid, gives results casting Miku in a variety of archetypes. Miku is carefree, sad, sensual, happy, violent, or even a cockroach; she's everything and nothing all at the same time. Her personality has been crafted through her fans (and her Crypton Future Media "parent"), but each version of Miku is just as real as the other:
[Images: Default Hatsune Miku; Sakura Miku Hatsune]
Miku even has live concerts and performances for real, fleshy people from songs that the fans have created. But these visual tricks are not copies of an original person; they're a copy of an original that's never existed. Even the countless representations of her that exist are copies of the idea of Miku created through her amalgamated identity. Miku (in all her forms) has become just as real as an original, making her a simulacrum. The image of Miku is a real and correct representation of her, even though she's never existed.
Coming back to phishing attacks, they’re simulating a "safe" reality to keep the true "harmful" reality hidden, so they must be constructed so that the situation becomes hyperreal and undetectable to the victim. One way this has been accomplished is by directly copying and pasting code from a legitimate email and altering it just enough to remain undetectable. The simulation then becomes solely focused on intent and purpose. The first viewpoint to consider is the attacker's, and their goal is obvious: to persuade the victim into compromising themselves. The presented author of the email and their intent are considered, as well as the victim's interpretation of the event. Since it's a simulated "relationship" between the audience and author, an understanding of how the mimicry entwines itself with intent is necessary. An attacker will try to do this without blowing their cover, and the process that’s constructed through language should be examined to understand how these attacks are so successful.
How these elements create an identity of the phisher themselves, the false author, and their perception of their victims helps us understand cyber attacks both from an offensive attack stance, as well as the defensive response from security awareness training. It's a fascinating question to think about - how exactly does an attacker piece together what they perceive as the victim's identity? How do they know who the person is that they're targeting? These questions are more easily answered in some cases than others. For instance, bulk emails tend to care little about whom they reach, and more that they reach someone; one successful attempt out of 10,000 still means payday, after all.
People respond to phishing emails because they work - 97% of people even state they can't tell the difference between a regular email and a phishing email. These attacks succeed because the victims believe the author's intent to be genuine. This misunderstanding is due to a lot of different factors mentioned above - perceived existing relationships and persuasive techniques - especially those involving emotion and other similarities in value systems between the email's "author" and the victim. The rhetorical situation that exists in a phishing attack is complex and worthy of examination. Looking at the language in phishing emails as an attack vector instead of treating them as a technical problem is a huge leap towards understanding why they operate so effectively, especially when physical barriers and extensive training programs fail to protect victims.