While phishing emails mimic legitimate communication, we can still examine the presented interaction to understand how it persuades the victim to act. If we know how the email operates as a rhetorical situation, we can understand how the emails build a legitimate reality for the potential victim. As an offensive technique, this communication simulation becomes "hyper-real" to the victim, meaning that the false reality becomes more real than reality. From a defensive perspective, it's necessary to deconstruct what's happening to bring the potential victim back to the "real" reality versus what they've initially constructed. In these analyses, I frame the victim as the "audience" and the attack as the "author/speaker."
Profit is a primary motivator of criminals, but political agenda or personal gratification has equal potential. Since I cannot understand the attacker's motivations just through looking at an email, I assume the intentions of a phisher to be looking for profit either through financial gain or dropping a payload to obtain a foothold on other information they're interested in. Realistically, there is no way to tell an attacker's intention without asking them directly. Regardless of the motivation, I can still examine the language to understand how the attack works. To do this, I consider the rhetorical situation, appeals (ethos, pathos, logos, kairos), and how hyper-reality and simulation manifest through the specific situation created in the email. It's crucial to remain sympathetic to the attacker because if we understand how to phish someone successfully, we can better serve those we want to protect.
A rhetorical situation is the context of an argument. I've created a diagram to help visually explain how the rhetorical situation works. Essentially, the entire argument exists inside this contextual sphere. The three points on the triangle represent different parts of the argument: the speaker, the audience, and the subject at hand. The triangle itself is the intent or purpose of the argument – we can think about this triangle as the "main idea."
The speaker, situated at the top, must understand:
This positioning is crucial when looking at phishing emails because while the email itself creates a rhetorical situation, the situation is deceptive. The attacker is pretending to be someone they are not, but the audience is (hopefully) unaware. The audience's interpretation of the falsified act is the ultimate key to a successful phishing attempt. The falsification of genuine communication adds another layer of complexity to the situation, making us examine the argument through abstraction. If you'd like to dive into this abstraction's theoretical implications, I'd recommend going down the semiotics rabbit hole. It's a fascinating examination of language as a series of signs and the interpretations of those signs – here's a decent writeup on an interdisciplinary blog that will get you started.
Opportunities for phishing are through an existing relationship with the victim. If the author is pretending to be someone, the email must show specific markers to be successful. If the actual recipient of the email isn't the intended target, an attacker might use social engineering tactics to get access to who or what they're looking for. Personal solicitation à la Nigerian Prince tactics are common. General bulk mailings tend to be less successful but do still work.
Content and form are a part of the speaker's intent and what they're projecting to the audience. The text's structure, imagery, and use of color influence interpretation. In addition, spelling and grammatical patterns, colloquialisms, or technical terms familiar to a genre (such as business communications) can affect the reception of a phishing email. Visual aids such as company logos, colors, and branding also create identification through textual and visual language, which substantially impacts the deception's effectiveness. But no matter how the email presents itself, it must have a clear purpose and identify with the audience to be successful. The true strength of the phishing email is in its argument.
Ethos focuses on establishing the author's credibility, and phishing emails call upon this appeal through specific markers such as company branding, formal language, and market terminology. How the attacker represents themselves to the audience – the deception – is their ethos. Remember, it's a deception, so the email is looking to present itself as trustworthy. Generally, this is through an appropriate tone for the situation presented, along with reassurances of safety or security. In more personal circumstances, such as a solicitation email, the attackers mimic a specific nationality or religion to gain trust. An attacker's technical ethos can be built through URL masking, email content/design, and email header spoofing. Ultimately, this appeal seeks to create a shared value system with the victim through identification.
Pathos uses emotional appeals to influence the audience into taking the desired action. In a phishing email, pathos generally presents as a fear-based appeal by threatening account disconnection or personal detail compromise. Pathos can also manifest through acts of charity and adventure, feeding the audience's ego with the hope that they act in "good faith." Conversely, some emails seek to reduce a victim's ego through perceived failure or a "lack" of something if they don't comply. Whether it's being offered a life-changing boon or instilling fear and paranoia through threats of loss, phishers that appeal to emotion create an effective way of convincing their victim to act.
Logos is concerned with presenting facts, and it's important to remember that logos doesn't have to be factual. This appeal only needs to appear to offer objective and truthful facts. Logos is constructed by leaving contact information such as addresses or phone numbers. These can even be valid and real places or points of contact, just not for the real author of the email, which only adds to the abstraction of the rhetorical situation. Logos can also show itself as an urgent attachment that needs to get to someone, or somewhere, with the victim's help. Financial or data specificity is a common manifestation of this as well, solidifying the realness of the situation through specific dollar amounts or product SKUs mentioned in invoices. Logos can also point a victim in a direction, such as "your account has been compromised, click here to fix it." It's a tricky appeal since phishing emails are not genuine communication but ultimately function by providing evidence that convinces the audience that the argument is legitimate.
At the root of every phishing email lies exigency – the call to action, or kairos. Kairos shows up as an urgent plea about an account compromise, a request from a higher-up, or some other activity that requires an immediate response. It's an appeal recognized by many anti-phishing campaigns (just not in rhetorical terms) that describe the overly urgent plea to act as a dead giveaway for a phishing scam. I believe these campaigns have changed how urgency presents itself in phishing emails over the years. Many scams have abandoned the overly emphatic pleas to "act now" in favor of more subtle nudges asking victims to react appropriately. It's evident in my analysis of personal solicitation emails and clone phishing that methods have changed compared to bulk phishing emails from the early 00s era.
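The technical ethos markers named above (URL masking, header spoofing), the logos nudge of "click here to fix it," and the kairos cues of urgency and threatened loss can all be checked mechanically on the defender's side. The following is an added example, not code from the original post: it parses a constructed sample message (domains under the reserved `.invalid` TLD and an address from the documentation range 203.0.113.0/24, so nothing here refers to a real sender) and reports three kinds of findings: a Reply-To domain that differs from the From domain, anchor text that displays one host while the href points at another, and urgency phrases from a small assumed lexicon. The `URGENCY_PATTERNS` list and the `analyse_email` interface are my own choices for illustration.

```python
"""Defender-side checks for the ethos, logos and kairos markers of a phishing email."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): the Reply-To mailbox lives on a
# different domain than the From address, the visible link text shows one host
# while the href points at a bare IP, and the body leans on urgency.
SAMPLE_RAW_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank-alerts.invalid>
Reply-To: support@unrelated-mailbox.invalid
To: customer@example.com
Subject: Unusual sign-in detected
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed an unusual sign-in. Please verify your account within 24 hours
or access will be suspended.</p>
<p><a href="http://203.0.113.7/login">https://www.example-bank.invalid/secure</a></p>
</body></html>
"""

# Kairos/pathos cues: urgency and threat-of-loss phrasing. This lexicon is an
# assumption for the example; a production filter would use a tuned model.
URGENCY_PATTERNS = [
    r"\bwithin \d+ (?:hours?|days?)\b",
    r"\bimmediately\b",
    r"\bsuspend(?:ed)?\b",
    r"\bverify your account\b",
    r"\bact now\b",
]


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _domain(addr):
    """Lower-cased domain part of a mailbox address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_email(raw):
    """Return findings grouped as header mismatches, link mismatches and urgency cues."""
    msg = message_from_string(raw)
    findings = {"header": [], "links": [], "urgency": []}

    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = _domain(from_addr), _domain(reply_addr)
    if reply_addr and reply_domain != from_domain:
        findings["header"].append(
            f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")

    # Ethos/logos check: visible link text that names a host the href does not go to.
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if text.lower().startswith("http") and _host(text) != _host(href):
            findings["links"].append(
                f"link text shows {_host(text)} but href points to {_host(href)}")

    # Kairos check: urgency phrasing in the tag-stripped body text.
    plain = re.sub(r"<[^>]+>", " ", body)
    for pattern in URGENCY_PATTERNS:
        findings["urgency"].extend(
            m.lower() for m in re.findall(pattern, plain, flags=re.IGNORECASE))
    return findings


def risk_score(findings):
    """Count of individual findings; a crude triage number for the analyst."""
    return sum(len(v) for v in findings.values())


if __name__ == "__main__":
    result = analyse_email(SAMPLE_RAW_EMAIL)
    for category, items in result.items():
        for item in items:
            print(f"[{category}] {item}")
    print("score:", risk_score(result))
```

None of these checks proves an email is malicious on its own; a legitimate newsletter often has a different Reply-To, and a genuine security notice may ask for action within 24 hours. Their value is in surfacing the markers the rhetorical analysis predicts so that the "hyper-real" presentation can be pulled apart before the reader acts on it.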
The simulacrum is a popular trope used to express how a symbol overtakes meaning for something or some action. When I reference the simulacrum, I'm using Jean Baudrillard's definition in his book Simulacra and Simulation. Philosophically complex and the bane of many scholars, Baudrillard states that a simulacrum creates itself through an idea's passage through four phases: reflection, masking/denaturing, absence, and simulacrum. The first phase is reflection, which we believe to be a faithful copy of the original and what Baudrillard calls a "sacramental" representation. The second phase is masking and denaturing, covering the actual reality from us while hinting at the obscured reality. Then the third phase is absence, a representation of an original without an original. And finally, the simulacrum, a representation without grounding in reality. If we think about emails as an "image," then the representation of these emails as real and "correct" representations of emails from the actual company, as opposed to a perversion via phishing attempt, should be followed easily.
If that is still confusing, perhaps a meme would help:
Swedish Fish Oreos are not fish, but the perversion of the original idea from fish to snack food is very similar to an email from Chase asking you to click here, but it's actually a C2 server. The tricky part is that Swedish Fish Oreos are not pretending to pass as fish, but the link to a C2 server is trying to pass as business communication. The deception is the perversion.
Since phishing attacks simulate a "safe" reality to keep the actual "harmful" truth hidden, they must be constructed so that the situation becomes hyperreal and undetectable to the victim. One way this is accomplished is by directly copying and pasting code from a legitimate email, altering it slightly enough to be undetectable. The simulation then becomes solely focused on intent and purpose. The first viewpoint to consider is the attacker's, and their goal is obvious: to persuade the victim into compromising themselves. The presented author of the email and their intent are considered, as well as the victim's interpretation. Since it's a simulated "relationship" between the audience and author, understanding how the mimicry entwines itself with intent is necessary. An attacker will try to do this without blowing their cover, and the process constructed through language should be examined to understand how these attacks are so successful.
How these elements create an identity of the phisher themselves, the false author, and their perception of their victims helps us understand cyber-attacks both from an offensive attack stance and the defensive response from security awareness training. It's a fascinating question to think about - how exactly does an attacker piece together what they perceive as the victim's identity? How do they know who the person is that they're targeting? These questions are more easily answered in some cases than others. For instance, bulk emails tend to care little about who they reach; one successful attempt out of 10,000 still means payday, after all.
People respond to phishing emails because they work - 97% of people even state they can't tell the difference between a regular and phishing email. These attacks succeed because the victims believe the author's intent to be genuine. This misunderstanding is due to perceived existing relationships and persuasive techniques, especially those involving emotion and other similarities in value systems between the email's "author" and the victim. The rhetorical situation in a phishing attack is complex and worthy of examination. Looking at the language in phishing emails as an attack vector instead of treating them as a technical problem is a massive leap towards understanding why they operate so effectively, especially when physical barriers and extensive training programs fail to protect victims.
Please continue on to the bulk phishing analysis.