This examination of bulk phishing focuses on looking at the rhetorical situation to understand the context of the emails. It also assesses the use of rhetorical appeals – ethos, pathos, logos, and kairos – to gauge the phishing email's effectiveness. Finally, an examination of bulk emails' simulative properties assesses whether the email mimics legitimate communication, but more importantly, whether that matters if the appeals and situation are successful enough.
Bulk phishing uses impersonation, threats, and urgent-sounding language to obtain information and credentials from its victims. As the name implies, bulk phishing works by sending out multiple copies of the same email to anyone and everyone, regardless of whether there is an existing business relationship with the victim. While it is tempting to think of them as clones, bulk phishing emails are not clonephishing attempts: they do not outright mimic official emails but are instead modeled on existing emails to elicit an emotional response.
These phishing attempts rely on the attacker's ability to create provoking and trustworthy messages to be successful. Any indication that the author is not who they appear to be, whether through unexpected use of language, visuals, or overly dramatic threats, breaks the illusion portrayed and renders the attack ineffective. Since phishing relies on FUD - fear, uncertainty, and doubt - to push the victim to act, bulk phishing needs to employ this strategy expertly to succeed with a broad audience.
Bulk phishing emails are not personalized; they reference general information only vaguely connected to the victim. Bulk phishing emails can also operate by giving a notice or alert that an issue with a customer's account exists or suspicious activity has been detected. The email assumes the recipient is one of the company's customers, contacted either at random or because of recent account activity, even if they are not. Recurring themes in bulk phishing include incorrect account information, unauthorized access attempts from foreign IPs, or unauthorized purchases. Generally, all of these "infractions" result in a violation of account policies or procedures that requires urgent attention, or the victim's account will be terminated. A great example is this eBay email informing the victim that their account is suspended due to policy violations.
While the above email reads like a personal letter, it appears to have been sent directly from one of eBay's Certified Information Privacy Professionals. I assume a non-performance infraction relates to not fulfilling orders. Still, it's unclear precisely what that means, which generates curiosity to click on the link in the email. In most emails like this, the form complements the content, with business emails generally looking like formal communications. Logo placement and text styling appear to match brand standards on most emails. The main ideas of the messages presented - account alerts and notifications - mimic business communication well, but some common errors tend to break the illusion.
In another example from Amazon, the text states: "We will be upgrading our yearly SSL EncryptedServer to prevent fraudulent activity." SSL EncryptedServer looks strange because it is. A quick search of that term pulls up phishing email examples that look precisely like this one. While a more technically-minded person might see the SSL EncryptedServer and know this isn't how you'd refer to an SSL certificate, phishing emails intend to have the victim respond quickly without much forethought. SSL EncryptedServer certainly sounds enough like an SSL certificate, which is a term most people recognize. The word "encrypted" also appears in this phrase, creating a safe feeling for the victim. The rationale is that if the email's worried about fraudulent activity, it isn't fraudulent itself. Therefore, the security context is still "valid," even if we know it's not after deconstructing it.
In this phishing email from Blizzard, the situation presented is that the victim's friend has gifted them a new pet in the game World of Warcraft, and they need to claim the pet by logging into their account. Gifts are always lovely, and the recipient might be too excited to notice that it doesn't even say who sent the email, only "Your friend." But the random question marks in the sentences are telltale signs that this email is not what it appears. (Future phishers, make sure you have proper grammar!) True Blizzard fans will also know the company transitioned away from the Battle.net name to adopt Blizzard as its branding in 2016, so pushing this phishing campaign six months after they transitioned is another "oops" to a trained eye.
While the contextual situation may differ depending on the manufactured intent of the email, there's a commonality with bulk phishing in that the reason for contact is usually business communication. The success or failure of each phishing email depends on how well the manufactured intent masks the actual purpose. Discovering these contextual markers, then, is essential for learning how to create more effective training programs to combat more sophisticated phishing attempts in the future.
Bulk phishing emails establish credibility (ethos) using brand logos, legal text, and formal language, and by identifying with the victim through an existing business relationship, presenting themselves as legitimate. Communicating to the victim as a valued member and highlighting the importance of privacy and security creates a sense of trust that allows the victim to let their guard down. Often mentioned is that the email cannot be replied to because it comes from an unmonitored mailbox, which is a standard formality in business communications. A typical example from many PayPal phishing emails is language such as: "Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and choose the Help link located in the top right corner of any PayPal page."
Images also mask the phisher's intent, as they "prove" the email is from whomever the attack is pretending to be. The downside is that they can also dismantle the operation immediately if crucial images aren't loaded. Authority is asserted through forceful language, a lack of emotional appeals, and links to or quotations of various company policies. By including company policies, the email shows it's concerned with privacy and the community's safety, and implies the company will use any means necessary to keep itself secure. Acting unafraid to use legal force or threatening account termination creates a detachment that promotes the phishing email as legitimate communication.
While the tone of bulk phishing attacks tends to be formal, they tend to express urgency and evoke emotional responses through threatening language. For example, this Amazon email issues legal-sounding notices to the victim that they're violating the terms of the User Agreement and are at risk of being terminated:
Curiously, an inability to verify personal identification information is placed in the same category as financial and legal liability, especially given the assumption that most Amazon customers are buyers, not sellers. Terminating an account due to an incorrect name, address, or credit card number seems like an extreme reaction. If the attacker had done less overt threatening and more gentle guiding toward confirmation or reassurance, the attack would raise fewer eyebrows from someone questioning its legitimacy. There's no need for a company to be overly aggressive with rhetorical appeals to convince its users that something is wrong. These heavy-handed stances on company policy are an excellent way to detect that an email may have malicious intent.
The language used in the above examples, and in many phishing emails, is irrational when we deconstruct them a bit and consider the context. Why would a company terminate an account as punishment for unauthorized access attempts that are no fault of the customer? The arguments made in the emails state the closure would be a security measure and lean hard on presenting shared values of privacy and safety and maintaining the existing business relationship with the victim. But often the presentation is convoluted and doesn't follow a logical customer-business relationship. Genuine alerts notifying you that suspicious activity has occurred only inform you and urge you to contact the company, without threatening account closure or disconnection.
Sometimes phishing emails will even go so far as to implicate the recipient as a potential cause of a community's lack of integrity. This harmful use of an emotional appeal feeds on certain people's need to feel "good" or upstanding. Therefore, if the recipient acts on the matter, they retain those intrinsic positive qualities necessary for maintaining their self-image. It's a complicated use of pathos, but one that indeed feeds on most people's good intentions.
A great use of emotional appeals surfaces in this email from eBay, stating they were closing the company due to "repeated abuses on their company." The email instructs the victim to vote in a survey, giving their opinion on whether or not they feel eBay should remain open. At the bottom of the message, it states the victim received the email due to their "good account standing." It flatters the victim's ego based on their perceived value to the eBay Community. What's interesting, though, is that the email is not personally addressed, merely opening with "Dear eBay Community," even though the email states the "registered name is included to show the message originated from eBay." Even with this oversight, the context provided is a survey. Since surveys engage that dopamine feedback loop after giving positive feedback, it's no wonder they've been used for phishing emails. It's a quick, no-think situation that can easily open you up to compromise. This email is an excellent example of how a quick and straightforward (logical) request, which likely prompted the victim to "log in" to submit their survey response, can open someone up to having their information stolen.
Often these emails also use logos (the rhetorical appeal, not branding) to try to reason with the user. Examples include statements such as a victim's account information being invalid due to verification issues during payment, which appear as a straightforward follow-up. But the email's ethos is disrupted when it attempts to make the user feel bad about specific actions, such as being a "bad" Amazon community member for not having their information up to date. It doesn't make sense logically and relies on a "slippery slope" argument, which states that because their data is outdated, they risk having their account terminated. A business would not forcefully shut down someone's account for typing in something incorrectly; it would verify the information instead.
These extreme (and, after examination, unreasonable) threats succeed because fear pushes the victim to act quickly without thinking about what's happening. They could be even more successful if they honed their language toward the organization's standard communicative practices instead of merely fear-mongering. Even so, invoking an emotional response in the reader by jeopardizing something presumably valuable is an effective mode of attack and should be understood beyond solely looking for "indicators" on the defensive side.
Most bulk phishing appears as regular business communications, following that genre's form and conventions quite well with minimal emotive language, vague yet formal conversations, and consistent mentions of privacy, safety, and copyrights. What seems to be the biggest issue with these emails is visual inconsistencies that break the simulation they're projecting. The more successful bulk phishing emails operate as a clonephish, which I go into more detail about here. Aside from those, the simulation aspect of bulk phishing is not exactly compelling, as there are often glaring formatting and grammatical errors that take away from the presentation of the message. Since many of these bulk emails are meant to replicate official business communications, the improper use of language is an instant break in the illusion.
Note both the improper plural in "billing informations" and the use of "either" (which implies a choice between only two things) to reference a list of three things. Another example where a phishing email's disguise is quickly dismantled by poor grammar and images in the wrong places is found here:
Knowing that a bank has a reputation to uphold as a professional and trustworthy organization, they would never communicate to their customers using improper grammar or haphazard paragraph formatting for an account warning. The email serves as a "warning," which implies that the customer has done something wrong. If the communication were legitimate, it would most likely be sent as an "alert," suggesting the situation is not the customer's fault. The combination of poor grammar, locking the account due to multiple sign-in attempts, and a new verification process added to protect the customer after they've already been compromised is too extreme of a response given the context. A more blatant giveaway is seen here, with the use of a plain-text logo:
Since these emails intend to phish rather than inform or protect, they sometimes simulate legitimate links or information, with the malicious link (the real intention) hidden underneath. The email header often shows a "From:" display name that appears to originate from a legitimate source, while the actual email address is entirely different. My favorite example, found in the Enron Dataset, was sent from Trashcan G. Straitjacket, representing Chase, from the email firstname.lastname@example.org.
Of course, we know that an email sent by someone named Trashcan G. Straitjacket is not an actual email from Chase Bank (right?), but the language they used in the email was business-like enough that those details may have been overlooked. Deconstructing the message into what it's actually saying, we can see the obfuscated meaning easily:
"Your account access has been limited due to not having enough information in your account. However, your account is limited due to us making sure that an unauthorized third party didn't access you, so to be safe, we limited your access. (Remember, your access is limited now!) Here's a Case ID. We're responsible for your security at Chase. We want you to be safe, so click in this red box to make it better. Thanks!"
Intentionally confusing, possibly scary, and convincing enough if you're not reading it carefully.
The above email from Chase is a good attempt at simulation, especially with the included IP. A quick search of the IP address shows that it's from the Netherlands, and if the victim searched this IP, it would only make the simulation even more real, presuming that they are not from the Netherlands. We can infer this was the goal because this email example was sent to an employee at Enron, an American company, but since it was a bulk email, there is no telling whether this was the intended effect. By simulating that the attacker is someone trustworthy or provides trustworthy information, the phishing email becomes legitimate - even if it's not.
Bulk phishing relies on existing business communications with the victim and the ability to mimic those communications well. The attacks have gotten more sophisticated, and the ability to mask links through services such as bit.ly and others only makes detecting them harder for both spam filters and individuals. Some attacks use gentle persuasion, but most bulk phishing attempts are aggressive in describing what the recipient has done wrong and how to fix it, forcing the audience to act on impulse. Other times they're unbiased and informative, attempting persuasion through the presentation of facts with an easy solution, such as the account becoming locked due to multiple incorrect login attempts or a recent order failing due to billing information.
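As an added defender-side example (not part of the original analysis), the script below turns the markers discussed in the Chase example and the note on masked links into a small triage check: it compares the brand a message invokes against the sender's actual domain, flags known URL shorteners in the body, and counts the threat phrases that recur in the emails above. The sample message is constructed around the page's Trashcan G. Straitjacket example; the brand-to-domain map, the shortener list and the phrase list are assumptions a practitioner would tune.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modeled on the Chase example above: the display name is
# the one quoted in the text, the address is the page's placeholder, and the
# IP, case ID and shortened link are made up.
SUSPICIOUS_EMAIL = """\
From: "Trashcan G. Straitjacket" <firstname.lastname@example.org>
Subject: Your account access has been limited

Your account access has been limited because an unauthorized third party
may have accessed your account from 203.0.113.45. Case ID: 0000000.
We are responsible for your security at Chase, so to be safe,
verify your details here: http://bit.ly/PLACEHOLDER
Your account will be terminated if you do not respond within 24 hours.
"""

# Brands the page's examples impersonate and the domain each actually sends
# from (assumption: one primary domain per brand).
BRANDS = {"chase": "chase.com", "paypal": "paypal.com",
          "ebay": "ebay.com", "amazon": "amazon.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Threat and urgency phrases that recur in the emails analysed above.
URGENCY = ("access has been limited", "will be terminated", "suspended",
           "within 24 hours", "unauthorized", "policy violation")

# One raw RFC 822 message in, list of finding strings out.
def analyze(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    findings = []
    for brand, legit in BRANDS.items():
        # \b keeps a word like "purchase" from matching the brand "chase".
        mentioned = re.search(rf"\b{brand}\b", text) is not None
        from_brand = sender_domain == legit or sender_domain.endswith("." + legit)
        if mentioned and not from_brand:
            findings.append(f"brand_mismatch:{brand}:{sender_domain}")
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"shortened_link:{host}")
    hits = [p for p in URGENCY if p in text]
    if hits:
        findings.append(f"urgency:{len(hits)}")
    return findings
```

Running `analyze(SUSPICIOUS_EMAIL)` reports the brand/domain mismatch, the shortened link and four urgency phrases, while a plain sign-in alert sent from the brand's own domain produces no findings.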
Overbearing threats of closure, compromise, and illegitimacy with the right combination of persuasive language make bulk phishing attempts incredibly successful. But while fear-based aggression garners an immediate emotional response, an email that gives a vast audience nothing to think about, with an easy solution presented, is a much more effective tactic. The language in the phishing emails that work quickly needs further examination to understand how they work so efficiently; pointing out technical failures in an email's construction is not enough.
Please continue on to the clonephishing analysis.