This examination on bulk phishing focuses on looking at the rhetorical situation to understand the context of the emails. It also assesses the use of the rhetorical appeals – ethos, pathos, logos, and kairos – to gauge the phishing email's effectiveness. Finally, an examination of bulk emails' simulative properties assesses whether the email mimics legitimate communication, but more importantly, whether that matters if the appeals and situation are successful enough.
Bulk phishing uses impersonation, threats, and urgent-sounding language to obtain information and credentials from its victims. As the name implies, bulk phishing works by sending out multiple copies of the same email to anyone and everyone, regardless of whether there is an existing business relationship with the victim. While it is tempting to think of them as clones, bulk phishing emails are not clone phishing attempts: they do not outright mimic official emails but are instead designed on the pattern of existing emails to elicit an emotional response.
This distinction is critical, as these phishing attempts rely on the attacker's ability to create provoking and trustworthy writing to be successful, rather than relying on an existing brand's official communications. Since phishing relies on FUD - fear, uncertainty, and doubt - to push the victim to act, bulk phishing needs to employ this strategy expertly to succeed with a broad audience. Any indication that the author is not who they appear to be, whether through the unexpected use of language, visuals, or overly dramatic threats, breaks the illusion and renders the attack ineffective.
Bulk phishing emails are not personalized; they reference general information only vaguely connected to the victim. Bulk phishing emails can also operate by giving a notice or alert that an issue with a customer's account exists or that suspicious activity has been detected. The recipient is assumed to be a customer of the company contacting them, either targeted at random or contacted because of recent account activity. Recurring themes in bulk phishing include incorrect account information, unauthorized access attempts from foreign IPs, or unauthorized purchases. Generally, all of these "infractions" amount to a violation of account policies or procedures that requires urgent attention, or the victim's account will be terminated. A great example is this eBay email here, informing the victim their account is suspended due to a policy violation.
While the above email reads like a personal letter, it appears to have been sent directly from one of eBay's Certified Information Privacy Professionals. I assume a non-performance infraction is related to not fulfilling orders. Still, it's unclear precisely what that means, which generates curiosity to click on the link in the email. Most emails like this have their form complement the content, with business emails generally looking like formal communications. Logo placement and text styling appear to match up to brand standards on most emails. The main ideas of the messages presented - account alerts and notifications - mimic business communication well, but some common errors tend to break the illusion.
In another example from Amazon, the text states: "We will be upgrading our yearly SSL EncryptedServer to prevent fraudulent activity." SSL EncryptedServer looks strange because it is. A quick search of that term pulls up phishing email examples on various forums that look precisely like this one. While a more technically-minded person might see the SSL EncryptedServer and know this isn't how you'd refer to an SSL certificate, phishing emails intend to have the victim respond quickly without much forethought. SSL EncryptedServer certainly sounds enough like an SSL certificate, which is a term most people recognize. The word "encrypted" also appears in this phrase, further creating a safe feeling for the victim. The rationale then is that if the email's worried about fraudulent activity, then the email isn't fraudulent itself. Therefore, the context of security is still "valid," even if we know it's not after deconstructing.
In this phishing email from Blizzard, the situation presented is that the victim's friend has gifted them a new pet in the game World of Warcraft, and they need to claim the pet by logging into their account. Gifts are always lovely, and the recipient might be too excited to notice that the email doesn't even say who sent the gift, only "Your friend." But the telltale sign that this situation is not what it appears is the random question marks inserted into the sentences, making the email look as if it's unsure of itself. Interestingly enough, the company transitioned away from the Battle.net name to adopt Blizzard as its branding in 2016, so this email campaign starting over six months after they transitioned is another red flag.
While the contextual situation may differ depending on the manufactured intent of the email, there's a commonality with bulk phishing in that the reason for contact is usually business communication. The success or failure then of each phishing email is dependent on how well the manufactured intent masks the actual intent. Discovering these contextual markers then is essential for learning how to create more effective training programs to combat more sophisticated phishing attempts in the future.
A bulk phishing email's credibility (ethos) is established with brand logos, legal text, and formal language, and by identifying with the victim through a supposed existing business relationship, which presents the email as legitimate. By addressing the victim as a valued member and highlighting the importance of privacy and security, it creates a sense of trust that allows the victim to let their guard down. There is often a mention that the email cannot be replied to, as it is unmonitored, which is a pretty standard formality in business communications. A common example seen in many PayPal emails is language such as: "Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and choose the Help link located in the top right corner of any PayPal page."
Brand imagery can be an effective way to mask the phisher's intent if the images still load, as it "proves" the email is from whomever the attacker is pretending to be. The downside is that it can also dismantle the operation immediately if crucial images fail to load. Authority is asserted through forceful language, a lack of emotional appeals, and links to or quotations of various company policies. By including company policies, the email shows it's concerned with privacy and the safety of the community. But by appearing unafraid to use legal force or threaten account termination, it creates a detachment that further promotes the phishing email as legitimate communication: the company will use any means necessary to keep itself secure.
While the tone of bulk phishing attacks tends to be formal, they do express urgency and evoke emotional responses through threatening language. For example, this Amazon email issues legal-sounding notices to the victim that they're violating terms of the User Agreement and are at risk of being terminated:
It's curious that an inability to verify personal identification information would be in the same category as financial and legal liability, especially given the assumption that most Amazon customers are buyers, not sellers. Terminating an account due to an incorrect name, address, or credit card number seems to be a bit of an extreme reaction. If the attacker had done less overt threatening and more gentle guiding towards confirmation or reassurance, the attack would raise fewer eyebrows from someone questioning its legitimacy. These heavy-handed stances on company policy are an excellent way to detect that an email may have malicious intent. There's generally no need for a company to be overly aggressive with rhetorical appeals to convince its users that something is wrong.
The language used in the above examples, and in many phishing emails, is irrational once we deconstruct it a bit and consider the context. Why would a company use terminating an account as punishment for unauthorized access attempts that are no fault of the customer? Arguments made in the emails state that the closure would be a security measure and lean hard on presenting shared values of privacy, safety, and maintaining the existing business relationship with the victim. But often the presentation is convoluted and doesn't follow a logical customer-business relationship. Genuine alerts notifying you that suspicious activity has occurred only inform you and urge you to contact the company, without threatening account closure or disconnection.
Sometimes phishing emails will even go so far as to implicate the recipient as a potential cause of a community's lack of integrity. This harmful use of an emotional appeal feeds on the need of certain people to feel "good" or upstanding. Therefore, if the recipient acts on this matter, they retain those intrinsic positive qualities deemed necessary for maintaining their image. It's a complicated use of pathos, but one that indeed feeds on the good intentions of most people.
Emotional appeals surface strongly in this email from eBay, stating they were closing the company due to "repeated abuses on their company." The email instructs the victim to vote in a survey, giving their opinion on whether or not they feel eBay should remain open. At the bottom of the message, it states that the reason the victim received the email is their "good account standing." It flatters the victim's ego, based on their perceived value to the eBay Community. What's interesting, though, is that the email is not personally addressed, merely opening with "Dear eBay Community," even though the email states the "registered name is included to show the message originated from eBay." Even with this oversight, the context provided is a survey. Since surveys engage that dopamine feedback loop after giving positive feedback, it's no wonder they've been used for phishing emails. It's a quick, no-think situation that can easily open you up to compromise. This email is an excellent example of how a quick and straightforward (logical) request, which likely prompted the victim to "log in" to submit their survey response, can open someone to having their information stolen.
Often these emails also use logos (the rhetorical appeal, not branding) to try to reason with the user. Examples of this include statements such as a victim's account information being invalid due to verification issues during payment, which appear to be a straightforward follow-up. But the email's ethos is disrupted when it attempts to make the user feel bad about specific actions, such as being a "bad" Amazon community member for not having their information up to date. It doesn't make sense logically and relies on a "slippery slope" argument, which states that because their data is out of date, they are at risk of having their account terminated. A business would not forcefully shut down someone's account for typing in something incorrectly; it would verify the information instead.
These extreme (and, after examination, unreasonable) threats are successful because fear pushes the victim to act quickly without thinking about what's happening. They could be even more successful if they honed their language towards the organization's standard communicative practices rather than merely fear-mongering. Even so, invoking an emotional response in the reader by jeopardizing something presumably valuable is an effective mode of attack, and one that should be understood further than solely looking for "indicators" on the defensive side.
Most bulk phishing appears as regular business communication, following that genre's form and conventions quite well with minimal emotive language, vague yet formal conversation, and consistent mentions of privacy, safety, and copyrights. What seems to be the biggest issue with these emails is visual inconsistencies that break the simulation they're projecting. The more successful bulk phishing emails operate as a clone phish, which I go into in more detail here. Aside from those, the simulation aspect of bulk phishing is not exactly compelling, as there are often glaring formatting and grammatical errors that take away from the presentation of the message. Since many of these bulk emails are meant to replicate official business communications, the improper use of language is an instant break in the illusion.
Note both the improper plural in "billing informations" and the use of "either," which implies a selection between only two things, to introduce a list of three. Another example where a phishing email's disguise is quickly dismantled by poor grammar and images in the wrong places is found here:
Knowing that a bank has a reputation to uphold as a professional and trustworthy organization, it would never communicate with its customers using improper grammar or haphazard paragraph formatting for an account warning. The email serves as a "warning," which implies that the customer has done something wrong. If the communication were legitimate, it would most likely be sent as an "alert," suggesting the situation is not the customer's fault. The combination of poor grammar, locking the account due to multiple sign-in attempts, and a new verification process added to protect the customer after they've already been compromised is too extreme a response given the context. A more blatant giveaway is seen here, with the use of a plain text logo:
Since these emails intend to phish, and not to inform or protect, they sometimes simulate legitimate links or information with the malicious link (the real intention) hidden underneath. Often the email's "From:" field appears to originate from a legitimate source, but the actual email address is something completely different. My favorite example I found in the Enron Dataset was sent from Trashcan G. Straitjacket, representing Chase from the address email@example.com.
It's evident that an email sent by someone named Trashcan G. Straitjacket is not a real email from Chase Bank, but the language used in the email was business-like enough that those details may have been overlooked. Deconstructing the message into what it's actually saying, we can see the obfuscation of meaning easily:
"Your account access has been limited due to not having enough information in your account. However, your account is limited due to us making sure that an unauthorized third party didn't access you, so to be safe, we limited your access. (Remember, your access is limited now!) Here's a Case ID. We're responsible for your security at Chase. We want you to be safe, so click in this red box to make it better. Thanks!"
Intentionally confusing, possibly scary, and convincing enough if you're not reading it carefully.
The above email from Chase is a good attempt at simulation, especially with the included IP. A quick search on the IP address shows that it's from the Netherlands, and if the victim searched this IP, it would only make the simulation more real, presuming that they are not from the Netherlands. We can infer this was the goal because this example was sent to an employee at Enron, an American company, but since it was a bulk email, there is no telling whether this was the intended effect. By simulating that the attacker is someone trustworthy, or provides trustworthy information, the phishing email becomes legitimate in the victim's eyes, even if it's not.
Bulk phishing relies on the appearance of existing business communications with the victim and the ability to mimic those communications well. The attacks have gotten more sophisticated, and the ability to mask links through services such as bit.ly and others only makes detecting them, by both spam filters and the individual, more difficult. Some attacks use gentle persuasion, but most bulk phishing attempts are aggressive in describing what the recipient has done wrong and how to fix it, trying to force the audience to act on impulse. Other times they're neutral and informative, attempting persuasion through the presentation of facts with an easy solution, such as the account becoming locked due to multiple incorrect login attempts or a recent order failing due to billing information.
Overbearing threats of closure, compromise, and illegitimacy, with the right combination of persuasive language, make bulk phishing attempts incredibly successful. But while fear-based aggression garners an immediate emotional response, an email that gives a vast audience nothing to think about, with an easy solution presented to them, is a much more effective tactic. The language in the phishing emails that work quickly is what needs to be examined further to understand how they work so efficiently; pointing out the technical failures in an email's construction is simply not enough.
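Two of the technical tells discussed above, a "From:" display name and body that claim a brand while the actual sending domain belongs to someone else (the Trashcan G. Straitjacket / Chase message), and links whose visible text or shortener (bit.ly) hides the real destination, can be checked mechanically before a reader ever weighs the rhetoric. The following is an added example written for this page, not code from the original post: it parses a constructed single-part HTML message with Python's standard library and reports those mismatches. The brand-to-domain table, the shortener list, the sender address `account-team@example.net`, and the `bit.ly/PLACEHOLDER` link are all assumptions made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands a message might claim to speak for, mapped to the sending domains
# we would accept for them. Constructed list for this example only.
BRAND_DOMAINS = {
    "chase": {"chase.com"},
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
    "amazon": {"amazon.com"},
}

# URL shorteners that hide the real destination (bit.ly is the one the text
# names; the others are well-known public services). Assumed list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def registrable_domain(host):
    """Last two DNS labels: 'www.chase.com' -> 'chase.com'. Crude, but
    sufficient for the .com/.ly hosts used in this example."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a href> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(from_value, text):
    """Flag any brand named in the subject/body whose accepted domains do not
    include the domain the mail actually comes from."""
    _name, addr = parseaddr(from_value)
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", text, re.IGNORECASE) and sender_domain not in domains:
            findings.append(f"brand-sender-mismatch:{brand}:{sender_domain}")
    return findings


def check_links(html):
    """Flag shortened links and anchors whose visible text names a different
    domain than the one the href really points to."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        if target in SHORTENERS:
            findings.append(f"shortener:{target}")
        shown = re.match(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
        if shown and registrable_domain(shown.group(1)) != target:
            findings.append(f"link-text-mismatch:{shown.group(1)}->{target}")
    return findings


def analyze(raw_message):
    """Parse a single-part text/html message and return every finding."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = msg.get("Subject", "") + "\n" + body
    return check_sender(msg.get("From", ""), text) + check_links(body)


# Constructed sample modelled on the Chase message paraphrased above: an
# unrelated sender address, a Chase-branded body, and a bit.ly link whose
# visible text claims to be chase.com.
PHISH = """\
From: Trashcan G. Straitjacket <account-team@example.net>
To: employee@example.com
Subject: Your Chase account access has been limited
Content-Type: text/html

<p>Dear Chase customer, your access has been limited for your security.</p>
<p>Restore it at <a href="http://bit.ly/PLACEHOLDER">https://www.chase.com/verify</a>.</p>
"""

# Constructed legitimate counterpart: sender and link both on chase.com.
LEGIT = """\
From: Chase Alerts <alerts@chase.com>
To: employee@example.com
Subject: Sign-in alert for your Chase account
Content-Type: text/html

<p>A new sign-in was recorded. Review it at <a href="https://www.chase.com/help">www.chase.com/help</a>.</p>
"""

if __name__ == "__main__":
    print(analyze(PHISH))
    print(analyze(LEGIT))
```

Run against `PHISH` the checks return the sender mismatch, the shortener, and the link-text mismatch; against `LEGIT` they return nothing. None of this judges the rhetoric the article is concerned with, which is the point: these header and link checks catch the clumsy messages, while a well-written one with a consistent sender domain and an honest-looking link passes them and has to be caught by the reader.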