The best phishing lures in 2016

Phishing – the practice of tricking an email recipient into clicking on an embedded attachment or URL to infect their computer or steal information – remains a leading threat to organisations and consumers.

This year the biggest phishing campaigns have focused on delivering payloads that can be rapidly monetised, from banking Trojans such as Dridex to ransomware like Locky. Losses from these campaigns continue to mount, from at least $30 million to Dridex in the UK alone to as much as $1 billion globally for ransomware in 2016.

In the 2016 edition of Proofpoint’s annual report, The Human Factor, data examines how attackers are incorporating and automating social engineering to exploit the human factor on a massive scale. Threat actors are now using a variety of social engineering tricks to convince users that their requests for information or money transfers are legitimate.

Global Manager for Email Protection at Proofpoint, Mark Guntrip, said, “Organisations should evaluate how they assess threats, and therefore risk, from scale to impact. If the potential threat impact is large, then the measures they need to take to stop that threat should match.”

Stopping today’s sophisticated attacks requires security intelligence to understand and quantify potential impact. Organisations also need to use that security intelligence to determine where and how they should be allocating resources to defend their brand, people, and confidential information. Here are the top five email lures baiting users.

Please see your invoice attached

“Money out” lures are the most popular with phishing attackers by a wide margin, accounting for almost half of all observed phishing campaigns. The “money out” category of phishing lure uses the expectation that a payment is, or will be due, to trick recipients into opening the email messages and clicking on the attachment or link. The “invoice” lure was the most widely-observed “money out” lure, followed by the “bill” lure, which appeared to be used more often in campaigns targeting recipients in Europe. “Your order” lures are also common in this category.

“Money out” email lures often include a document attachment with embedded malicious code, frequently in the form of a malicious macro that has to be enabled by the user. Running the malicious code downloads and installs malware, often a banking Trojan such as Dridex, or more recently ransomware such as Locky. Locky ransomware has exploded on the scene in 2016: non-existent before its discovery by Proofpoint in February, it accounted for 69% of malware payloads by message volume in the second quarter of 2016.


Click here to open your scanned document – Fax and scan notification lures

Continuing for another year as the second-most common category of email lure, electronic fax and scanned document notifications were observed in about 1/10 of phishing campaigns. These lures have an inherent urgency, coupled with a historical association of fax with phone lines and audio, which aren’t naturally associated with malware. Employees working through a busy day rarely think twice before clicking to open the attached or URL-linked “fax.”


Your package has shipped – your shipping receipt is attached. Shipping and delivery notification lures

Fake shipping or delivery notifications remain popular with phishing attackers as they capitalise on the widespread use of online shopping. While some of these email lures employ stolen branding from major shipping and delivery vendors to create a more realistic and convincing email, others purport to be directly from the vendor, rather than the delivery service.

As more businesses leverage major online shopping and auction sites as their primary online store, it is not uncommon for an item purchased on a store to be fulfilled by a different vendor that may be unfamiliar to the buyer. This makes the recipient more likely to open emails from a “vendor” from whom they did not directly purchase vendor product.

Shipping notification email lures often include a document attachment with “delivery details.” When the recipient opens the document, and automated exploit runs or they are prompted to click the “Enable Content” button to view the document’s contents, in either case, this will attempt to install malware on the victim’s computer.


I want to place an order for the attached list – Business negotiation lure

Similar in style and technique to invoices and order confirmations, “business transaction” email lures differ in that they purport to relate to potential future business, such as requests for price quotes, import and export arrangements, price lists, contracts, and so on. These email lures typically direct the recipient to open an attachment – such as a document or spreadsheet – to view the details of the request, enabling the attackers to keep messages short and simple while creating a reason for the recipient to open the document and enable its embedded malicious code to run.


Please verify this transaction – Financial transaction notification lures

A perennial favourite of phishing campaigners, financial transaction email lures continue to take a more business-oriented tone but have shifted from relying on URLs to leveraging document attachments to deliver their malware payloads.

Phishing emails in this category typically appear to be from a bank or other financial institution and lure the user with the news of an electronic or online payment intended for the recipient, once they have verified or corrected the account information in the attached document.

Instead, opening the document – and running the embedded malicious code – leads the user to infect their machine with a banking Trojan or ransomware – turning the prospective payee into a paying victim.


On the local front, these join phishing emails from the ATO, other government departments, Australia Post, and many more household names. See here for a recent ATO scam.

Leave a Reply

Your email address will not be published. Required fields are marked *