Top five phishing phrases used by online scammers

Don't think you could be scammed or Trojanised in a phishing scam?

We've all seen attempted phishing scams - if only in the spam folder. But what if you work in accounts and are used to receiving and dealing with invoices, or you really are expecting a package from UPS?

While not new, the problem has intensified with the advent of ransomware, with emails looking like they're from the CEO, or targeting mid-ranking staff in financial services organisations.

According to security company Proofpoint, these are the top lines used in phishing campaigns by cyber scammers - with fake invoices by far the most widely used bait.

1. "Please see your invoice attached"

So-called "money-out" lures are the most popular with phishing attackers by a wide margin, accounting for almost half of all observed phishing campaigns, claims Proofpoint. The invoice-due lure is the most commonly seen, with the benefit for the scammers that it will most likely be opened in corporate accounts departments (or, perhaps, by desperate freelancers).

"Money-out email lures often include a document attachment with embedded malicious code, frequently in the form of a malicious macro that has to be enabled by the user. Running the malicious code downloads and installs malware, often a banking Trojan such as Dridex, or more recently ransomware such as Locky," warns Proofpoint.

2. "Click here to open your scanned document"

Astonishingly, these account for about one in 10 phishing campaigns - astonishing because who scans documents these days?

However, for some these lures have an inherent urgency, coupled with a historic association of fax with phone lines and audio, which aren't naturally associated with malware. And in document-centric organisations, such as banks and other financial institutions, such emails may be quite common.

3. "Your package has shipped - your shipping receipt is attached"

While some of these email lures employ stolen branding from major shipping and delivery vendors in order to create a more realistic and convincing email, others purport to be directly from the vendor, rather than the delivery service.

Shipping notification email lures often include a document attachment with apparent delivery details. When the recipient opens the document, an automated exploit runs or they are prompted to click the 'enable content' button in order to view the document's contents. In either case, this will attempt to install malware on the victim's computer.

4. "I want to place an order for the attached list"

Similar in style and technique to invoices and order confirmations, business transaction email lures differ in that they purport to relate to potential future business, such as requests for price quotes, import and export arrangements, price lists, contracts, and so on.

These will naturally appeal to desperate salespeople: driven by the carrot and stick of commissions and the fear of the sack if they don't achieve targets, very few salespeople aren't desperate at some point during the working quarter.

"These email lures typically direct the recipient to open an attachment - such as a document or spreadsheet - in order to view the details of the request, enabling the attackers to keep messages short and simple while creating a reason for the recipient to open the document and enable its embedded malicious code to run," warns Proofpoint.

5. "Please verify this transaction"

This is a perennial favourite, according to Proofpoint. Phishing emails in this category typically appear to be from a bank or other financial institution and lure the user with news of an electronic or online payment intended for them, payable once they have verified or corrected the account information in the attached document.

Like most phishing lures, it will probably only appeal to a minority - but phishing scammers need only a few hooks in every campaign in order to be able to feed very profitably.
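
For mail administrators, the pattern the article describes (lure wording plus a document that can carry macros) can be turned into a simple triage check. The following is an added example, not Proofpoint's code or detection logic: the regexes, the extension list, the function names and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# The five lure categories come from the article; the regexes are
# illustrative assumptions, not Proofpoint signatures.
LURES = {
    "invoice": re.compile(r"\binvoice\b", re.I),
    "scanned document": re.compile(r"\bscanned document\b", re.I),
    "shipping": re.compile(r"\bhas shipped\b|\bshipping receipt\b", re.I),
    "business transaction": re.compile(r"\bplace an order\b|\bprice (quote|list)\b", re.I),
    "verify transaction": re.compile(r"\bverify this transaction\b", re.I),
}
# Office formats that can carry macros: legacy binary and macro-enabled OOXML.
MACRO_CAPABLE = (".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm", ".dotm", ".xltm")


def triage(raw: str) -> dict:
    """Classify one RFC 5322 message by lure wording and attachment type."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "")
    attachments = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            attachments.append(name)
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            text += "\n" + body.decode(part.get_content_charset() or "utf-8", "replace")
    lures = [label for label, rx in LURES.items() if rx.search(text)]
    risky = [a for a in attachments if a.lower().endswith(MACRO_CAPABLE)]
    # Escalate only when lure wording and a macro-capable document coincide.
    return {"lures": lures, "macro_capable": risky, "escalate": bool(lures and risky)}


def sample(subject: str, body: str, filename: str = "") -> str:
    """Build a constructed test message (all addresses and names are made up)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "billing@example.test", "accounts@example.test", subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    print(triage(sample("Your invoice", "Please see your invoice attached.", "invoice_0001.docm")))
    print(triage(sample("Your package has shipped", "Your shipping receipt is attached.", "receipt.pdf")))
```

Keyword matching of this kind produces false positives on genuine invoices and delivery notices, so the result is best used to route a message for closer inspection rather than to block it outright.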