The Anatomy of Phishing Emails

Think Before You Click

The Engineering

Before we get into the anatomy of phishing emails, we need to define social engineering. Put simply, it is a scam built by con artists on the same tricks used decades ago, when scams were run on the street and over the phone; today they are still run over the phone, but predominantly through email.

The Radicati Group published a report on the volume of daily emails for 2015 through 2019 (the later years being predictions). In 2015, 205,600,000,000 emails were sent per day, and 2016 came in at 215,300,000,000 emails per day, roughly 5% year-over-year growth, which is predicted to continue through 2019 to 246,500,000,000 emails sent per day. The most recent full year of email data is 2016, and of those 215,300,000,000 emails sent per day, approximately 50%, according to , are spam. Breaking the spam category down further, of that 50%, 36% is advertising, 31.7% is adult-related, financial matters come in at 26.5%, and scams account for only 2.5%. That 2.5% of scam emails consists mostly of identity theft and is devastating to individuals and, by extension, the economy.

Large companies, defined as having 10,000 employees, spend $3.7 million a year combating phishing attacks, per CSO Online's coverage of a Ponemon Institute study. The CSO Online article goes on to say:

The report, which surveyed 377 IT professionals in companies ranging in size from less than 100 to over 75,000 employees, showed that about half of the costs were due to productivity losses.

The average employee wastes 4.16 hours a year on phishing scams.

In addition, 27 percent of the costs was the risk of having to respond to a data breach caused by a compromised credential, 10 percent was the direct costs of addressing compromised credentials, 9 percent was the risk of a data breach caused by malware, and the remaining 6 percent were the direct costs of containing malware.

Regarding the economy, $500 billion a year is lost to phishing scams. An article from states:

From October 2013 to December 2016, the FBI investigated just over 22,000 of these incidents involving American businesses. In total, they saw losses approaching $1.6 billion. That’s roughly $500 million every year being scammed and dollar figures involved have climbed sharply — up 2370% between January 2015 and last December.

No business is immune from BECs, it seems. There have been victims in all 50 states, and for the most part no one segment is targeted more frequently than another. Attackers are, however, giving more attention to parties involved in real estate transactions. Lawyers and realtors remained in the crosshairs, but the Internet Crime Complaint Center received almost five times as many reports from title companies last year.

It’s easy enough to see why real estate phishing is on the rise: large sums of money change hands and there are several potential weak links in the transaction process. Compromising any one of those with a successful phish of account details can give an attacker access to a trusted email address from which to launch the second stage of the attack. The fraudster can lie in wait skimming emails for information about a transaction and then send off fraudulent wire instructions to a buyer, seller, or escrow agent when the time is right.
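The wire-instruction stage of the real estate BEC described above is where a defender can intervene: wire instructions that arrive by email, even from a trusted address, should be compared against bank details verified out of band before any money moves. The Python script below is an added example, not code from the original article or the quoted source. It assumes a hypothetical per-counterparty record of verified bank details (VERIFIED_WIRE_DETAILS) and, as an assumption beyond what the article states, also treats a Reply-To domain that differs from the From domain as a warning sign. The messages and numbers are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed record of bank details previously confirmed by phone with each
# counterparty (assumption: the business keeps such a record). The numbers are
# placeholders, not real routing or account numbers.
VERIFIED_WIRE_DETAILS = {
    "escrow.example": {"routing": "123456789", "account": "000111222333"},
}

ROUTING_RE = re.compile(r"\b(?:routing|aba)\s*(?:number|#|no\.?)?[:\s]+(\d{9})\b", re.I)
ACCOUNT_RE = re.compile(r"\baccount\s*(?:number|#|no\.?)?[:\s]+(\d{6,17})\b", re.I)


def _domain(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def review_wire_instructions(raw):
    """Return the reasons an email's wire instructions need out-of-band verification.

    An empty list means no wire instructions were found or they match the
    verified record. A compromised-but-trusted sender address passes any From
    check, so the comparison against the verified record is the decisive step.
    """
    msg = message_from_string(raw)
    sender = _domain(msg.get("From"))
    reply_to = _domain(msg.get("Reply-To"))
    body = msg.get_payload()
    routing = ROUTING_RE.search(body)
    account = ACCOUNT_RE.search(body)
    reasons = []
    if not (routing or account):
        return reasons  # nothing to review
    # Assumption beyond the article: replies being steered elsewhere is a warning sign.
    if reply_to and reply_to != sender:
        reasons.append("reply-to domain differs from sender domain")
    known = VERIFIED_WIRE_DETAILS.get(sender)
    if known is None:
        reasons.append("no verified bank details on record for this sender")
    else:
        if routing and routing.group(1) != known["routing"]:
            reasons.append("routing number differs from verified record")
        if account and account.group(1) != known["account"]:
            reasons.append("account number differs from verified record")
    return reasons


# Constructed sample: the second-stage message from a compromised escrow mailbox,
# sent when the closing is near, with "updated" bank details and a lookalike
# Reply-To so the victim's questions go to the fraudster.
FRAUDULENT = """\
From: Jane Closer <closer@escrow.example>
Reply-To: Jane Closer <closer@escrow-example.com>
To: buyer@example.org
Subject: Updated wire instructions for your closing tomorrow

Our bank recently changed. Please wire the closing funds to:
Routing number: 987654321
Account number: 444555666777
Confirm by reply once sent.
"""

# Constructed sample: the same counterparty sending the details already on record.
LEGITIMATE = """\
From: Jane Closer <closer@escrow.example>
To: buyer@example.org
Subject: Wire instructions for your closing

Please wire the closing funds to:
Routing number: 123456789
Account number: 000111222333
"""

if __name__ == "__main__":
    for label, raw in (("fraudulent", FRAUDULENT), ("legitimate", LEGITIMATE)):
        print(label, review_wire_instructions(raw) or ["matches verified record"])
```

Any non-empty result is a prompt to call the counterparty on a number already on file, never one taken from the email itself, because the attacker may be reading the mailbox the message came from.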

What Phishing Looks Like

Phishing, and scams in general, are designed to create a sense of urgency, making a person anxious or on edge by presenting a situation with negative consequences if no action is taken.

Things to look for in an email to determine whether it is a phishing email:

  • You are not expecting an email from this person or company.
  • The email is addressed with a generic title instead of your name.
  • The company logo doesn't match the logo on the company's website.
  • The font changes within the email; a legitimate email from a company uses a consistent font.
  • Many words are misspelled.
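The checklist above, together with the urgency cue described earlier, can be turned into a mechanical first pass over an incoming message. The Python script below is an added example, not code from the original article; it is a heuristic screen, not a substitute for reading the email. It assumes a constructed allowlist of expected sender domains (EXPECTED_SENDER_DOMAINS) to stand in for "are you expecting this email", a constructed brand table (KNOWN_BRANDS) mapping a brand named in the sender's display name to that brand's real website domain for the logo check, and a constructed list of common misspellings (MISSPELLINGS) standing in for a spell checker. The two sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist standing in for "are you expecting mail from this sender?"
EXPECTED_SENDER_DOMAINS = {"acmebank.example", "example.org"}
# Constructed brand table: keyword in the display name -> the brand's real web domain.
KNOWN_BRANDS = {"acme bank": "acmebank.example"}
# Constructed list of frequent misspellings standing in for a real spell checker.
MISSPELLINGS = {"acount", "verfiy", "informaton", "permanantly", "recieve", "securty"}

GENERIC_GREETING = re.compile(r"\bdear\s+(?:valued\s+)?(?:customer|user|member|client|sir|madam)\b", re.I)
URGENCY = re.compile(r"\b(?:urgent|immediately|suspended|locked|within\s+\d+\s+hours)\b", re.I)
FONT_FAMILY = re.compile(r"""font-family:\s*([^;"']+)""", re.I)
IMG_SRC = re.compile(r"""<img[^>]+src=["']([^"']+)""", re.I)


def assess(raw):
    """Return the checklist indicators that fire for a single-part HTML email."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    html = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", html)  # crude tag stripping is enough here
    flags = []

    if sender_domain not in EXPECTED_SENDER_DOMAINS:
        flags.append("unexpected_sender")
    if GENERIC_GREETING.search(text):
        flags.append("generic_greeting")
    # Logo check: the display name claims a brand, so the images (including the
    # logo) should be served from that brand's own domain.
    brand_domain = next((d for k, d in KNOWN_BRANDS.items() if k in display_name.lower()), None)
    if brand_domain:
        for src in IMG_SRC.findall(html):
            host = (urlparse(src).hostname or "").lower()
            if host != brand_domain and not host.endswith("." + brand_domain):
                flags.append("logo_domain_mismatch")
                break
    # Font check: more than one font-family declared in the same message.
    if len({f.strip().lower() for f in FONT_FAMILY.findall(html)}) > 1:
        flags.append("inconsistent_fonts")
    words = re.findall(r"[a-z]+", (subject + " " + text).lower())
    if sum(w in MISSPELLINGS for w in words) >= 2:
        flags.append("misspellings")
    if URGENCY.search(subject + " " + text):
        flags.append("urgency")
    return flags


# Constructed sample: a lookalike sender, generic greeting, off-brand logo host,
# mixed fonts, several misspellings and a deadline.
SUSPICIOUS = """\
From: "Acme Bank Support" <support@acme-bank-secure.example>
To: alice@example.org
Subject: Urgent: your acount will be suspended
Content-Type: text/html

<html><body style="font-family: Arial">
<img src="http://cdn.acme-bank-secure.example/logo.png">
<p>Dear Valued Customer,</p>
<p style="font-family: Times New Roman">Your acount has been locked. Please
verfiy your informaton within 24 hours or it will be permanantly closed.</p>
</body></html>
"""

# Constructed sample: an expected sender, personal greeting, brand-hosted logo,
# one font, no urgency.
LEGIT = """\
From: "Acme Bank" <notices@acmebank.example>
To: alice@example.org
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body style="font-family: Arial">
<img src="https://www.acmebank.example/logo.png">
<p>Dear Alice,</p>
<p>Your monthly statement is available in online banking.</p>
</body></html>
"""

if __name__ == "__main__":
    print("suspicious:", assess(SUSPICIOUS))
    print("legit:", assess(LEGIT))
```

Each indicator on its own is weak (a real bank will occasionally misspell a word or declare two fonts), which is why the script reports the list of indicators rather than a verdict; several firing at once is what should make the reader stop and check with the sender through a channel other than the email.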

The most obvious type of phishing email is the Nigerian prince who is looking for someone to hold his money for safekeeping until he can make it out of the country; all you need to do is cover $500 (the amount varies) in fees. Phishing emails can also carry malware embedded in a Word document or PDF, or in a PDF inside a Word document. The malware usually consists of a keylogger, a backdoor, or both, used to steal credentials, enlist your computer in a botnet, or take screen captures.

Other notable types of phishing are:

  • Identity theft
  • Romance
  • CEO Fraud
  • Google Docs
  • Pharming
  • Dropbox phishing
  • Spear phishing

The reality is that many people fall for phishing emails because they lack knowledge of what a phishing email looks like, or because they are emotionally compromised and fall victim to romance scams. If you have any questions about a phishing email or about specific phishing techniques beyond what was discussed here, you can send an email to [email protected].
