Teach a Man to Phish . . . And Make Him a Millionaire

In his recent Predictions & Unpredictions for 2013 blog post, Return Path CEO Matt Blumberg talked about how brands’ marketing and security functions will need to join forces to fight phishing. One key reason is that phishers and spoofers are continually getting smarter, applying an impressive range of best practices to make their emails ever-more compelling and believable.

Consider this example that I received recently from “Yorkshire Building Society” (YBS):

[Image: YBS Phishing Email]
It is highly effective because:
  • The subject line inspires real concern (especially if you really are a YBS customer!).
  • The “Friendly From” is believable (see inset).
  • The sender domain is correct (because the real sender is spoofing it!).
  • Branding is consistent with the real YBS website.
  • The language is professional sounding and there are no spelling mistakes.
  • There is a strong, visible call to action – “Click My Account Activity”.
  • The disclaimer and contact details all appear to be 100% correct.
I submitted the email to Return Path’s Inbox Preview rendering and content validation tool. The results weren’t good news:
  • It generated a perfectly respectable SpamAssassin score of only 1.5.
  • It only identified one potential spam trigger word – “Disclaimer”.
  • It even rendered well on most major mobile devices!
Worse news for YBS is that this wasn’t just a random, one-off occurrence – it is clear they are under concerted attack. Using Return Path’s Anti-Phishing Solutions (APS) toolkit, it could be seen that the amount of suspicious email activity being sent using this domain has increased by over 500% during the past 30 days. Because of how rapidly these attacks can be deployed, it is essential for brand owners to have real-time access to intelligence that allows them to identify attacks, proactively block them, and then take down the sender.
I then started wondering about the response rates these emails generate, so I used Return Path’s Inbox Insight email intelligence tool to look at engagement levels. This data represents a 90-day snapshot of recent activity:
[Image: YBS Inbox Insight Data]
Key observations include:
  • Nearly 1 in every 20 of these emails successfully bypasses spam filters and is delivered to recipients’ inboxes.
  • The average Read Rate for these emails is 3.66%. This is particularly startling given that:
  1. YBS is a relatively small player in the UK with approximately 1% market share. Assuming that non-YBS customers will almost certainly ignore these emails because they are not relevant, Read Rates for the remainder can be inferred as actually being much higher.
  2. In a number of instances the Read Rate is higher than the Not Filtered rate, implying that recipients are recovering these emails from their spam/junk folders and responding to them!
  • An authoritative report produced by Cisco Systems shows that on average 99% of phishing emails get filtered, with the remainder generating a 3% open rate. This implies the YBS phishing emails are highly effective, outperforming the Cisco benchmark by a factor of 6.
  • Cisco also calculated the commercial impact of a phishing attack at $250 (£155/€190) per compromised recipient. Using the report’s average click-to-open rate of 5%, with 50% of clickers giving up personal data, we can extrapolate the Inbox Insight data to infer an estimated commercial impact in the UK of over £1M per month – for this single scam alone!
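To make the arithmetic behind these observations reproducible, here is an added example (not Return Path’s code, and not taken from Inbox Insight or the Cisco report). It takes the two rates the post quotes per campaign (Not Filtered and Read Rate), applies the post’s own chain – effectiveness = Not Filtered × Read Rate, compared against Cisco’s 1% delivered × 3% opened, then 5% click-to-open, 50% giving up data and £155 per victim – and flags the junk-folder-recovery case where Read Rate exceeds Not Filtered. Message volumes, and any rate the post does not give, are constructed sample values.

```python
"""Campaign-level phishing engagement analysis.

Added example, not Return Path code. Rates for YBS, Lloyds TSB and HSBC are the
ones quoted in the post where given; message volumes and the Not Filtered rates
for Lloyds TSB and HSBC are constructed for illustration.
"""
from dataclasses import dataclass

# Benchmarks and conversion factors quoted in the post (Cisco report figures)
CISCO_NOT_FILTERED = 0.01    # 99% of phishing mail is filtered
CISCO_OPEN_RATE = 0.03       # 3% open rate on the remainder
CISCO_CLICK_TO_OPEN = 0.05   # 5% of openers click
CISCO_DATA_GIVEN_UP = 0.50   # 50% of clickers hand over personal data
COST_PER_VICTIM_GBP = 155    # $250 (about £155) per compromised recipient


@dataclass(frozen=True)
class Campaign:
    brand: str
    volume: int               # messages observed over the period (constructed)
    not_filtered_rate: float  # share reaching the inbox, as a fraction
    read_rate: float          # Read Rate as the tool reports it, as a fraction

    def effectiveness(self) -> float:
        """Share of all sent mail that ends up read: Not Filtered x Read Rate."""
        return self.not_filtered_rate * self.read_rate

    def vs_benchmark(self) -> float:
        """Multiple of the Cisco benchmark (1% delivered x 3% opened)."""
        return self.effectiveness() / (CISCO_NOT_FILTERED * CISCO_OPEN_RATE)

    def recovered_from_junk(self) -> bool:
        """The post's heuristic: Read Rate above Not Filtered rate means recipients
        are pulling the mail out of their spam/junk folders."""
        return self.read_rate > self.not_filtered_rate

    def estimated_victims(self) -> float:
        """Readers who click and then give up data, per the Cisco factors."""
        return (self.volume * self.effectiveness()
                * CISCO_CLICK_TO_OPEN * CISCO_DATA_GIVEN_UP)

    def estimated_loss_gbp(self) -> float:
        return self.estimated_victims() * COST_PER_VICTIM_GBP


# Constructed sample. YBS rates (5% inboxed, 3.66% read) and the Lloyds TSB /
# HSBC read rates are from the post; everything else is invented.
SAMPLE = [
    Campaign("YBS", 2_000_000, 0.05, 0.0366),
    Campaign("Lloyds TSB", 60_000_000, 0.12, 0.1739),
    Campaign("HSBC", 60_000_000, 0.04, 0.0508),
]


def rank_by_loss(campaigns):
    """Campaigns ordered by estimated commercial impact, largest first."""
    return sorted(campaigns, key=Campaign.estimated_loss_gbp, reverse=True)


def report(campaigns):
    """One summary line per campaign, ranked by estimated loss."""
    lines = []
    for c in rank_by_loss(campaigns):
        flag = ("  [reads exceed inbox deliveries: junk-folder recovery]"
                if c.recovered_from_junk() else "")
        lines.append(
            f"{c.brand}: {c.vs_benchmark():.1f}x Cisco benchmark, "
            f"~{c.estimated_victims():,.0f} victims, "
            f"~GBP {c.estimated_loss_gbp():,.0f}{flag}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

With the post’s YBS rates the benchmark multiple comes out at 6.1, matching the “factor of 6” above; the constructed Lloyds TSB row shows the junk-folder flag firing because its Read Rate exceeds its Not Filtered rate.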
Now consider larger players in the UK financial services sector such as HSBC, Santander, and Lloyds TSB. Attacks against these businesses are taking place on a scale that is up to 30 times greater than the YBS example. The following examples further reinforce the levels of gullibility which exist among many email recipients, and explain why phishing is such an attractive proposition to cybercriminals:

[Image: Phishing Example Lloyds TSB]
Spoofed Brand: Lloyds TSB
Date Seen: 29th December, 2012
Subject Line: “Your account benefits all in one place”
Read Rate: 17.39%

[Image: Phishing Example HSBC]
Spoofed Brand: HSBC
Date Seen: 13th January, 2013
Read Rate: 5.08%

[Image: Phishing Example Santander TSB]
Spoofed Brand: Santander
Date Seen: 10th/11th January, 2013
Subject Line: “Funds Was Transferred to Your Account Online”
Read Rate: 5.63%
It can also be seen that even phishing attacks that ought to be less effective still generate remarkably high response rates. Consider the following example, where average Read Rates of over 3% are being obtained, despite the obvious spelling mistake in the subject line!
[Image: Phishing Example HSBC Spelling Mistake]
And before email senders from the non-financial sector get too complacent, let me quickly add that I have seen similar examples from well known retail, telecommunications, and casual dining brands too – the threat is most definitely not sector-specific. I’ll be looking at examples from these sectors in upcoming blog posts.
So what should email senders be doing to ensure that their brands are not being critically damaged by these attacks? Good steps to take include:
  • Read our Anti-Phishing Guide which contains actionable advice on how to achieve brand protection and secure your email channel.
  • Make use of Return Path’s APS suite of tools and services to:

Guy Hanson