SSST #34: The Language of Lies

I often take time to warn about phishing attacks, and for a very good reason: THEY’RE EVERYWHERE!

Email scams have significantly surged during the pandemic, exploiting our fear, confusion, and remote working situations. Two million new phishing websites were registered in early 2020, and the hoaxes have further expanded this year.

Instead of stressing consequences or tech countermeasures, today’s tip focuses on the language of lies these “phishermen” spin. A recent analysis covering thousands of bogus emails has identified their most prominent go-to words and phrases, letting us study the vocab for better detection.

Phishing attacks work by tricking us into actions that undermine our security: clicking on links, downloading code, or changing settings to make us more vulnerable. As the deceptive messages must seem legitimate to avoid suspicion, they aim to mimic recognized senders.

That’s why the best ones are tough to spot – they’re crafted like everything else in your mailbox. Yet even sophisticated phishing attacks are still scams at their core and rely upon recognizable tactics.

Hackers use a variety of methods to win our TRUST. They’ll often start by impersonating a known contact (even spoofing web addresses and logos), then use subject lines that sound somewhat familiar. These subject lines will also include URGENT language, prompting us to open the message and complete some ACTION quickly.

The specific words and phrases used will vary by context, but studies show they’re most likely to fall into one of these categories:

Professional Messages

Masquerading as messages from your employer, clients, or service providers, these attempts prey on the desire to be an attentive employee.
Buzzwords: IT Desk, Documents, Request, Invoice, Policy, Urgent, Action, File, Follow-up, Meeting

Security Messages

These emails offer to help with protection (or alert you to hacking) while aiming to corrupt your system.

Buzzwords: Verify, Reset, Compromised, Validate, Suspicious, Update, Login, Unauthorized, Password, Activity

Headline Messages

Using anxiety tied to news of the day, these emails tempt us with promises of important info.
Buzzwords: COVID, Vaccine, Lockdown, Virus, Ransomware, Stimulus, Corona, Checks, Quarantine, Mandate

Personal Messages

Hoping to interest us with social media activity or blend with online orders/interests, these messages often pretend to be from apps or retailers.
Buzzwords: Delivery, Address, Purchase, Tagged, Mentioned, Refill, Account, Expired, Balance, Notification

These buzzwords alone don’t make an email phishy, but they should raise suspicion, all the more so when they’re coupled with phrases that prompt quick action or accompanied by poor grammar and misspellings (many scams originate overseas with non-native speakers).
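
The coupling described above, a category buzzword plus a push for quick action, can be sketched as a subject-line triage. This is an added example, not part of the original tip: the `triage` function, the urgency cues other than "Urgent", and the sample subject lines are constructed for illustration.

```python
import re

# Buzzwords copied from the four categories listed in this tip.
BUZZWORDS = {
    "professional": ["IT Desk", "Documents", "Request", "Invoice", "Policy",
                     "Urgent", "Action", "File", "Follow-up", "Meeting"],
    "security": ["Verify", "Reset", "Compromised", "Validate", "Suspicious",
                 "Update", "Login", "Unauthorized", "Password", "Activity"],
    "headline": ["COVID", "Vaccine", "Lockdown", "Virus", "Ransomware",
                 "Stimulus", "Corona", "Checks", "Quarantine", "Mandate"],
    "personal": ["Delivery", "Address", "Purchase", "Tagged", "Mentioned",
                 "Refill", "Account", "Expired", "Balance", "Notification"],
}
# Assumption: apart from "urgent", these quick-action cues are constructed
# for this example; the tip does not list specific urgency phrases.
URGENCY = ["urgent", "immediately", "asap", "right away", "within 24 hours",
           "final notice"]


def _matcher(terms):
    # Whole-term, case-insensitive match, so "File" does not fire on "Profile".
    alternatives = "|".join(re.escape(t) for t in sorted(terms, key=len, reverse=True))
    return re.compile(r"(?<![\w-])(?:" + alternatives + r")(?![\w-])", re.IGNORECASE)


CATEGORY_RE = {name: _matcher(words) for name, words in BUZZWORDS.items()}
URGENCY_RE = _matcher(URGENCY)


def triage(subject):
    """Return matched categories, urgency cues and a triage level for one subject."""
    urgency = sorted({m.lower() for m in URGENCY_RE.findall(subject)})
    categories = {}
    for name, pattern in CATEGORY_RE.items():
        # A word that is itself an urgency cue does not count as the buzzword half.
        words = sorted({m.lower() for m in pattern.findall(subject)} - set(urgency))
        if words:
            categories[name] = words
    # "review": buzzword coupled with a push to act quickly.
    # "note": buzzword alone, which is not phishy by itself.
    level = "review" if categories and urgency else "note" if categories else "none"
    return {"level": level, "categories": categories, "urgency": urgency}


if __name__ == "__main__":
    # Constructed sample subject lines, not taken from real mail.
    for s in ["IT Desk: password reset required immediately",
              "Team meeting notes", "Profile picture ideas"]:
        print(s, "->", triage(s))
```

A "review" result is a prompt to look closer at the sender and links, not a verdict; legitimate mail uses these words too.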

Ironically, language can be either the camouflage that masks a convincing scam or the flaw that gives it away! Whenever in doubt, don’t click on anything — close the email and independently navigate to verified domains.

To learn all the ways of spotting phishing attempts, make sure your team has security awareness training. Meanwhile, enabling two-factor authentication and monitoring the Dark Web can provide notice and protection if your credentials do fall into hackers’ hands.

Be careful, be alert, and stay safe…and get all the help you can!
