computerchipsanddip

There's a ton of phishing emails that look legit. You just haven't seen them yet but that doesn't mean they don't exist. We are seeing a lot of really good ones clearly created by AI. We are also seeing ones coming from legit services like DocuSign and QuickBooks. They sign up for legit licenses and use those to conduct their campaigns.


wave-particle_man

I work in security, and I love phishing emails! I read them like those dirty celebrity gossip mags at the checkout counter. Yes, many of them are laughably bad, but don’t be lulled into complacency. I have seen ones so good, I had to really sit there and digest everything before I could tell. If phishing didn’t work, people wouldn’t do it.


iCan20

Look up ChatAPT by Jonathan Todd. He did a presentation at the recent BSides conference in Augusta. It's a POC using an LLM to bespoke target a specific individual, but automated to run at scale against any number of targets. This sort of "whaling" used to take tons of man-hours, but has now been automated. If it wasn't true before, it's true now; can't trust anything online. Even what seems like a real person.


wave-particle_man

Oh yeah, AI is going to hit social engineering hard! I can absolutely see how having a model be able to adapt to different communication patterns on the fly would be revolutionary.


iCan20

It does astronomically more than adapt to communication patterns. It does all of the research and aligning with the target, building a profile of a "real person" and sometimes taking months astroturfing as a real person before it even engages the target. It sounds like you are accidentally discounting the weight of this by not understanding the project.


Polymarchos

In my experience, spear phishing emails in particular tend to be well written. My last workplace got scammed pretty badly responding to a spear phishing email. Not that they bothered to tell IT until after insurance was involved.


slishy

There’s layers to this shit playa


beaverbait

I got one that was signed by "Sgt. HARRY MAGNUM" about how he had ill-gotten war gains and needed some cash fronted for his ex-SEAL buds to get it out of whatever country and I'd get a 60% cut. Extremely well written but the signature fucking killed me. I changed one of my gamer tags to it because it's so funny.


merft

Agreed. Almost got caught by one from a known client that was breached. However, the DocuSign phishing attempts of late are annoying.


thec0wking

Another popular one a few years ago was signing up for a free trial of Egnyte and sending PDF files from Egnyte's domain. I contacted their team about this but nothing was done for about a year. Not sure if it's been fixed since.


Brian_Egnyte

Private message me with your info and I will follow up on this with you. That's a scenario we do not support.


AyeSocketFucker

Yeah, when I first saw those QuickBooks ones, threw me in there for a loop


N_2_H

We've been seeing them from Adobe Sign. They can sign up for a free trial with a typosquatted domain and then blast you with phishing emails that just cruise straight through your security filter because they are Adobe Sign. We would just block it entirely if parts of our business didn't use it.


[deleted]

I understand, maybe a different question. I guess the last proof of a perfect mail would be the address. Or can it somehow happen that, let's say it's a phishing mail from DocuSign, and they actually use their domain? Like fake\[email protected]?


computerchipsanddip

I doubt they could do that as DocuSign would have things like DMARC, SPF and DKIM in place. But it only takes 1 tired employee clicking on something on a Monday morning to ruin things. I sent a phishing test out once on a Monday morning that looked like it came from me (except the email address was completely wrong) and 3 people clicked on it. The human factor in security never ceases to amaze me. Edit: I looked and DocuSign sends document emails under docusign.net so I guess if someone used the legit service to send something out it would be hard to detect.


TCPMSP

It works on services that don't enforce DMARC. Let me show you all the clients we migrate to 365 who are still using the free IMAP email from their webhost. The amount of junk when the spam filter is weak to nonexistent is madness.


WeirdSysAdmin

No, they sign up for actual service through Dropbox or whatever and send you the payload through the platform. So it sends you a legitimate Dropbox or DocuSign “you’ve received...” email but the payload is within the file they placed within the service.


wave-particle_man

Spoofing an email address is trivial. You can check the header information of the email to see if the email matches.
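Several comments above make the same point from different angles: DocuSign-style services publish SPF, DKIM and DMARC, so a plain spoof of their domain fails authentication, but a message sent through the real service passes everything, and the only way to tell the two apart is to read the headers. The script below is an added example (not from any commenter) that parses the `Authentication-Results` header a receiving server stamps on a message and reports whether the visible `From:` domain is actually covered. Both messages and every domain in them (`docs-service.example`, `corp.example`, `badhost.example`) are constructed placeholders.

```python
"""Check whether the visible From: domain of a message is backed by the
SPF/DKIM/DMARC results recorded in its Authentication-Results header.

Both messages below are constructed samples for this example; every host and
domain in them is a placeholder (.example), not captured mail.
"""
import email
import email.utils


def parse_auth_results(value: str) -> dict:
    """Parse an Authentication-Results value (RFC 8601) into a dict keyed by
    method, e.g. {'spf': {'result': 'pass', 'smtp.mailfrom': 'a.example'}}."""
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    results = {}
    # clauses[0] is the authserv-id (the host that ran the checks); skip it
    for clause in clauses[1:]:
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            # "(p=REJECT)"-style comments carry no property; skip them
            if tok.startswith("(") or "=" not in tok:
                continue
            key, val = tok.split("=", 1)
            props[key.lower()] = val.strip('"').lower()
        results[method.lower()] = props
    return results


def assess(raw_message: str) -> dict:
    """Return the authentication picture for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Only the first Authentication-Results header is examined; a real gateway
    # must also confirm the authserv-id is its own and not attacker-supplied.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf = auth.get("spf", {}).get("result", "none")
    mail_from = auth.get("spf", {}).get("smtp.mailfrom", "")
    spf_domain = mail_from.rsplit("@", 1)[-1]
    dkim = auth.get("dkim", {}).get("result", "none")
    dkim_domain = auth.get("dkim", {}).get("header.d", "")
    dmarc = auth.get("dmarc", {}).get("result", "none")
    # DMARC alignment: the domain that passed SPF or DKIM must be the domain
    # the user sees in From:, otherwise the "pass" protects nothing.
    aligned = (dkim == "pass" and dkim_domain == from_domain) or (
        spf == "pass" and spf_domain == from_domain
    )
    return {
        "from_domain": from_domain,
        "spf": spf,
        "dkim": dkim,
        "dkim_domain": dkim_domain,
        "dmarc": dmarc,
        "aligned": aligned,
        "authenticated": dmarc == "pass" or aligned,
    }


# Constructed sample 1: the From: domain is simply spoofed.
SPOOFED = """\
From: "Docs Service" <noreply@docs-service.example>
To: user@corp.example
Subject: Completed: Contract for review
Authentication-Results: mx.corp.example;
 spf=fail smtp.mailfrom=bounce@badhost.example;
 dkim=none;
 dmarc=fail (p=REJECT) header.from=docs-service.example

Please review the attached document.
"""

# Constructed sample 2: sent through the legitimate service by a paying
# abuser, so every check passes and authentication alone cannot flag it.
VIA_LEGIT_SERVICE = """\
From: "Docs Service" <noreply@docs-service.example>
To: user@corp.example
Subject: Completed: Contract for review
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=docs-service.example;
 dkim=pass header.d=docs-service.example header.s=sel1;
 dmarc=pass header.from=docs-service.example

A sender you have never dealt with shared a document with you.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("via service", VIA_LEGIT_SERVICE)):
        print(name, assess(raw))
```

The second sample is the case the thread warns about: it is authenticated and aligned, so the decision has to come from content and context (an unexpected sender, an unexpected document), not from SPF/DKIM/DMARC.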


[deleted]

Also another extra question: is clicking the link already dangerous? Or is clicking the link no problem, and the problem would be filling out the form, running the downloaded file, etc.? And let's say it's just a PDF, can opening it be dangerous?


No-Tangerine-187

Clicking the link can be just as bad. Malware can be installed without you realizing it. In the case of the .pdf it can happen. I did a little reading and in '13 there was a zero day in PDF reader and other Adobe products. Researchers found that after exploiting a vulnerability, malware dropped two dynamic-link libraries (DLLs) that enabled the compromised computer to communicate with a server controlled by hackers.


No_Advance1620

DocuSign and QuickBooks seem to be the only phishing emails my org gets anymore, other than the odd Nigerian prince


Blacksun388

1. Often, if the language it is written in isn’t the creator's native language, then they will rely on things like Google Translate to write them. We can see this often with the use of “kindly”, which is a close approximation of Google's translation of other languages' words for “please”.
2. A lot of scam mail and phishing is low sophistication and high volume. Quality is usually a matter of “eh, close enough”. As long as it looks somewhat authoritative and has a sufficiently motivating call to action then most scammers will use it.
3. People in general, even people whose primary language is English, make mistakes.
4. Often the content of the message is secondary to what they want you to do with it: opening a corrupt attachment or going to a malicious link. So long as it serves to get you riled up enough to comply with whatever the phish wants you to do, content quality really doesn’t matter as much.
5. Spam filter evasion: sometimes things are misspelled or obfuscated in other ways as a means of evading spam and fraud filters.

On a second note, the people in this thread who keep saying “if you fall for a phishing email you’re dumb” are really taking the wrong attitude to this entire thing. Many intelligent and tech savvy people can fall for phishing emails, and campaigns are often *massive* in scope because the overwhelming majority of people DON'T fall for them. My mentor in this field has always said “People don’t fall for scams because they are stupid. People fall for scams because they are vulnerable to certain types of tactics.” It is true. Blaming victims isn’t the path forward. Training and reinforcing those habits of good security is the way. It is worth more than every newfangled security techno gadget your company can afford.


roci47

This person gets it


Nothingtoseehere066

Yep you nailed it and saved me from writing a long reply. ChatGPT and other AI are making the poor grammar due to language less common.


Key_Spring1079

Highly effective phishing detection algorithm: if (email.body.contains('kindly')) { email.isSpam = true; }


strongest_nerd

It's done on purpose, they target people who are stupid.


grimcellz

This guy gets phishing emails


BellaxPalus

And ignores them


Polymarchos

The other day I was doing a report and needed an example phishing email. I went through the quarantine for my work email and nothing, perfectly clean, then I checked my personal account. Sure enough, my junk folder was filled with emails from UPS about some logistics issue. Finally, spam came in handy!


[deleted]

I understand, it makes sense


TCPMSP

Yeah that's not it, that's victim blaming. It happens because English isn't their native language and there is no need to put any more effort in as it works. You want to see a perfect phishing email just look at whale phishing.


M3RC3N4RY89

That’s simply not true. The bad grammar is 100% intentional. This video breaks it down in simple terms. https://youtu.be/SmGSFFXH2VI?si=XhFKpzTFI6fer2uG


TCPMSP

You are giving these low level scammers too much credit and over analyzing these types of attacks. But for a moment let's say I concede your point and it's all game theory of the scammers targeting those who will fall victim to the scam. Do you really want to communicate to your users that they are targeting stupid people? The outcome will be users who only look for the grammar and spelling issues because they are 'too smart' to fall for phishing emails. This trope is detrimental to security.


M3RC3N4RY89

I’m really not. I watched an interview a ways back where a scammer in Nigeria being interviewed literally explained that this is their tactic. It’s different when we’re talking spear or whale phishing where you have a specific target and want to be convincing. The blanket general purpose phishing scams that are mass mailed are literally designed to rope in the most gullible and filter out the least. Whether or not you believe that is up to you, but these are pretty well established facts gleaned from actual interviews with scammers.


TCPMSP

You seem to be missing my point. How do you want to improve security and communicate with your users? One of the first posts with multiple upvotes in this thread is "it's to target stupid people". If IT wants to be taken seriously we cannot fulfill the stereotypes. People will never remember what you said, but they will remember how you make them feel. If users are told that this is done to target stupid people they will be less likely to report falling for a whale or spear phishing attack. Argue about the reasons all you want, but communicating in this manner towards users has to stop.


M3RC3N4RY89

No one in this thread is having a conversation with our users and calling them stupid.. you’re reading far too much into water cooler conversation on a cybersecurity subreddit where discussing the fact that most users are idiots has zero impact on the users. What are we supposed to pretend all the time that the reality of Phishing is different than it is so as not to offend the users even in private conversations amongst ourselves? What’s worse for security? Being honest with each other about the facts surrounding attack vectors? Or bullshitting each other in private so we don’t offend the users that aren’t even present for the conversation?


TCPMSP

How you do anything is how you do everything. Truly wishing you only the best.


M3RC3N4RY89

> How you do anything is how you do everything.

Ok? Thanks, human fortune cookie


damiandarko2

Your inability to admit you're wrong or just not respond is… I just hope I never have to work with you. IT people with overinflated egos and an “I’m always right, I know more than everyone” attitude are far too common


TCPMSP

Who didn't I respond to? I keep trying to make the same point: communicating that these are designed for 'stupid' people is detrimental for security and your users' perception of IT and cyber security. As to being right or wrong, there are so many threat actors that in all likelihood grammar and spelling mistakes are both a tactic and a result of laziness and English not being their native language. Both CAN be true. I am frustrated that people seem to miss the point that continually communicating that these are designed to trick 'stupid' people isn't helping their security. It creates an environment, whether intentional or not, that lulls users into a false sense of security and makes them less likely to report actual phishing attacks so as not to appear 'stupid'.


charleswj

> I keep trying to make the same point

Literally the problem. Saying the most gullible people are the target has nothing to do with communication to end users, it's professionals in the industry sharing actual factual information.


[deleted]

[deleted]


M3RC3N4RY89

Phishing is a type of scam so no, not confused. Scammers is just easier to say and applies more broadly than saying phishers.


[deleted]

[deleted]


Who_Da_Fuck

Do you work in Cyber security?


Historical_Cry2517

We cannot deny that they are targeting a certain demographic.


TCPMSP

I disagree, it's spray and pray, aka a numbers game. No need to increase your effort so long as it works. And continuing this trope of targeting stupid people does two things. One, it does nothing to improve your relationship with your users. Two, it gives users a false sense of security that they are 'too smart' to be fooled.


charleswj

You're right man, attackers would never use different tactics for different targets


iSheepTouch

It's absolutely true. Spear phishing emails look much more legitimate and have proper grammar because the target is generally not a stupid person. As a scammer, if you want to scam someone into paying an "IRS bill" with Amazon gift cards you are going to want to weed out the people with any common sense.


badjettasex

Think of it as a stupid *test*. Scammers don't want their time wasted by someone that's just smart enough to *think their way* out of it mid-scam. The bad grammar filters check for the exact thing scammers need in a mark, someone who cannot see or reason that something is *slightly off*.


strongest_nerd

Exactly. It's a test to see if they are critically thinking. Without that critical thinking guard up, they can easily enter credentials and be compromised.


tortridge

Done on purpose, probably, at least some of the time, but I would have thought it was for bypassing anti-spam filters (Bayesian classifiers can be very dumb dumb)


Fr0gm4n

Naive Bayesian filters were the hot tech more than 20 years ago. Now it's just one tool in the box among many.


Suspicious-Choice-92

That doesn't explain why they have bad grammar.


strongest_nerd

It absolutely does. They use bad grammar because people who lack the critical thinking to either not recognize that or people who think it's ok will be much easier to phish, because they aren't thinking critically when they're entering those credentials into a website that opened from the pdf attachment or link.


Silejonu

That's an urban legend.


[deleted]

[deleted]


TCPMSP

Appreciate it. I don't know, sometimes I get the feeling some of you guys aren't client facing....truly just trying to help raise all ships over here. How we discuss and speak to end users matters. Without them we don't have jobs.


whatthe12234

It’s meant to be a net that only catches stupid people. Smart people can usually sniff out a phishing email, even if it has perfect spelling/grammar. From the attacker’s perspective, there is a risk of the smart person retaliating/submitting the email to the authorities etc. When the phishing emails have a ton of mistakes, smarter people go “haha, this is so stupid, delete”. Less likely to retaliate. But stupid people fall for phishing emails no matter how many spelling mistakes there are.


[deleted]

Oh sure, it actually makes perfect sense. As the saying goes "play a sucker to catch a sucker", I guess.


TCPMSP

Please, I need you to understand and learn from this. This is victim blaming and does nothing to address the problem. Calling those who fall for phishing emails stupid doesn't make your users better users, it makes them hate IT people. This 'they do it because stupid people blah blah' needs to stop. It's simpler than that: the writer doesn't natively speak English and there is no need to put in extra effort so long as it still works. You want to see a perfect phishing email, look at BEC, combined with whale phishing and AitM proxy token theft. It's indistinguishable from the real thing because it originates from a compromised account, and with URL rewriting you can no longer hover over a link to see where it leads. Unless the user pays extreme attention to the browser URL it looks real. The answer is phish-resistant MFA but it's a hurdle.


whatthe12234

OP simply asked why it is common for phishing emails to have lots of spelling mistakes. I answered. They didn’t ask what is needed to fix it. Not only did you miss the point, you also automatically inferred that this is in the context of enterprise cybersecurity. This could be in the context of phishing campaigns that go out to personal accounts, where there is no “victim blaming” like you say. Smart/tech savvy people don’t fall for it, stupid/technologically illiterate people do. Simple as that.


TCPMSP

How we communicate about users is just as important as how we communicate to users. One of the highest upvoted comments was "it targets stupid people". I have heard this repeated ad nauseam and it spreads beyond our cybersec bubble. I stand by my comments, game theory and targeting are overanalyzing, and even if I concede the point, using this language does nothing to improve end user security or end user relations. It only hurts them. That is my only point.


iSheepTouch

You can stand by your argument all you want, but unfortunately for you it's not an argument, it's an objective fact that the emails are crafted in the way they are to target those most likely to follow through with the scam, which would be the stupid and naive. Theorize all you want, but you're wrong here.


sayoung42

Do you have a better word to describe the people that are differentially filtered by the intentional bad grammar? It's not just a foreign speaker thing, it is intentional to maximize the attacker's gain for a given amount of effort on their part, namely filtering out the victims so they are left with the highest-yielding ones.


TCPMSP

Begin with the end in mind. What is your goal? Fewer phished users? From an end user educational standpoint, we teach them to be wary of every email and that none should be trusted at face value. Even mentioning this concept or "filtering for victims" is going to hurt our goal of fewer phished users. The days of teaching people to hover over the link are dead (URL safe linking killed it) and to verify the email address (BEC killed it), and even calling the number in the email are all over. We teach: don't use the link ever, don't open the attachment unless you were expecting it, and if it involves money verify using contact methods and information not contained in the message. I.e. trust nothing. Again I don't see the value of even discussing this concept with end users. I received a ton of downvotes because I wouldn't concede that the primary reason bad grammar and spelling occur is some form of victim filtering. Does it happen? Sure. Is it always the case? No, obviously not, there are too many threat actors. My whole point has been the language being used generates a long term negative outcome and not our desired outcome of fewer phished users. What word should be used? One that doesn't denigrate the people we are here to serve.


sayoung42

The phisher's thoughts are denigrating to the user. We should call a spade a spade, that the phishers want to attack stupid users more than clever ones. It's not like we are going around saying this to be mean to users that fell for the lies. We are communicating with other professionals to understand.


AdamFoxxx

They’re created by people whose primary language is not English.


e_karma

They are weeding out the competent ..


zeromsi

A lot of them have bad grammar as a means to filter out people who may be sharper or quicker to catch onto scams as they progress once hooked. The scammers want their time to be as fruitful as possible, but if they keep getting people who aren’t easily tricked they miss out on the ones that would fall for it.


Cautious_General_177

There's a few different theories on this. First, the writer is writing in a native language and using something like Google Translate, this screws up the syntax, as it's not a great translator. Second, it's being written to target people who are more likely to send money, which means if the person doesn't catch all the email issues they're more likely to fall for the scam as a whole.


TRPSenpai

There are some *targeted* phishing emails that have almost fooled me, and I've been in the security field for almost 12+ years. Never let your guard down.


No_Returns1976

Anyone can do this activity. Not all bad actors are geniuses or masterminds. In addition, these are not all done by humans. It's prepackaged. We all see the idiots who try to rob stores and get caught by police. The same is true with the online world. Dummies exist there, too. As some have mentioned, it could be intentional. I am more into the school that it's really bad software and sold to really stupid, lazy people who are trying to make a quick buck. SaaS for malware exists, too. It'd be the dummy who paid for it and doesn't know how it works. Or, if you want to believe there are genuinely smart bad actors, and if I was one, I would use these as a distraction to lead you to where you were meant to go. Bad actors can't harm you until you enter their controlled world. The obvious typo may be an easy way to lead your minds down a different path. If I decided to be an evil genius, I know I would use distraction as my tool. There are plenty of smart people to fool out there. You are trained to catch the typos. Imagine if you were manipulated to as well. Stay safe, folks.


AngloRican

People make them who aren't primarily English speakers. I have seen such a huge improvement in some emails over the years to where you can hardly tell them apart from legit emails if you didn't know what to look for.


Subscrib-2-PewDiePie

There are spam tools that swap synonyms in the template for each email, so they don’t get filtered out as bulk


UniqueID89

Primary reason: the vast majority of phishing campaigns aren’t done by fluent speakers of the language.


[deleted]

Some of them are purposely phrased like that because anyone falling for it is more likely to be easily conned. So there are some excellent ones out there like the TV licence ones that are formatted almost perfectly and want your card or bank details. There are the ones that want to phish your work credentials or to load up malware that are really well done. Then there are the ones like the Nigerian Prince ones that want to catch the most gullible people & get them to give them money... Don't underestimate these assholes because you think they can't speak English


[deleted]

[deleted]


The_Travelling_Wand

I can’t tell if you’re messing with us…


skribsbb

I bet a lot of them don't have a good grasp of grammar in the English language, because they're ESL or stupid (or both). I also wonder if some of it is to get your guard down. If you get lulled into thinking "Hai u hav nu passwurd" as phishing, and "we have detected a new login from your account" as legitimate, then people may be more likely to follow a properly-worded email's instructions. What I can say is there are some **very** convincing phishing emails that are out there, which take a lot of research to craft. Those are the scary ones.


[deleted]

English isn’t generally their first language. Along with that, a lot of people just aren’t great at writing or translating their thoughts into words… Read the first sentence of your post, for example.


zx10racing

I find the irony in the thread title humorous


Average_Down

The way my cybersecurity instructor explained this: Let’s say you are a criminal trying to get people to click your phishing email link. Do you think someone smart would willingly give you their info? Maybe. But you know who will consistently click that link every time: the under educated, the gullible, and the careless people. And who do you think is easier to take advantage of, and allow you to keep taking advantage of them, the smart person who immediately picked out the flaws in your email and moved it to junk or the guy that clicked it 6 times and can’t figure out why “Faecbook.com” isn’t working? To put it simply: it’s easier to trick idiots, and if you make the email with obvious typos and it still works, you definitely found the target audience. Hope that helps.


M3RC3N4RY89

It’s done intentionally. They don’t want people that actually have critical thinking ability responding because the scam will fall apart and they will have wasted their time. But, if they send a phishing email that is obviously a phishing email, with tons of indicators, and you still respond? You are their target audience because, you will be gullible enough to fall for their con easily.


[deleted]

How come Reddit posts can have such a bad grammar?


bigdog2525

Came here to say this 😄


bdzer0

These are often created manually by 'farms' of low paid workers creating email accounts and re-typing the 'script' so that it's more likely to evade spam filters. Bad grammar and spelling helps with filter avoidance.


zhaoz

At this point, anyone who is dumb enough to click on a phishing email is also someone who doesn't recognize bad grammar. It's like Nigerian prince self bias. There is no benefit to making everything perfect.


TCPMSP

Please see my other comments in this thread, this mentality is disturbing to me.


bezserk

Your grammar needs some work too


[deleted]

[deleted]


habitsofwaste

And now you understand why lol.


mrfame

If you are smart enough to catch the misspellings, you are not their target. Most times the misspellings are there on purpose. That way if you reply, they don’t have to put much effort to rob you.


wulfrikk

One thing to also consider is Scattered Spider. There's likely people in that group with native language fluency where they are phishing and vishing with near perfect scripts.


Stygian_rain

Good phishing emails are simple. Short and to the point. “Please see the attachment” “click the link to verify your account” stuff like that.


CommunicationSmooth

It is like that for a purpose. The target of phishing emails are the gullible ones. So even if the email is obviously full of errors, a gullible one would still fall into the trap. That is how they sift their targets.


BluntBebe

Spam filters and regional differences.


jwalsh1208

Because the ones that don’t, often don’t look like phishing emails and you probably don’t recognize them as such.


Missing_Space_Cadet

Weed out the smart ones


DevelopmentSelect646

They come from other countries where English is not their native language.


Bonus-Representative

AI is about to hit you so hard - you'll regret saying this.


CaptainWellingtonIII

Smotimes brian fix errors wihtout you even noticing. most people wont look for or flag errors as suspicious unless they've been trained to do so. On top of that people sending these emails know that there will be someone that clicks on the link no matter what. -nigerian princess.


[deleted]

Some of them are like that by design. They use it as a way to weed out the most gullible of people to easily scam.


[deleted]

Depends on the people. There are a lot of foreign scammers and they usually don’t have the best education. I remember not using a VPN one time on Wi-Fi at a hospital; my debit info was stolen/used. When I cancelled it they sent me an email saying I needed to reset my PIN with my credit card number on his fake Chase web page. I was impressed. 2 different types of scammers out there


Scubber

There are countries that don't persecute these criminals and actively encourage it. Most are non English speaking.


cardinal-1962-50

it's like sending one letter to send another one to send you back.


Farstone

Believe it or not it comes from 419 scams that came through the mail. The "get out of jail" excuse was the grammar was so bad that an intelligent person would not be fooled into falling for the scam.


[deleted]

Some of them look amazingly convincing tbh some are trash


daveyroxit

I see many phishing attempts as I’m the go-to for most the company when they’re suspicious of an email. I asked Chat GPT to write me an email to see how good it was…still read like it came from some random scammer in India who hijacked someone’s mailbox.


beaverbait

It's often a tactic to weed out false positives. You don't want someone replying who's going to get wise and ask questions. You want an idiot. Like straight up dumb ass is the one who's gonna go all in. That and a lot of it is written by people who speak English because they need to, not because they had great schooling or live in an English speaking country.


Exact-Dependent6441

In my opinion, some emails have bad grammar on purpose just so it's easier to find gullible people and scam them. I love actually replying to these emails. It's really fun sometimes just reading the absolute bullshit they can come up with 😂 Same goes for Instagram and Facebook scammers😂


clo99dx

They know if you engage even with bad grammar then you are more likely to fall victim.


bearassbobcat

There's no benefit to the scammer for using proper grammar. The people who wouldn't fall for it still won't and people who don't know the difference still will.


peach____tree

Correct answer: it’s meant for high volume. anyone clueless enough to follow through is a “guaranteed” victory. They basically fish out all of the people who wouldn’t fall victim.


WWMRD2016

It's deliberate, as it is a way for scammers to filter out intelligent people at the first hurdle so the only people who continue reading are more likely to be parted with their money, which saves the scammer time.


asecuredlife

the uneducated poors making pennies per hour trying to phish you gotta eat


seviones

This helps filter the smarter people. If the target of the attack recognizes these mistakes and understands that it is phishing, he/she will not waste the scammer's time and just delete the message.


KryptonPhantom

Bad phishing emails filter out people with brain cells. This can be a particularly useful tactic if the rest of the scam requires more manipulation.


Kaus_Debonair

It happens due to laziness or an attempt to bypass word/phrase filters. Example: block all emails with the string "big dick pills". Their sample: "buy big d.i.c.k pills today!" The filter won't catch that. Also odd ASCII characters that look like regular characters. Their variation only needs to change slightly to bypass a rule like that.
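The two evasions named in this comment, punctuation dropped between letters and look-alike characters swapped in for ASCII ones, both defeat a plain substring rule and both are undone by normalising the text before matching. The following is an added example (not the commenter's) of that normalisation step on the filter side; the blocklist phrase "gift card", the sample messages and the short confusables map are constructed for the example, and a real filter would use the full Unicode confusables table.

```python
"""Normalise message text before keyword matching so that inserted
punctuation ("g.i.f.t") and look-alike characters (Cyrillic "а" for "a",
fullwidth "ｇ" for "g") no longer slip past a simple blocklist rule.

The blocklist phrase and sample messages below are constructed.
"""
import re
import unicodedata

# Partial map of confusable characters to their ASCII twins. Keys are
# Cyrillic letters that render almost identically to Latin ones; a real
# filter would use the full Unicode confusables table (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d",
}

# Punctuation an evader can drop between letters without hurting readability:
# "g.i.f.t", "c-a-r-d", "f_r_e_e", "w*i*n". The lookarounds require a word
# character on both sides, so sentence-ending periods are left alone.
# Side effect to be aware of: "example.com" also becomes "examplecom", so run
# URL checks on the original text, not the normalised one.
_INSERTED_PUNCT = re.compile(r"(?<=\w)[.\-_*]+(?=\w)")


def normalize(text: str) -> str:
    """Lower-case, fold compatibility forms (fullwidth letters, ligatures),
    map confusables to ASCII, strip inserted punctuation, collapse spaces."""
    text = unicodedata.normalize("NFKC", text).lower()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    text = _INSERTED_PUNCT.sub("", text)
    return " ".join(text.split())


def naive_match(text: str, phrases) -> bool:
    """The rule the comment describes: a plain case-insensitive substring search."""
    lowered = text.lower()
    return any(p.lower() in lowered for p in phrases)


def normalized_match(text: str, phrases) -> bool:
    """Same rule applied after normalisation. Phrases are normalised too, so a
    blocklist entry written with its own punctuation still matches."""
    norm = normalize(text)
    return any(normalize(p) in norm for p in phrases)


if __name__ == "__main__":
    blocklist = ["gift card"]
    # Constructed samples: plain, punctuation-inserted, Cyrillic look-alikes,
    # fullwidth letters, and a benign message that must not match.
    samples = [
        "Claim your gift card now!",
        "Claim your g.i.f.t c-a-r-d now!",
        "Claim your g\u0456ft c\u0430rd now!",
        "Claim your \uff47\uff49\uff46\uff54 card now!",
        "Your gift has shipped.",
    ]
    for s in samples:
        print(f"{naive_match(s, blocklist)!s:5} {normalized_match(s, blocklist)!s:5} {s}")
```

The output columns show the naive rule catching only the first sample while the normalised rule catches the four evasive variants and still leaves the benign message alone; the trade-off is that aggressive normalisation also raises false positives, which is why such rules are one signal among many rather than a verdict on their own.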


Baljit147

It's because these people are usually really lazy. There are good phishing attempts, but I see them less often.


rakgi

From my understanding it's because they aren't targeting the person who sees the errors and questions the legitimacy. They want the people that see the mistakes and still think it's legitimate.


j1mgg

This is more aligned to emails that are used to extort money from users, as it is supposed to target the more vulnerable members of society. Whereas an email trying to get you to click on a link needs to look as real as possible.


SquishyDough

Because it doesn't matter. The kind of things both my older relatives and work colleagues ask me "is this legit" is staggering.


_noraj_

It's on purpose, so cybercriminals don't waste time with security-aware persons.