To learn more about trends in the phishing and spam email landscape, our analysts created accounts for fake email addresses that were posted on the darknet. These addresses were mainly sourced from combolists, which are large batches of credentials that typically came from a variety of different breaches or otherwise illicitly obtained methods.
Over the course of the year, 1,407 emails were sent to these email addresses. Given the context they were found in, these emails likely only exist to be used by threat actors much like other combolists that are posted on the dark web. That is, to be run through a credential stuffing tool to find successful email/password combos and commit account takeover, or to target the addresses with malicious phishing emails.
To demonstrate examples of the kinds of dubious emails our analysts received, we ranked them by most popular to least popular and assigned them with the following categories: Personally Identifiable Information (PII) Stealers, Fraud, Malware, and Spam.
Read on to see what type of scam and spam emails were the most popular amongst threat actors over the past year, and to see what key trends our analysts observed in the world of phishing.
Of the 1,407 emails, a whopping 365 of them were generic sales spam with no clear motive. This suggests the reason for sending them was unlikely to be to commit fraud.
Most of these emails invited the recipient to take a survey to win a gift card to popular stores like Walmart, Ace Hardware, and so on. This can be used to gather personal information from the target to execute more refined spearphishing in the future, or leveraged for account takeover.
“I hacked you” scams typically contained some sort of variation of threat such as “I caught you on webcam” – with the sender threatening to release “footage” or encrypt the recipients computer unless they pay a Bitcoin ransom. There were a significant higher number of emails in this category than observed in previous years.
97 of the emails claimed that the recipient had won some type of reward, including reward points, commercial goods, rebates, and so on. Once the target clicks the link or opens the attachment to claim their “free stuff”, they end up installing ransomware instead.
Designed to get around endpoint security, fake invoice for software subscriptions with a real toll-free “customer assistance” number. Once the victim calls, the operator usually attempts to social engineer them into revealing PII, or trick them into installing ransomware. Overall, we saw a big uptick in these compared to previous years – with many leveraging big names such as Geek Squad, McAfee, and Norton.
A significant portion of the email data set fell into the category of “generic” – including scams and “advanced fee” schemes. These are mainly weaponized to steal personal information and commit financial fraud or identity theft.
These emails advertise below-market rates for high-end brands that are ultimately for counterfeit goods. Of the 58 sent to our analysts, most advertised for well-known luxury brands such as Louis Vuitton and Ray-Ban.
“We’ll buy your car” scams continue to be pretty consistent in popularity – though they may not be reported about as often as some of the other categories on this list. For further reading on this topic, our analysts suggest this resource that outlines 5 common scams for prospective call sellers.
“You could be eligible for compensation” – these types of infostealers usually falsely claim the victim could be eligible for compensation if they participate in a phony lawsuit.
Our analysts identified 28 emails that were directly targeting seniors. Most of these could be identified by keywords such as “senior”, “55+”, “timeshare”, “retirement”, and “over 60”. This suggests that not only is this attack vector still as popular as ever, but that actors are being quite blatant in their marketing towards this demographic.
Many of these emails touted a tool that claimed it could enable the recipient could see or verify the (likely) phony claim that their spouse or partner is cheating on them by installing spyware on their computer.
The 23 emails that fell in this category included phony alert emails claiming that the recipient had unread notifications from popular services such as Tinder, Reddit, Whatsapp, and LinkedIn. Popular subject lines contained some variation of “12 unread messages” or “You’ve matched with someone”, etc.
Seeing as how romance scams have tripled in popularity in the past few years, our analyst expected to see more of this type of phishing scheme.
These emails were consistent with the typical invoice scams that have been popular in past years. They are typically blasted out to businesses or email addresses that look like the might be accounts payable, office managers, or other administrative invoice and include a “real” invoice for nonexistent goods or services.
This type of scam is not one that our analysts have observed very often, if at all, before this analyses. These phishing emails mainly offered assistance in obtaining concealed carry permits. Most likely, this is a PII stealer scheme.
Many of the unclaimed asset scam emails claimed that the recipient was entitled to property from either inheritances, or from unallocated government holdings. In the example below the sender broadens the asset to “unidentified property” – making the chances that a target might think it could apply to them more likely.
Only four emails consisted of fake job postings. Given the overall uptick in scams of this nature, this was fewer than our analysts expected.
Given that this data set included two tax seasons, it was surprising to see how few IRS scams there were. Specifically, our analysts found the lack of specific “IRS” and “tax/taxes” keywords in emails’ subject lines to be significant.
These emails contained malicious links that were likely ransomware. Their phishing pretexts didn’t fit into any of the other categories.
After categorizing and ranking these emails, our analysts made note of several key observations:
IRS Scams are down – Tax fraud phishing campaigns that specifically mention taxes or the IRS are way down from previous years. This is likely due to IRS messaging and warnings, which seem to have done their job in at least deterring actors from using this method so heavily.
Phone Scams are are more popular – Phone number malware campaigns, designed to get around endpoint security, are becoming more prevalent.
Less emails marked as “High Priority” – Of all the emails, only 4 were marked as “High Priority,” which is a shift since previous years. In the past, this was a common tactic to create a sense of urgency and improve open rates.
“I hacked you scams” proving to be lucrative – We saw a huge uptick in this type of email over the past year. In this type of scam, the sender usually blasts emails out to massive list and might only get money back from one or two people. Their uptick in popularity indicates that the financial reward from even just a handful of victims is lucrative enough to incentivize more threat actors to use this method.
Never ever open email attachments – While only 7.53% of analyzed emails had an attachment, every single one of those contained malware. The takeaway? Assume that all attachments are malicious unless you are able to verify otherwise in a safe sandboxed environment.