The Lure of Subject Lines in Phishing Emails
August 2023 by Cofense
The use of misleading dates in subject lines has long been a preferred tactic of threat actors for influencing the emotions of recipients and creating a false sense of urgency. In this report we have uncovered some interesting trends in subject lines with dates in them and targeted subsectors. We will cover the trends that Cofense Intelligence discovered during the month of July 2023.
The subject lines seen were intentionally deceptive, and the dates used in the subjects covered a range from a few days before the email was sent to several days afterwards. Subject lines such as these are specially designed to create a false sense of urgency requiring the victim’s immediate interaction, and not allowing them time to consider how suspicious the email is. The dates in the subjects of emails sent to 18 different subsectors were compared to the actual date the email was accessed leading to some surprising trends. The key results are divided into the ratios of subjects with dates to those without, late emails (emails with subject times before the date they were accessed), early emails (emails with subject times after the date they were accessed), and on time emails (subjects that had dates in them which matched to the date they were accessed).
Ratios of Subjects with Dates Compared to Those Without
When we looked at the data, the most important first step was to look at subjects that had dates in them. This included dates in all different kinds of formats. It also included subject themes covering late faxes, missed voicemails, overdue invoices, payroll, and other themes generally involving the need for immediate interaction. There was up to a 35% difference in how many subjects had dates based on the subsector. The subsector with the highest percentage of dated subjects was Rail Transportation at 48%. As can be seen in Figure 1, the next closest was Oil and Gas extraction at 45%, then Management/Scientific/Technical Consulting at 42%, and all the rest were below 40%. The sectors with the lowest percentage of dated subjects were Real Estate and Wholesale Trade at 13% each. On average, each subsector had a date in 31% of its subjects. Surprisingly, one trend that was not observed was a consistent theme across any of the top 3. It seems likely that Rail Transportation would be more likely to have themes around shipping or that Management/Scientific/Technical Consulting would be more likely to have overdue invoice themes. However, each of the top 3 had inconsistent themes with no one theme being significantly more common than any other.
After drilling down into emails with dates in their subjects we further separated the emails based on said dates. The categories were based on the date in relation to when the email was accessed. The first category was emails where the date in the subject was after the day the email was accessed (or “early” emails), the date matching the day the email was accessed (or “on time” emails), and the date being before the day the email was accessed (or “late” emails). It is important to note that “accessed” does not mean the same as “received.” This is because if an email is received at 10PM, it is likely not going to actually be accessed until the next day.
Early Emails
When looking at emails that were early, it was particularly obvious that few threat actors were interested in sending emails with subject dates later than the day they were accessed. In fact, early subjects only made up 2% of all subjects with dates in them. The lack of early subjects can easily be seen in Figure 2 where all 13 subsectors, other than the top 5, are at 3% or lower. Broadcasting had the highest percentage of early subject lines at 10% which is 5 times the average of 2% but still only makes up a miniscule number of emails. Looking at the early subjects, it in fact appears that accidents and misconfigurations on the threat actor’s part are likely responsible for most if not all early emails.
Emails that were “on time” were the second most common with subsectors having on average 31% of their subjects with dates being the same date the emails were accessed on. These emails were also the most customized, with 58% of their subjects having some sort of customized content or Personally Identifiable Information requiring redaction. There was also the most drastic difference between the highest percent subsector and the second highest. As can be seen in Figure 3, Credit Intermediation had the highest percentage of on time subjects at 60% whereas the second place, Securities/Commodity Contracts/Financial Investments, was at only 39%. It would seem likely that with Credit Intermediation being the highest by a fair margin it would have some subject themes unique to it that were responsible for the difference in values. Unlike the top 3 subsectors for subjects with dates in them, Credit Intermediation subjects did in fact have a slight trend towards signature requesting themes that were not present in the second place Securities/Commodity Contracts/Financial Investments subsector. Across the on time emails the most popular theme was “action” orientated subjects like the one in row 5 of Table 1. This makes sense as the on time emails would be the ones most focused on requiring immediate action rather than conveying a sense of urgency through the lateness of a notification.
The last and most common category of emails is those that have time stamps in their subject line which are late; times that are before when the message is accessed. These are typically done to create a false sense of urgency, warning victims that they have to perform some action immediately as the deadline has already passed. As can be seen in Figure 4, Admin and General Management had the highest percentage of late subjects at 81% and the next closest were Insurance Carriers and Utilities at 77%. The average was 67%, meaning that although there is a difference between the average and the top subsector, the difference is not as significant as in other types of emails. When general themes such as “action required”, “signature”, “document”, and “notification” are examined for late emails there is actually little difference as compared to early or on time emails. In fact, the themes are so inconsistent that no one theme had higher representation among the late emails than it did in any other category, including the overall category of emails with dates in their subjects.
When it comes to recognizing suspicious emails, the best strategy is of course training employees. But, more than just the general “training” there are several specific things about emails that employees should recognize as being suspicious. As we have listed in other Strategic Analysis reports:
Items such as the from address should be carefully examined because even if an address initially appears legitimate, close inspection can often reveal its spoofed nature.
In the body of the email, recipients should check for grammatical or spelling errors since legitimate modern email clients identify and correct most errors.
They should also pay close attention to the destination of any embedded links and ensure that the URL points to the expected location.
One of the key lessons learned from this report is that in over 2/3rds of the emails with dates in their subject line, the listed dates are before the email is accessed. This is not surprising as it has long been assumed that threat actors are doing this to create a false sense of urgency. The dates in email subjects can now be added as a suspicious indicator. If the date in a subject line is before the date the email is accessed, then the email should be examined with additional scrutiny and time should be taken rather than allowing the threat actor to take the initiative and pressure victims into quickly interacting.