Most Common Phishing Email Themes of 2023
January 2024 by Cofense
Each phishing campaign that Cofense Intelligence analyzes is given a title which includes a theme. This theme is important because it characterizes the campaign and provides insight into the threat actor’s intentions. Knowing that a phishing email targeting the hospitality industry is themed after Travel Assistance rather than a generic Finance theme is significant as it enables a more focused response. It also assists companies in better selecting relevant phishing simulations to use on their employees. We are going to cover some of the more common themes, what they are composed of, and what trends we can observe with them.
Themes are based on the email content, including the subject, email body, attachments, etc.
The highest variation of themes was in Q3 and Q4 of 2023.
Benefits themed emails were most common in Q1 and Q4 of 2023.
Fax and Document themed emails were most common in Q1 of 2023.
Legal themed emails were most common in Q3 and Q4 of 2023.
Tax and Notification themed emails were most common in Q3 of 2023.
Closing (as in closing on a property) themed emails were most common in Q1 and Q3 of 2023.
Of the Major themes, Finance made up 54%, Notification made up 35%, Shipping made up 7%, and Response made up 3%.
Of the Moderate themes, Document made up 38%, Voicemail made up 25%, Travel Assistance made up 24%, Fax made up 8%, and Legal made up 6%.
Of the Minor themes, Benefits made up 37%, Taxes made up 32%, Job Application made up 21%, and Closing made up 10%.
What Phishing Email Themes Mean
The themes observed in this report are specifically the overall theme of the email, not just the subject or the credentials targeted. This includes the brand spoofed, the attachment names, rendered attachments in the case of documents or HTM(L) files, and the email body content. That said, a big part of the theme of an email is tied to its subject as that is, after all, the first part of an email that a victim sees, so it is often designed to draw in their attention.
Themes Over Time
Observing trends in the phishing email themes of campaigns across 2023 helps give us insight into what threat actors think is most likely to get interaction from victims at that point in time. We will look at several changes in theme volume based on time of year, for example Benefits themed emails spiking during relevant time periods. Overall, we saw the highest volume of consistently themed campaigns in Q3, the lowest volume in Q2, and the highest variation in themes in Q3 and Q4.
The “Major” phishing email themes here are the themes with the highest volume that are also typically the most relevant as employees are more likely to see them. The themes in this category are Finance, Notification, Shipping, and Response.
Finance-themed emails typically have subjects relating to invoices, payments, pay slips, statements, orders, remittances, or receipts. Finance themes were relatively consistent for 2023, seeing an overall slight decrease from Q1 to Q4 with no major declines or increases. This is likely due to Finance being the most common theme overall and seeing the same decline in volume that most campaigns saw towards the end of the year.
Notification-themed emails typically have subjects relating to password expiration, reminders, messages, required actions, recent activities, or appointments. Notification themes slowly increased until Q3 and then dropped off in Q4. This is part of an overall trend in phishing as Q4 saw an overall decrease in campaigns.
Shipping-themed emails typically have subjects relating to shipments, port information, arrival notices, cargo, or anything to do with DHL, FedEx, UPS, and USPS. Shipping themes were highest in Q1, specifically in February, and continued to decline until Q4. According to our Strategic Analysis “Shipping-Themed Emails: Not Just for The Holidays” that covered data from 2021-2023, the volume of shipping themed emails typically increases only slightly in Q4 which we saw only towards the end of Q4 in 2023.
Response-themed emails typically have subjects relating to any sort of response or sometimes forwarded messages as well as hijacked and spoofed email threads. While many threat actors spoof reply chain threads, the most advanced threat actors hijack pre-existing email threads. Response themes peaked in Q2, specifically in May which was 25% higher than every other month. This makes sense as May saw a surge in QakBot campaigns utilizing response themes or even injecting into pre-existing reply chains.
The “Moderate” phishing email themes here are the themes that are not the most commonly seen but are still seen with regularity and are often used in more targeted or complex campaigns. The themes in this category are Document, Voicemail, Travel Assistance, Fax, and Legal.
Document-themed emails typically have subjects relating to approved documents, document signatures, completed documents, shared documents, or they spoof DocuShared and DocuSign. Document themed emails were the only moderate theme that did not decline in Q2.
Voicemail-themed emails typically have subjects relating to voicemail, voice messages, call audio, voice calls, caller details, caller notes, missed calls, recordings, or call transcripts. Voicemail themes peaked at the start of Q1 and the end of Q3 before leveling out in Q4.
Travel Assistance-themed emails typically have subjects relating to responses to reconnaissance emails about booking, reservations, help with travel, medical accommodations, or room requirements. Travel Assistance themed emails targeted hospitality from Q3 to Q4 but died off towards the end of Q4. Specifically, in December there was a 66% drop in Travel Assistance themed ATR volume.
Fax-themed emails typically have subjects relating to fax messages, faxed documents, confidential faxes, or they are spoofing eFax or MyFax. Fax themes peaked in Q3, hit rock bottom in Q2, and slowly increased for the rest of the year.
Legal-themed emails have some of the widest spreads of related subjects and typically have subjects relating to arrests, guardianship challenges, summons, court cases, sanctions, vehicle fines, accusations, criminal suits, or lawsuits. Legal themes increased across 2023 from Q1 to Q4. The vast majority of these were in Spanish. Q1 to Q3 were mostly Remcos but Q4 saw a diversification into XWorm RAT, njRAT, and Async RAT.
The “Minor” phishing email themes here are the least often seen but most likely to be related to a certain time of year. The themes in this category are Closing (typically on a house), Benefits, Taxes, and Job Application.
Closing-themed emails (usually about closing on a house) typically have subjects relating to closing documents, closing packages, payoff statements, closing payments, or closing disclosures. Closing themes decreased over time and didn’t show up at all in Q2, which is surprising as Q2-Q3 is often the biggest time for real estate sales.
Benefits-themed emails typically have subjects relating to insurance coverage, wage adjustments, payroll policy, benefits packages, yearly benefits, salary amendments, enrollment, medical coverage, employee benefits, health insurance, open enrollment, W2s, or vacation approval. Benefits themes were highest in Q1 and Q4 which makes sense as it is around this time that most companies do benefits.
Taxes-themed emails typically have subjects relating to tax invoices, VAT, tax receipts, tax clearances, tax reviews, sales tax, tax credits, e-filing, or the IRS. Tax themed emails peaked in Q3 and Q4, likely using the past due date of taxes to make people panic (taxes for United States based companies are typically due in April at the start of Q2).
Job-Application-themed emails typically have subjects relating to resumes, CVs (curriculum vitaes), job offers, applications, job vacancies, job searches, or a position name like “financial advisor”. Job application themes were consistent for Q1 and Q2 but declined for the second half of the year.
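A first-pass way to apply the subject keywords above when triaging reported emails, as an added example that is not Cofense's code. The keyword lists are a subset of those in the article; the most-specific-phrase rule (so "tax invoice" beats "invoice"), the RE:/FW: prefix check for Response, and the sample subjects are assumptions, and a subject-only match is weaker than the whole-email theming the report describes.

```python
import re
from collections import Counter

# theme -> (tier, subject keywords); a subset of the keywords listed in the article
THEMES = {
    "Finance": ("Major", ["invoice", "payment", "pay slip", "statement", "remittance", "receipt"]),
    "Notification": ("Major", ["password expiration", "reminder", "required action", "appointment"]),
    "Shipping": ("Major", ["shipment", "arrival notice", "cargo", "dhl", "fedex", "usps"]),
    "Document": ("Moderate", ["document", "shared document", "docusign"]),
    "Voicemail": ("Moderate", ["voicemail", "voice message", "missed call", "call transcript"]),
    "Travel Assistance": ("Moderate", ["booking", "reservation", "room requirement"]),
    "Fax": ("Moderate", ["fax", "faxed document", "efax", "myfax"]),
    "Legal": ("Moderate", ["summons", "court case", "lawsuit", "vehicle fine"]),
    "Benefits": ("Minor", ["benefits package", "open enrollment", "health insurance", "w2"]),
    "Taxes": ("Minor", ["tax", "tax invoice", "tax receipt", "sales tax", "vat", "irs"]),
    "Job Application": ("Minor", ["resume", "job offer", "job application"]),
    "Closing": ("Minor", ["closing document", "closing package", "payoff statement"]),
}
# Assumption: a reply/forward prefix with no other keyword suggests the Response theme
REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd):", re.I)

def classify(subject):
    """Return (theme, tier) for a subject line, or ("Unclassified", None)."""
    text = subject.lower()
    best = None  # (word count, length, theme): the most specific phrase wins
    for theme, (_tier, keywords) in THEMES.items():
        for kw in keywords:
            # whole-word match, tolerating a plural "s"/"es" suffix
            if re.search(r"\b" + re.escape(kw) + r"(?:e?s)?\b", text):
                cand = (len(kw.split()), len(kw), theme)
                best = max(best, cand) if best else cand
    if best:
        return best[2], THEMES[best[2]][0]
    if REPLY_PREFIX.match(subject):
        return "Response", "Major"
    return "Unclassified", None

def tally(subjects):
    """Count themes across a batch of reported subject lines."""
    return Counter(classify(s)[0] for s in subjects)

# Constructed sample subjects, not taken from real campaigns
SAMPLES = ["Tax invoice for Q3 attached", "Closing documents ready for your review",
           "Faxed document received via eFax", "RE: notes from Tuesday",
           "RE: Invoice 4471 payment overdue"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), "<-", s)
```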