Email Crafting: Designing Deceptive Messages That Mimic Trusted Sources

Email crafting is the core skill in phishing attacks. It’s where reconnaissance data transforms into action, where psychological understanding meets technical execution, and where the success or failure of an entire campaign is determined. A well-crafted phishing email can bypass sophisticated technical controls by exploiting the one vulnerability present in every organization: human trust.

This phase combines social engineering principles, technical knowledge of email systems, and creative deception to create messages that recipients believe are legitimate. Understanding how attackers craft these messages is essential for recognizing and defending against them.

The Anatomy of a Phishing Email

  1. The Sender

    Display Name Manipulation: The “From” field is often the first thing recipients check, making it the most critical element to manipulate convincingly.

    Techniques:

    • Exact impersonation: “IT Department” using lookalike domains
    • Authority spoofing: “CEO John Smith”
    • Trusted brand abuse: “PayPa1 Security” (note the “1” instead of “l”)
    • Internal spoofing: Exploiting misconfigured SPF/DMARC to appear internal

    Example:

    Instead of the real “support@microsoft.com”, attackers use:

    • “support@micros0ft.com” (zero instead of ‘o’)
    • “support@microsoft-security.com” (legitimate-looking hyphenated lookalike domain)
    • “Microsoft Support”

  2. The Subject Line

    Subject lines must balance urgency with believability. Too alarming raises suspicion; too mundane gets ignored.

    Effective Subject Line Formulas:

    Urgency-based:

    • “URGENT: Your account will be suspended in 24 hours”
    • “Action Required: Unusual sign-in activity detected”
    • “Final Notice: Invoice #4851 overdue”

    Curiosity-based:

    • “You’ve been mentioned in a document”
    • “Someone shared a file with you”
    • “Your package delivery failed”

    Authority-based:

    • “IT Security Update Required – Mandatory”
    • “HR: Complete your annual compliance training”
    • “CEO: Q4 Performance Review Meeting”

    Familiarity-based:

    • “RE: Meeting follow-up” (implies ongoing conversation)
    • “FW: Budget proposal for your review”
    • “Quick question about the project”

  3. The Body Content

    Opening/Greeting:

    Generic (bulk phishing):

    • “Dear Customer,”
    • “Dear User,”
    • “Hello,”

    Personalized (spear phishing):

    • “Hi Sarah,” (using researched first name)
    • “Good afternoon, Ms. Johnson,” (formal, using title and surname)
    • “Hey Mike,” (casual, matching organizational culture)

    The Hook:

    The body must quickly establish credibility and motivation for action:

    Problem/Threat Framework:

    “We’ve detected suspicious activity on your account from an IP address in Romania. For your security, we’ve temporarily limited your account access. Please verify your identity immediately to restore full functionality.”

    Opportunity Framework:

    “As a valued customer, you’ve been selected for our exclusive early access program. Click below to claim your benefits before they expire on Friday.”

    Authority Framework:

    “Per the directive from the CFO, all department heads must complete the attached expense reconciliation form by end of business today. Failure to comply may result in budget allocation delays.”

    Urgency Elements:

    • “Your account will be closed within 24 hours unless…”
    • “This offer expires at midnight tonight…”
    • “Immediate action required to avoid penalties…”
    • “Limited spots available – first come, first served…”

    Trust Indicators:

    • Official-looking logos and branding
    • Legal disclaimers and privacy notices
    • Professional formatting and corporate templates
    • Security badges and verification symbols
    • Accurate company information (researched via OSINT)

  4. The Call to Action (CTA)

    The CTA directs the victim toward the attacker’s objective:

    Common CTAs:

    Credential Harvesting:

    • “Verify Your Account” → Links to fake login page
    • “Update Your Password” → Credential capture form
    • “Confirm Your Information” → Data collection page

    Malware Delivery:

    • “Download Your Invoice” → Malicious attachment
    • “View Shared Document” → Weaponized file
    • “Install Security Update” → Malware installer

    Information Gathering:

    • “Complete This Survey” → Reconnaissance questionnaire
    • “Update Your Profile” → Social engineering data collection
    • “Confirm Shipping Details” → Personal information theft

    Financial Fraud:

    • “Process This Payment” → Wire transfer scam
    • “Update Payment Method” → Credit card harvesting
    • “Approve This Transaction” → Business email compromise
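The lookalike sender addresses listed under The Sender above can be caught mechanically rather than by eye. The following is an added example, not code from the original article: it normalises the domain part of a From: header (digit and Cyrillic look-alikes, punycode, hyphenated brand names) and compares it with an allow-list of trusted domains. TRUSTED_DOMAINS and example-corp.com are constructed assumptions for the demonstration.

```python
import unicodedata
from email.utils import parseaddr

# Hypothetical allow-list of domains this organisation trusts (constructed for the example).
TRUSTED_DOMAINS = {"microsoft.com", "paypal.com", "example-corp.com"}

# Substitutions attackers rely on: digits that resemble letters (micros0ft) and
# Cyrillic letters that render identically to Latin ones (Cyrillic а, е, о, р, с).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})

def normalize(domain):
    """Lower-case, decode punycode (xn--) labels and map confusable characters to Latin."""
    domain = domain.strip().lower().rstrip(".")
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains raw Unicode; translate() below handles it
    return unicodedata.normalize("NFKC", domain).translate(CONFUSABLES)

def registrable(domain):
    """Last two labels, sufficient for the .com-style domains discussed on this page."""
    return ".".join(domain.split(".")[-2:])

def classify_sender(from_header):
    """Return 'trusted', 'lookalike' or 'unknown' for the address in a From: header value."""
    _display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if registrable(domain) in TRUSTED_DOMAINS:
        return "trusted"
    norm = registrable(normalize(domain))
    if norm in TRUSTED_DOMAINS:
        return "lookalike"  # micros0ft.com, pаypal.com with a Cyrillic а
    # Brand name reused as a hyphenated word or under another TLD:
    # microsoft-security.com, secure-paypal.com, microsoft.net
    words = norm.split(".")[0].split("-")
    if any(t.split(".")[0] in words for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"
```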

Example Scenario:

Subject: IT Security: Mandatory Password Update Required

From: IT Security Team

Body:

Dear Employee,

As part of our ongoing security improvements following the recent industry-wide cyberattack, all employees must update their passwords using our new secure password portal. You must complete this update by 5:00 PM today to maintain access to your account. Click here to update your password: Update Password Now

This is a mandatory security measure. Accounts that are not updated will be automatically locked for security purposes.

Thank you for your cooperation in keeping our company secure.

IT Security Team

Internal IT Department

Company Name | Protecting Your Digital Assets

This email combines multiple persuasion techniques:

  • Authority (IT Security Team)
  • Urgency (deadline today)
  • Fear (account will be locked)
  • Social proof (industry-wide cyberattack)
  • Legitimacy (professional formatting, security language)

Email Crafting Techniques

Pretexting

Creating a believable scenario that justifies the request:

Common Pretexts:

  • IT emergencies: System updates, security patches, account verification
  • HR matters: Benefits enrollment, policy updates, training requirements
  • Financial urgency: Vendor payments, invoice disputes, tax forms
  • Executive requests: Urgent tasks from leadership (CEO fraud)
  • External events: Tax season, holidays, industry conferences

Personalization Strategies

Basic Personalization:

  • Using target’s real name
  • Referencing their job title or department
  • Mentioning their company name

Advanced Personalization:

  • Recent company news or events
  • Specific projects or initiatives
  • Known vendors or partners
  • Colleague names and relationships
  • Travel schedules or out-of-office periods
  • Recent purchases or activities

Emotional Manipulation

Fear:

  • Account compromise warnings
  • Legal threats or compliance violations
  • Job security implications
  • Financial loss scenarios

Greed:

  • Exclusive offers or bonuses
  • Unexpected refunds
  • Prize winnings
  • Investment opportunities

Curiosity:

  • Mysterious shared documents
  • Unusual account activity (non-threatening)
  • Personal mentions or references
  • “Someone is trying to contact you”

Obligation:

  • Requests from authority figures
  • Helping a colleague in need
  • Completing required tasks
  • Reciprocating past favors

Technical Crafting Elements

HTML and Formatting:

  • Professional templates matching legitimate emails
  • Proper logo usage and branding
  • Responsive design for mobile devices
  • Hidden text and misleading anchor links

Link Obfuscation:

  • Display text mismatch: Shows “https://paypal.com” but links to “http://paypa1.com”
  • URL shorteners: bit.ly, tinyurl hiding true destination
  • Homograph attacks: Using Unicode characters that look identical (e.g., Cyrillic ‘а’ vs Latin ‘a’)
  • Subdomain tricks: “paypal.com.phishing-site.com” or “secure-paypal.com”
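What “hover before clicking” does by hand can be automated over an HTML body. This is an added example, not code from the original article: it extracts every anchor and flags the display-text mismatch, brand-as-subdomain and shortener tricks listed above, plus non-ASCII or punycode hosts as homograph candidates. The sample body and the BRANDS and SHORTENERS sets are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed body exercising each trick from the list above (not a real message).
SAMPLE_HTML = """
<p>Please visit <a href="http://paypa1.com/login">https://paypal.com</a> to verify.</p>
<p>Or use <a href="https://paypal.com.phishing-site.com/secure">PayPal Secure Login</a>.</p>
<p>Tracking: <a href="https://bit.ly/3abcXYZ">View package status</a> | <a href="https://www.paypal.com/help">Help center</a></p>
"""
BRANDS = {"paypal.com"}                    # brands worth scrutinising when they appear in a URL
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
def registrable(host):
    return ".".join(host.lower().split(".")[-2:])

class LinkExtractor(HTMLParser):  # collects (href, visible anchor text) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html):
    """Return [(href, [findings])] for every anchor; an empty list means nothing suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        findings = []
        # Visible text is a URL whose host differs from the real target ("hover before clicking").
        if text.lower().startswith(("http://", "https://")):
            if registrable(urlparse(text).hostname or "") != registrable(host):
                findings.append("display/href host mismatch")
        for brand in BRANDS:  # brand as a subdomain or hyphenated label of another domain
            if brand in host and registrable(host) != brand:
                findings.append(f"{brand} appears inside {registrable(host)}")
        if registrable(host) in SHORTENERS:
            findings.append("URL shortener hides destination")
        if "xn--" in host or any(ord(c) > 127 for c in host):  # possible homograph
            findings.append("IDN/punycode host, check for homographs")
        report.append((href, findings))
    return report
```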

Attachment Tactics:

  • Familiar file types (PDF, DOCX, XLSX)
  • Convincing filenames: “Invoice_2024_Q4.pdf”
  • Double extensions: “report.pdf.exe” (hidden in Windows by default)
  • Macro-enabled documents: “Enable Editing to view this document”
  • ZIP password protection (to bypass email scanners)

Anti-Detection Strategies

Bypassing Email Filters

Content Obfuscation:

  • Replacing letters with numbers or symbols (l33t speak)
  • Using images instead of text
  • Breaking up suspicious keywords
  • Strategic misspellings

Attachment Evasion:

  • Password-protected archives
  • Steganography (hiding malware in images)
  • Using legitimate cloud storage links
  • Delayed execution malware

Domain Reputation:

  • Using newly registered domains
  • Compromising legitimate websites for hosting
  • Using free email providers with good reputation
  • Rotating through multiple sending domains

Avoiding Spam Folders

Technical Compliance:

  • Proper email headers and authentication
  • Valid SPF and DKIM results (e.g., by sending from compromised accounts)
  • Clean sender reputation
  • Avoiding spam trigger words
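Because SPF and DKIM can legitimately pass for a compromised or unrelated sending account, the useful defensive check is DMARC-style alignment between the visible From: domain and the domain that actually authenticated. This is an added example, not code from the original article: it parses a constructed Authentication-Results header (example-corp.com and bulk-sender.net are placeholders) and reports whether either passing method aligns with From:.

```python
import email
import re
from email.utils import parseaddr

# Constructed raw message (placeholders: example-corp.com is the defender, bulk-sender.net the
# relay). SPF and DKIM both "pass", but for a domain unrelated to the visible From: header.
RAW_MESSAGE = """\
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=bounce@bulk-sender.net;
 dkim=pass header.d=bulk-sender.net; dmarc=none header.from=example-corp.com
From: "IT Security Team" <it-security@example-corp.com>
To: employee@example-corp.com
Subject: IT Security: Mandatory Password Update Required

Dear Employee, ...
"""

def registrable(domain):
    """Last two labels; enough for relaxed DMARC alignment on .com-style domains."""
    return ".".join(domain.lower().strip().split(".")[-2:])

def check_alignment(raw):
    """Compare the From: domain with the domains SPF and DKIM actually authenticated.

    Returns the parsed verdicts plus 'aligned': True only if a passing method's domain
    shares its registrable domain with From: (DMARC relaxed alignment)."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    ar = " ".join(msg.get("Authentication-Results", "").split())  # unfold the header
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:[\w.+-]+@)?([\w.-]+)", ar)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", ar)
    result = {
        "from_domain": from_domain,
        "spf": spf.groups() if spf else None,
        "dkim": dkim.groups() if dkim else None,
    }
    spf_ok = spf and spf.group(1) == "pass" and registrable(spf.group(2)) == registrable(from_domain)
    dkim_ok = dkim and dkim.group(1) == "pass" and registrable(dkim.group(2)) == registrable(from_domain)
    result["aligned"] = bool(spf_ok or dkim_ok)
    return result
```

A message that fails this alignment while showing spf=pass and dkim=pass is the signature of the "valid signatures from an unrelated account" case above, and is what a DMARC policy of quarantine or reject would have stopped.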

Timing and Volume:

  • Sending during business hours
  • Limiting send volume to avoid rate limiting
  • Spacing out attacks over time
  • Targeting specific time zones

Defense and Detection

For Individuals

Verification Practices:

  • Hover before clicking: Check actual URL destination
  • Verify sender: Contact sender through known channels
  • Question urgency: Legitimate requests rarely require instant action
  • Check for personalization: Generic greetings are red flags
  • Look for errors: Typos, grammar issues, formatting problems

Technical Safeguards:

  • Display full email headers
