2

I understand that regular e-mail scams are dumb on purpose, to filter out smart people and make the processing of the replies easier.

But phishing is based on tricking people into thinking their bank (for instance) is talking to them. Yet almost every phishing e-mail I've ever seen is always visibly fake and poorly made. Why don't they just copy the bank's existing email/website template?

The accepted answer here mentions that

In phishing, as in scams, sending the initial batch of emails is the easy part. The hard part is coaxing information out of the target (which can require a concerted exchange of emails).

But why? Isn't phishing specifically about obtaining credentials? Why would that require a manual exchange of emails?

Timst
  • possible duplicate: https://security.stackexchange.com/questions/96121/why-do-phishing-emails-have-spelling-and-grammar-mistakes?rq=1 – schroeder May 02 '17 at 21:02
  • Added further details, since the possible duplicate's top answer doesn't make it much clearer for me. – Timst May 02 '17 at 21:15
  • The "e-mail scams are dumb on purpose" argument is popular but I have never seen solid evidence for it and I don't find it convincing. You have to consider that it's just a lack of skill or effort. – Arminius May 02 '17 at 22:13
  • *Yet almost every phishing e-mail I've ever seen is always visibly fake and poorly made.* - While there are many shoddy phishing mails I get also very good phishing mails and their number is growing. Thus I doubt that your basic assumption that most of these mails are shoddy is just wrong. – Steffen Ullrich May 03 '17 at 04:13
  • Maybe it's just that nobody's deemed it worth their time to craft a special one for you yet. Imagine one from a relative, coworker you're working on a project with or local reporter asking about your project on GitHub, with each having a very tempting attachment that you click just before realizing what you've done – flerb Aug 30 '17 at 04:38

4 Answers

7

This may just be a psychological fallacy in which you only notice the phishing attempts that don't trick you. There are certainly phishing attempts that are near exact copies of the site they are impersonating that trained security experts can (and do) fall for when not alert.

Malwarebytes posted this on their blog, which contains some side-by-side images of phishing login pages next to the site they're impersonating.

As you can see they're similar to the point of being indistinguishable unless you're looking at them side-by-side like this. You're right in that many phishing emails/sites are poorly done - this is generally because it is time intensive to make something a near match, and wouldn't result in as significant an increase in successful phishes as you may think. Overall, for many low-level phishers the cost outweighs the reward.

Anders
Buffalo5ix
  • Good to know that higher effort attempts exist (well, "good to know"...). Myself though, I've never seen any in years, and believe me I've been looking for them. Not sure I agree on the "because it is time intensive to make something a near match". Those are not banknotes we're talking about here: it's much easier to copy the HTML/CSS of an existing mail/website than trying to make your own from scratch. – Timst May 02 '17 at 21:29
  • We use an outsourced phishing tool that occasionally sends highly realistic phishing messages to our staff (for training purposes). The last one (click here for GDPR (data protection) training) fooled nearly everyone. – Callum Wilson May 03 '17 at 15:27
  • I agree. Much like people that walk away from a plane crash say things like "I had a feeling.." or "I knew this flight was doomed" - they probably think it every time they fly. – SDsolar May 09 '17 at 05:22
  • https://en.wikipedia.org/wiki/Selection_bias and https://en.wikipedia.org/wiki/Survivorship_bias explain part of OP's observation. The sample set is limited to phishes you've seen, and/or ones you didn't fall for. If you had been successfully phished, by definition, you wouldn't have noticed it. – JesseM May 09 '17 at 18:32
1

Because enough people are stupid enough to believe them that making them look more "real" isn't worth the scammers' time and money.

Basic economics, the scammers are thinking at the margin, balancing the incremental increase in revenue against the cost of a higher-quality fake site.

user1258361
  • Why would a higher quality site cost more? It's just a question of downloading the existing site and replacing the parts you need. Much easier and faster than to make your own thing, which seems to be what most phishers do. – Timst May 10 '17 at 12:43
1

With many of these phishing campaigns, it's a numbers game. Send enough messages, some people will respond. It is simply not worth the investment in time for some and many people fail to read messages carefully before responding.

As for the emails being dumb on purpose - possibly, but I'm not so sure - many of these campaigns are run by individuals with a poor grasp of English - English is not their first language, or the text has been run through an online translator.

Why don't they just copy the bank's existing email/website template - There are some scammers that do invest more time and undoubtedly get better returns. Although phishing sites do get shut down quickly and need to be recreated on many different domains. Time and effort required is likely to be a significant factor for many phishers.

Phishing is about obtaining credentials, but the term is also used for spam emails that are sent to spread malware via attachments or links to drive by download sites. Those require no exchange of emails.

0

I think your understanding of phishing may be a bit limited. Yes, for the reason you mentioned above, your everyday, cast-a-wide-net phishing emails are dumb, for the exact reason you mentioned. Spear phishing and whaling are more specifically targeted, and generally much better crafted. It makes sense to spend more time on these targets since the payout per individual target is much higher than your everyday run-of-the-mill scam.

Also, phishing is not limited to obtaining credentials specifically. It can be more generalized to include obtaining any type of information, or getting the user to perform a specific action, such as viewing a malicious document which could install malware.

Anders
Dan Landberg