Emotional trigger phish—Off the hook


You and I view the past year through a prism of empathy for the plight of others. But the threat actor? He sees the turmoil and emotional pain of the pandemic as opportunities ripe for exploitation. That's because threat actors work their illicit trade without shame. BleepingComputer recently published an article, "FBI warns of scammers targeting families of missing persons," outlining how attackers target the families of missing persons with extortion scams, creating fake scenarios about the missing family member.

What makes an emotional attack vector so potent?

Emotionally targeted attacks are on the rise in 2021 due largely to the many psychological triggers rubbed raw by COVID-19. Many people are enduring the worst year of their lives between lay-offs, corporate restructuring, and the loss of loved ones; meanwhile, others have stayed healthy and prospered financially. You could say that the previous year has covered the whole emotional spectrum, and attackers have responded with verifiably potent phishing campaigns hooked into emotions.

The emotional spectrum in all its colours

After struggling through so much uncertainty, how horrible would it be to receive a contract termination notice from HR saying, “Due to COVID-19 we have to discontinue your contract?” This exact tactic is used in the message below. The link in the email goes to an online platform that lets users create forms but is also often used to host malicious content. If your company does not use this platform, links to it might be worth flagging internally. Food for thought.

Emotions are peculiar things. Even without acting on this scam email, it still might rattle you for days afterwards. We’ve all heard the quotes, “Don’t mix business with emotions” and “A decision based on emotion is not a decision, it's a gut-feeling.” So how do we keep our emotions at bay when an email like this lands before us?

One way to shield yourself against attack is to always pause and consider the content of the email. If you haven't already, get to know your company’s termination process and see if it aligns with the steps outlined in the attack email. Knowing your company’s employee termination process, you could then immediately click the Hoxhunt button and vaporize this threat from the system. It’s a much safer and more satisfying action than clicking the email link or worrying over it for days afterward.

Many know the feeling in the pit of your stomach upon seeing a customer’s complaint filed against your company. It somehow feels like a personal attack. Well, in the below example, the attack actually is personal. An attacker is manipulating an employee with a false customer complaint, which plays on people's social insecurities: How did I upset the customer? Was it my tie? Or my greeting in the Zoom meeting?

This kind of attack might have a higher miss rate than the fake termination notice due to lack of relevance, as not all employees work with customers. But the tactic in this email is sneaky: the first part of the payload is delivered as a link, which we can assume was intended to extract the user's information. However, the email also announces an action already being taken: “..I will debit you for 3,582…”. This sentence can provoke a reply from the user to the attacker, which would expose the user to more attacks. Note also that the link is hosted on Zoho, which was identified as a common Attack Vehicle* for attackers.

This attack attempt happens to scream, “Fake!” with its poorly structured sentences and clumsy spelling and wording. Well-written attacks are harder to spot.

Key takeaways

  • Be aware of your internal termination processes to better identify external attack attempts
  • Watch out for spelling mistakes, out-of-context words, and unusual content
  • Disarm the attack’s emotional fuse by trying to objectively analyse the email without emotions
  • When in doubt, click the Hoxhunt button!


*Attackers use many legitimate services as hosting platforms for malicious content. Dropbox, for example, is a platform commonly used by attackers. They plant their content in Dropbox and then send an invite directly from Dropbox to users. The notification that lands in the user's inbox is therefore a legitimate Dropbox notification and thus bypasses security filters. Only by going to the Dropbox link provided in the email can the user see the malicious content. The attacker usually plants a link in Dropbox that then takes the user to the malicious site.
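
The footnote above, and the earlier remark about flagging platforms the company does not use, suggest a simple mail-side check. The following is an added example, not Hoxhunt's code: it extracts links from a message and reports those pointing at a watched hosting service that is absent from the company's sanctioned list. The watch list, the sanctioned list, the `forms.example` placeholder for the unnamed form platform, and the sample email are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Assumptions: services named in the article plus a placeholder form builder,
# and the subset this (hypothetical) company actually uses.
WATCHED_HOSTS = {"dropbox.com", "zoho.com", "forms.example"}
SANCTIONED_HOSTS = {"dropbox.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
# Constructed sample message modelled on the fake termination notice.
SAMPLE = """\
From: HR <hr@mail.example>
Subject: Contract termination notice
Content-Type: text/html; charset="utf-8"

<p>Due to COVID-19 we have to discontinue your contract.</p>
<p><a href="https://acme.forms.example/f/termination">Review your notice</a></p>
<p><a href="https://www.dropbox.com/s/handbook">Employee handbook</a></p>
"""

def match_domain(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def extract_urls(msg):
    """Collect http(s) URLs from every text/plain and text/html part."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls

def flag_unsanctioned_links(raw_email):
    """Return (service, url) for links to watched services the company does not use."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings = []
    for url in extract_urls(msg):
        host = urlsplit(url).hostname or ""
        service = match_domain(host, WATCHED_HOSTS)
        if service and not match_domain(host, SANCTIONED_HOSTS):
            findings.append((service, url))
    return findings

if __name__ == "__main__":
    print(flag_unsanctioned_links(SAMPLE))
```

Links to a sanctioned service pass this check by design, so the Dropbox-notification technique described in the footnote still has to be caught by user reporting or by inspecting the shared content itself.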

Hoxhunt response

The Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button.
