Gary Warner posted a sample of email recently used in a phishing attack against the American Banking Association. The email lures visitors to a malware drop site that hosts the Zeus/Zbot trojan. The email itself presents a great "teaching opportunity" to explain how phishers will frequently use information that is credible, alarming, and phony to convince recipients that the email is legitimate and that acting on the request in the email is safe.
What sort of information is both credible and phony? Let's start with key words in a Subject line. Subject lines in phish email associated with the ABA attack include "unauthorized transaction" and "billed to your account". "Transaction" is a word we associate with correspondence from banks and e-merchants, and so it's credible. "Unauthorized" and "billed to your account" set off alarms in our heads. The ABA phishers use these lures to make the recipient read the message, where they set the hook with the bait: a dollar amount and a transaction ID, as in the sample:
Amount of transaction: $1781.30
Transaction ID: 7980-9779263
The amount is typically set to a value that would raise suspicion. The Transaction ID is entirely random, but it passes the "looks like a duck, swims like a duck, must be a duck" test. Phishers include this information to lend credibility to the message. They exploit the fact that, statistically, few of us have eidetic memories or keep records of our transactions close at hand. They expect that victims will falsely conclude, "only my bank or merchant would know these details, so it's safe for me to do whatever this email asks of me". They visit the phish site and thus fall for the phish, hook, line, and sinker.
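The same three lure ingredients can be turned into a triage heuristic for a mail filter or SOC analyst. The following is an added example written for this post, not code from Gary Warner or the original page; the weights, the threshold, the sample messages and the placeholder URL are all constructed, and the only values taken from the page are the Subject-line phrases and the amount/ID pair quoted above.

```python
import re
from dataclasses import dataclass, field

# Lure features described in the post: alarm words in the Subject line,
# the credibility word "transaction", and a dollar amount paired with a
# plausible-looking transaction ID. The weights are constructed for this example.
ALARM_TERMS = ("unauthorized", "billed to your account")
CREDIBILITY_TERMS = ("transaction",)
AMOUNT_RE = re.compile(r"\$\s?\d+(?:,\d{3})*(?:\.\d{2})?")
TXN_ID_RE = re.compile(r"transaction\s*id\s*:\s*[A-Za-z0-9-]{6,}", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class LureScore:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def score_phish_lure(subject: str, body: str) -> LureScore:
    """Score a message for the 'credible, alarming, and phony' lure pattern."""
    result = LureScore()
    subj = subject.lower()
    text = f"{subject}\n{body}".lower()

    # Alarming words in the Subject are the attention-grabber.
    for term in ALARM_TERMS:
        if term in subj:
            result.add(2, f"alarm term in subject: {term!r}")

    # Bank/merchant vocabulary lends credibility.
    for term in CREDIBILITY_TERMS:
        if term in text:
            result.add(1, f"credibility term: {term!r}")

    has_amount = AMOUNT_RE.search(body) is not None
    has_txn_id = TXN_ID_RE.search(body) is not None
    if has_amount:
        result.add(1, "dollar amount present")
    if has_txn_id:
        result.add(1, "transaction ID present")
    # The amount/ID pair is the hook: detail that "only my bank would know".
    if has_amount and has_txn_id:
        result.add(2, "amount paired with transaction ID")

    # A link to act on completes the lure.
    if URL_RE.search(body):
        result.add(1, "link to act on")
    return result


def is_suspicious(subject: str, body: str, threshold: int = 5) -> bool:
    return score_phish_lure(subject, body).score >= threshold


# Constructed sample messages (not real mail). The first mirrors the ABA lure
# described in the post; the URL is a placeholder, not the actual drop site.
PHISH_SUBJECT = "Unauthorized transaction billed to your account"
PHISH_BODY = (
    "Amount of transaction: $1781.30\n"
    "Transaction ID: 7980-9779263\n"
    "Review the charge at http://example.invalid/review\n"
)
BENIGN_SUBJECT = "Lunch next week?"
BENIGN_BODY = "Are you free Tuesday? The cafe has $12 lunch specials."

if __name__ == "__main__":
    for subj, body in ((PHISH_SUBJECT, PHISH_BODY), (BENIGN_SUBJECT, BENIGN_BODY)):
        r = score_phish_lure(subj, body)
        print(f"{subj!r}: score={r.score} suspicious={is_suspicious(subj, body)}")
        for reason in r.reasons:
            print("  -", reason)
```

A genuine fraud alert from a bank would score high here too, so this is a triage signal to route mail for closer inspection (sender authentication, link destination), not a verdict on its own. The reasons list is what makes it useful to an analyst: it names which of the credible, alarming and phony ingredients were present rather than just emitting a number.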