- Finance-themed phishing uses personalized subjects and file names to deliver malware
- Travel and response phishing also use personalization to push information stealers and RATs
- Cofense urges verification of unexpected emails and updates to security tools
Attackers are increasingly personalizing phishing emails to deliver malware, experts have warned, with criminals reaping huge gains.
By adding the recipient’s name, company, and other details to subject lines, file names, and message content, threat actors seek to make messages appear more legitimate, increasing the chances that recipients will open malicious attachments or click links, researchers at Cofense have revealed.
Cofense analyzed a year’s worth of data and found that while several campaign themes use this tactic, finance-themed phishing was the most worrying due to both its frequency and impact.
Stay safe
Nearly 22% of subject-redacted emails fell into this category, often posing as invoices, tenders, or payment summaries.
Many of these emails carried jRAT, a cross-platform remote access trojan that can give attackers full control of a system, steal files, and install more malware.
Finance-themed phishing is particularly effective because it blends seamlessly with normal workplace communication, as employees often expect emails about contracts or payment updates.
While finance-themed phishing accounted for 21.9% of personalized subject cases, other themes also made heavy use of this approach.
Travel Assistance was the largest category at 36.78%, often used to deliver Vidar Stealer under the guise of reservation or itinerary updates.
Response-themed emails followed at 30.58%, frequently carrying PikaBot in messages disguised as meeting cancellations or order confirmations.
Tax-themed campaigns made up 3.72%, commonly involving Remcos RAT in password-protected archives, while Notification-themed phishing also represented 3.72%, delivering various malware families including WSH RAT and jRAT.
To counter these threats, Cofense advises verifying unexpected email requests through trusted channels, keeping antivirus and malware removal tools up to date, and limiting public exposure of staff details to make targeting harder.
Summing up, Cofense says, “While customized subject lines are not used in all malware email samples, it is a strong tactic to make the recipient feel a higher sense of urgency that may lead to a successful infection. Particularly targeted emails delivering RATs or Information Stealers can be notable for potentially providing remote access or login credentials that can be brokered to ransomware threat actors.”
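For defenders, the personalization described above can be surfaced at the mail gateway or in triage. The following is an added example, not code from Cofense or the original article: it parses a message and reports where tokens derived from the recipient's own name, mailbox, and mail domain appear in the subject line or attachment file names. The sample addresses, names, and the `MIN_LEN` threshold are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

MIN_LEN = 4  # assumption: shorter tokens match too often by chance
SPLIT = re.compile(r"[\W_]+")

def recipient_tokens(msg):
    """Name, mailbox and company tokens taken from the To/Cc headers."""
    tokens = set()
    for name, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        local, _, domain = addr.partition("@")
        company = domain.split(".")[0]  # assumption: first label names the company
        for part in SPLIT.split(f"{name} {local} {company}".lower()):
            if len(part) >= MIN_LEN:
                tokens.add(part)
    return tokens

def personalization_hits(raw):
    """Return sorted (field, token) pairs where a recipient token appears."""
    msg = message_from_bytes(raw, policy=policy.default)
    tokens = recipient_tokens(msg)
    fields = [("subject", str(msg.get("Subject", "")))]
    fields += [("filename", part.get_filename())
               for part in msg.iter_attachments() if part.get_filename()]
    hits = set()
    for field, text in fields:
        words = set(SPLIT.split(text.lower()))
        hits.update((field, tok) for tok in tokens if tok in words)
    return sorted(hits)

def build_sample(subject, filename=None):
    """Constructed test message; the address and names are made up."""
    msg = EmailMessage()
    msg["From"] = "billing@sender.test"
    msg["To"] = '"Jane Doe" <jane.doe@examplecorp.test>'
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    if filename:
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="zip", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(personalization_hits(build_sample(
        "Payment summary for Jane Doe - ExampleCorp", "Invoice_ExampleCorp_Jane.zip")))
    print(personalization_hits(build_sample("Quarterly newsletter")))
```

A hit is a triage signal rather than a verdict, since legitimate senders also address recipients by name; it is most useful when combined with attachment type and sender history.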