The messages are typically varied by IP address of origination, subject line and body content.
The body content also includes multiple mutations of an embedded destination URL, which typically leads to a site with a positive reputation that's been successfully compromised prior to the attack. The compromised Web destinations are loaded with hidden malware either before, during or sometimes after the attack wave has begun.
"Each 'hook' looks individual to each phish; they don't see the large campaign," Kevin Epstein, product vice president for Proofpoint in Sunnyvale, Calif. said. Because the emails look so credible, people are clicking on the links in them at an astounding rate -- on average 10%.
"That's staggering," he said. "Any legitimate marketer would be thrilled to have a 10% click-through rate on a marketing campaign."
Security experts continue to urge people online to be highly skeptical of links that appear to be from trusted sources, co-workers and even friends and family members.
Sign up for CIO Asia eNewsletters.