Opinion | Phishing for humans – what do the numbers teach us?

Javvad Mailk, Security Awareness Advocate of KnowBe4, gives his insight on phishing attempts over the last quarter

Humans are curious. They also want to inherently “fix” things”. And they’re social beings. These are all traits that cyber attackers prey on – it’s what makes phishing so successful. Every quarter, we look to analyse what types of phishing attacks (simulated and in the wild) are the most clicked, so it gives organisations intelligence that they can use to improve security awareness within their businesses.

This last quarter showed us that, hey, this education does not fall on deaf ears – since those duped by COVID themed phishing emails actually decreased from previous quarters. This is a great sign; however, we also saw an increase in emails purporting to be from HR or even security-related notifications.

What this tells us is that the bad guys are unrelenting and always coming up with new ways to trick humans into clicking their links or downloading files. One only needs to look back a few weeks to see how much devastation ransomware has caused, particularly on critical infrastructure and services. And its route into the organisation? Phishing.

So, what are the most successful phishing attempts? LinkedIn phishing messages have dominated the social media category for the last three years. Users may perceive these emails as legitimate since LinkedIn is a professional network, which could pose significant problems because many LinkedIn users have their accounts tied to their corporate email addresses. Top-clicked subjects in this category also include Facebook and Twitter notifications, message alerts and login alerts.

The Top 10 Most-Clicked General Email Subject Lines Globally for the past quarter Include:

Password Check Required Immediately
Revised Vacation & Sick Time Policy
COVID-19 Remote Work Policy Update
COVID-19 Vaccine Interest Survey
Important: Dress Code Changes
Scheduled Server Maintenance — No Internet Access
De-activation of [[email]] in Process
Test of the [[company_name]] Emergency Notification System
Scanned image from MX2310U@[[domain]]
Recent Activity Report

Most Common ‘In-The-Wild’ Emails for the quarter Included:

Microsoft 365: Scheduled Server Backup
IT: IT-Help Ticket Survey Invitation
Warning: Your E-mail account has just sent 260 E-Mails
Amazon Prime: Action required – Card on file has been declined
License Update
Google: Take action to secure your compromised passwords
Apple: Prize winner! We need your confirmation
Zoom: You missed a Zoom meeting
HR: Your payroll details needs updating
Facebook: Important message regarding your Facebook profile

Studies such as this are important resources for organisations because they can use results to inform employees. In fact, other more general schemes like the NCSC’s suspicious email reporting service are vital to raise awareness. In the first two months of launching this tool, the NCSC received over a million reports of suspicious emails.

It goes to show that people can play an important role in identifying and reporting fraud and phishing emails and organisations should make it easy for employees and customers to report any suspicious activity. When employees feel involved as part of the solution, they are more likely to take security seriously and be vigilant with their emails.