What are the most attractive phishing lures? Security alerts, vacation and sick time policy announcements, and package delivery notifications, according to simulated test findings from Tampa Bay, Fla. cybersecurity firm KnowBe4.
KnowBe4 tracked the most-clicked email subject lines from the simulated phishing tests sent to identify user readiness and awareness over Q2. The Top 10 list represents 22,060 simulated phishing tests failed by either KnowBe4 client users or users that took a free phishing security test from the KnowBe4 website. A number of financial institutions were among those tested.
The list shows there’s still a lot of room to train employees on how to spot a phishing or spoofed email. Here they are:
- Security Alert – 21%
- Revised Vacation and Sick Time Policy – 14%
- UPS Label Delivery 1ZBE312TNY00015011 – 10%
- BREAKING: United Airlines Passenger Dies from Brain Hemorrhage – VIDEO – 10%
- A Delivery Attempt was made – 10%
- All Employees: Update your Healthcare Info – 9%
- Change of Password Required Immediately – 8%
- Password Check Required Immediately – 7%
- Unusual sign-in activity – 6%
- Urgent Action Required – 6%
*Capitalization is as it was in the phishing test subject line
“The subject lines we are reporting here actually made it through all the corporate filters and into the inbox of an employee. That’s astounding. We are in a security arms race, and a multi-layered defense is critical because each layer has different points of effectiveness and ineffectiveness,” Perry Carpenter, chief evangelist and strategy officer at KnowBe4, said. “If crafted correctly, the right type of message can sail through all of the defenses because it is finding the least effective point of each and playing into the human psyche of wanting to receive something you didn’t know about or needing to intervene before something is taken away. Ultimately this means that a company’s human firewall is an essential element of organizational security because people truly are the last line of defense.”
According to Osterman Research, email has been the number one network infection vector since 2014. KnowBe4 noted It’s an effective method because it gives attackers more control than merely placing traps on the web and hoping that people will stumble over them. Instead, attackers craft and distribute enticing material to both random and targeted means. this method gives the cybercriminals greater control in selecting potential victims, leveraging multiple psychological triggers and engaging in what amounts to a continuous maturity cycle.
Businesses must also be aware that social media messages to their users are potential landmines to their corporate networks. The findings looked at social networking phishes and found 44% related to LinkedIn messages, which users often have connected to their work email addresses, bringing added risk to their corporate networks.
As part of its ongoing research efforts, In October 2016 KnowBe4 evaluated more than 10,000 email servers and found that 82% percent of them were misconfigured, allowing spoofed emails to successfully bypass endpoint security systems and enter an organization’s network.
KnowBe4 provides security awareness training and simulated phishing platforms to more than 11,000 organizations worldwide. The cybersecurity firm maintained that businesses not already working with KnowBe4 to effectively train their workforce into a human firewall can utilize a number of free tools on its website.
