Social engineering exploits human traits, such as trust and alarm, that a machine would never respond to, which is why attackers find people so easy to manipulate. A new study of the most effective phishing lures shows that, ironically, security-themed subject lines are the ones most likely to trick users into handling their credentials insecurely.
“By playing into a person’s psyche to either feel wanted or alarmed, hackers continue to use email as a successful entry point for an attack,” according to KnowBe4, which deals with security awareness and simulated phishing.
The firm compiled user data from simulated phishing tests and from real-world emails that alert users reported to their IT departments. It found that attackers most reliably get into a user’s accounts by exploiting that user’s sense of responsibility for security, using message bodies and subject lines that prompt them to enter their passwords.
After examining tens of thousands of subject lines, including some “in-the-wild” emails, researchers compiled the following “Top 10 Most-Clicked General Email Subject Lines Globally for Q2 2018” (frequency percentage in brackets):
- Password Check Required Immediately (15%)
- Security Alert (12%)
- Change of Password Required Immediately (11%)
- A Delivery Attempt was made (10%)
- Urgent press release to all employees (10%)
- De-activation of [[email]] in Process (10%)
- Revised Vacation & Sick Time Policy (9%)
- UPS Label Delivery, 1ZBE312TNY00015011 (9%)
- Staff Review 2017 (7%)
- Company Policies-Updates to our Fraternization Policy (7%)
The power of some of these subject lines lies in their close resemblance to legitimate corporate email, which makes it hard for unwary employees to tell real from fake.
Looking only at “in-the-wild” emails, researchers found the following to be the most common subject lines for the second quarter of 2018:
- Microsoft: Re: Important Email Backup Failed
- Microsoft/Office 365: Re: Clutter Highlight
- Wells Fargo: Your Wells Fargo contact information has been updated
- Chase: Fraudulent Activity On Your Checking Account – Act Now
- Office 365: Change Your Password Immediately
- Amazon: We tried to deliver your package today
- Amazon: Refund – Valid Billing Information Needed
- T: Ransomware Scan
- Docusign: Your Docusign account is suspended
- You have a secure message
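The two lists above share a handful of recurring lure themes (password resets and urgency, security alerts, delivery notices, HR policy) and, in the in-the-wild list, a brand named in the subject. Below is an added example of how a security team might turn that into a first-pass triage heuristic for a user-reported phishing mailbox; it is not KnowBe4’s code or classification. The theme keywords, the brand-to-domain table, and the sample messages are all this example’s own assumptions (the messages are constructed, not real reports). In production the brand check should rely on DMARC/DKIM results rather than the visible From address alone, which an attacker can forge.

```python
"""Triage heuristic for user-reported emails, built on the lure themes seen in the
subject-line lists above: credential/password urgency, security alerts, delivery
notices and HR policy, plus brand impersonation (subject names a brand, but the
sender domain is not that brand's)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Lure themes distilled from the two lists above. The grouping and keywords are
# this example's own assumption, not KnowBe4's classification.
LURE_PATTERNS = {
    "credential_reset": re.compile(r"password|de-?activation|account (is )?suspended", re.I),
    "security_alert": re.compile(r"security alert|fraudulent activity|ransomware", re.I),
    "urgency": re.compile(r"\b(immediately|urgent|act now|required)\b", re.I),
    "delivery": re.compile(r"\bdeliver(y|ed)?\b|\bpackage\b|\blabel\b", re.I),
    "hr_policy": re.compile(r"\bpolic(y|ies)\b|staff review|vacation", re.I),
}

# Brands that appear as prefixes in the in-the-wild list, with the sender domains
# this example assumes are legitimate for them (an assumption, not a vendor-published
# list; a real deployment would also require a passing DMARC result).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "office 365": {"microsoft.com"},
    "wells fargo": {"wellsfargo.com"},
    "chase": {"chase.com"},
    "amazon": {"amazon.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "ups": {"ups.com"},
}


def lure_themes(subject):
    """Return the lure themes a subject line matches, in table order."""
    return [name for name, pat in LURE_PATTERNS.items() if pat.search(subject)]


def brand_mismatch(subject, from_domain):
    """Return the brand named in the subject when the sender domain is neither that
    brand's domain nor a subdomain of it; None if no brand is named or it matches."""
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(r"\b" + re.escape(brand) + r"\b", subject, re.I):
            legit = any(from_domain == d or from_domain.endswith("." + d) for d in domains)
            return None if legit else brand
    return None


def triage(raw_message):
    """Score one RFC 822 message (headers plus body, as a string) and return a verdict."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    themes = lure_themes(subject)
    mismatch = brand_mismatch(subject, from_domain)
    # One point per lure theme; a spoofed brand is weighted heavier than any single theme.
    score = len(themes) + (2 if mismatch else 0)
    verdict = "escalate" if score >= 2 else "review" if score == 1 else "low"
    return {"subject": subject, "from_domain": from_domain, "themes": themes,
            "brand_mismatch": mismatch, "score": score, "verdict": verdict}


# Constructed sample reports (not real messages); the subjects mirror the lists above.
SAMPLE_REPORTS = [
    "From: IT Support <it-support@office365-secure.net>\n"
    "Subject: Office 365: Change Your Password Immediately\n\n"
    "Your password expires today. Click here to keep your account.\n",
    "From: alerts@notify.wellsfargo.com\n"
    "Subject: Wells Fargo: Your Wells Fargo contact information has been updated\n\n"
    "This is a confirmation of a change you made.\n",
    "From: HR <hr@corp.example>\n"
    "Subject: Revised Vacation & Sick Time Policy\n\n"
    "Please read the attached policy.\n",
    "From: UPS Notice <noreply@ups-tracking.top>\n"
    "Subject: UPS: A Delivery Attempt was made\n\n"
    "Reschedule your delivery here.\n",
]


def triage_all(reports=SAMPLE_REPORTS):
    """Triage every report and return the list of results in input order."""
    return [triage(r) for r in reports]


if __name__ == "__main__":
    for result in triage_all():
        print(f"{result['verdict']:8} score={result['score']}  {result['subject']}"
              f"  [{result['from_domain']}] themes={result['themes']}"
              f" spoofed_brand={result['brand_mismatch']}")
```

Note that the legitimate Wells Fargo confirmation scores zero because its sender domain is a subdomain of the brand’s own, while the HR policy notice only reaches “review”: it matches a lure theme but impersonates nobody, which is exactly the kind of message that needs a human look rather than an automatic block.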
Employees are often regarded as a company’s first line of defense, and for good reason: a single worker’s endpoint infected with a wormable piece of malware is all attackers need to work their way into the company’s infrastructure. This reinforces the point that staff training is a must-have in today’s corporate environments.
Of course, the same advice applies when you use your home computer or smartphone for personal affairs. Remember: phishing doesn’t discriminate.