George is in his office responding to his morning emails when he notices an unusual message. The subject is concise: “Security Alert”. Obviously, he wants to know what’s going on. He opens it, reads the first paragraph to see what the problem is, then clicks the link ostensibly taking him to the company page where he will have to confirm his data to stay protected. Without knowing it, he has just fallen into a trap. He has been directed to a page infected with malware that will steal his identity. George has become a victim of phishing. But he is not the only one — some of his co-workers have also been duped. But George is not alone in this. In fact, 21% of phishing attacks resort to the alarming “Security Alert” subject line in order to deceive its victims.

Share this list with your employees

It is important that employees be wary of any email they receive with any of the following subject lines. According to a study by KnowBe4, these are the ten most common email subjects that have led to a phishing incident:

  1. Security Alert – 21%
  2. Revised Vacation & Sick Time Policy – 14%
  3. UPS Label Delivery 1ZBE312TNY00015011 – 10%
  4. BREAKING: United Airlines Passenger Dies from Brain Hemorrhage – VIDEO – 10%
  5. A Delivery Attempt was made – 10%
  6. All Employees: Update your Healthcare Info – 9%
  7. Change of Password Required Immediately – 8%
  8. Password Check Required Immediately – 7%
  9. Unusual sign-in activity – 6%
  10. Urgent Action Required – 6%

Although the number of attack vectors is multiplying (through social networks, for example), email is still the channel preferred by cybercriminals to launch this type of attack. The reason is obvious: it is more effective to send a fraudulent email than to try to get the user to fall into the trap on a random website or to dupe them on a social network. The most common method is to impersonate a legitimate company or person requesting certain information and redirecting the recipient to a fake website: a shipping company that wants to confirm shipment of a package, a human resources employee requesting that you update your personal information…

Even employees at large technology companies have been victims of phishing: employees at Google and Facebook were tricked into transferring more than $100 million they thought was intended for Quanta Computer, an electronics manufacturer.

How to prevent phishing

Given that 91% of cyberattacks start with a simple phishing email, it is important to take action to minimize the risk of our company being attacked.

In addition to building basic cybersecurity awareness regarding such practices as never clicking links contained in emails from untrusted senders, or browsing only through secure websites (those starting with ‘https://’), it is crucial to have solutions that protect your business from possible phishing incidents.

Traditional antivirus protection is no longer sufficient. Identity theft is becoming more sophisticated, and cyberattacks aiming to steal valuable data are increasingly able to bypass the barriers of traditional security solutions. With this in mind, the best option is to opt for advanced security solutions that monitor and categorize 100% of processes in execution to anticipate any type of malicious behavior, and thus reduce the possibility of becoming the victim of an attack to zero.