Phishing has been around for as long as email has existed. It is an ever-present cyberthreat, and one of the most dangerous. It is estimated that one in every 99 emails is a phishing attack, and that 30% of phishing emails get past default protections. What’s more, over 92% of the malware in the world arrives via email.
Apart from malware, phishing emails are also the way in for scams such as BEC (Business Email Compromise), a type of cybercrime that, according to the Financial Crimes Enforcement Network (FinCEN), generates $301 million every month. Last year, the subject “invoice” was used in 60% of the most effective phishing campaigns. In 2019, however, another tactic seems to be working even better.
Cybersecurity knowledge as a force for bad
A security awareness training company, KnowBe4, has carried out a study to discover the most effective phishing email subjects. The most successful subjects were those related to cybersecurity or that made the victims think they had suffered a security breach.
For the study, the company sent out thousands of simulated phishing emails with different subjects, and observed which of them were clicked on. They also observed the subjects of real phishing emails that users had reported to their IT departments.
The results were revealing. Phishing emails with the subject “Password Check Required Immediately” were the most successful: 43% of users clicked on them. Ironically, the success of this subject shows that, to a certain degree, efforts to increase user awareness about cybersecurity are making headway: users are beginning to understand the importance of protecting their passwords, and attackers are exploiting exactly that concern.
Other subjects that got recipients to open emails included “A Delivery Attempt was made” and “Deactivation of [[email]] in Process”, which fooled 9% of users.
Taking interest in the company can be dangerous
Another tactic is the use of subjects related to company policies: “New Organizational Changes”, “Updated Employee Benefits”, “Staff Review 2018” and “Revised Vacation & Sick Time Policy” were among the subjects of the emails that were most frequently opened.
Stu Sjouwerman, CEO of KnowBe4, says: “As cybersecurity threats persist, more and more end users are becoming security minded. They have a vested interest in protecting their online lives, so a message that sounds urgent related to their password can entice someone to click. The bad guys are always looking for clever ways to trick end users, so [users] need to remain vigilant.”
Defend yourself against phishing
With the volume of emails that users receive every day, both legitimate messages and phishing attempts, protecting against threats of this kind is a must. The most important thing is to make employees as aware as possible of the dangers that this kind of attack poses, and of how to recognize fake messages. Many of them use the names of real companies that could be providers for the organization, or even copy the company’s branding. However, they usually still contain a few telltale signs:
- The sender’s domain does not exactly match the domain of the company that is supposedly sending the invoice (for example, a look-alike domain with a character changed, or a free webmail address instead of the provider’s own domain).
- A language other than the one the organization normally uses to communicate with that provider.
- Serious spelling or grammar mistakes, often the result of writing the email with a machine translation program.
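The first of those signs, a sender domain that does not match the provider’s, is one an organization can check automatically before a message ever reaches a person. The following script is an added example written for this article; it is not code from the original post or from Panda Email Protection. The provider allow-list (`KNOWN_PROVIDERS`), the `.example` domains and the two sample messages are all constructed for illustration. It parses the From and Reply-To headers, flags a display name that claims to be a known provider while the address uses a domain that provider does not own, flags a Reply-To that points somewhere other than the sending domain (the usual setup for “updated bank details” invoice fraud), and spots look-alike domains that are within two characters of a trusted one.

```python
"""Flag invoice e-mails whose sender domain does not match the provider's.

Added example for this article, not part of the original post or of any
Panda product. KNOWN_PROVIDERS, the .example domains and the two sample
messages below are constructed for illustration.
"""
from __future__ import annotations

import email
from email import policy
from email.utils import parseaddr

# Constructed allow-list: provider name (lowercase) -> domains it really sends from.
KNOWN_PROVIDERS = {
    "acme supplies": {"acme-supplies.example"},
    "globex": {"globex.example"},
}


def sender_domain(address: str) -> str:
    """Return the lowercase domain of an address such as 'Name <user@host>', or '' if none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_same_org(domain: str, trusted: set[str]) -> bool:
    """True if domain equals a trusted domain or is a subdomain of one (billing.acme-supplies.example)."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_invoice_sender(raw: str) -> list[str]:
    """Return a list of findings for one RFC 5322 message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_hdr = str(msg.get("From", ""))
    display, _ = parseaddr(from_hdr)
    from_dom = sender_domain(from_hdr)
    if not from_dom:
        return ["From header has no usable address"]

    findings = []

    # 1. Display name claims to be a known provider, but the domain is not one that provider uses.
    claimed = next((p for p in KNOWN_PROVIDERS if p in display.lower()), None)
    if claimed and not is_same_org(from_dom, KNOWN_PROVIDERS[claimed]):
        findings.append(f"display name claims '{claimed}' but address domain is {from_dom}")

    # 2. Reply-To points to a different organisation than the From domain.
    reply_dom = sender_domain(str(msg.get("Reply-To", "")))
    if reply_dom and not (is_same_org(reply_dom, {from_dom}) or is_same_org(from_dom, {reply_dom})):
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Look-alike of a trusted domain (a character added, dropped or swapped).
    for trusted in (d for doms in KNOWN_PROVIDERS.values() for d in doms):
        if from_dom != trusted and edit_distance(from_dom, trusted) <= 2:
            findings.append(f"{from_dom} looks like trusted domain {trusted}")

    return findings


# Constructed sample messages (not real mail).
LEGIT_MSG = (
    "From: Acme Supplies Billing <invoices@billing.acme-supplies.example>\n"
    "To: ap@victim.example\n"
    "Subject: Invoice 4471\n"
    "\n"
    "Please find attached invoice 4471.\n"
)

PHISH_MSG = (
    "From: Acme Supplies Billing <invoices@acme-suppl1es.example>\n"
    "Reply-To: payments@acme-invoices-portal.example\n"
    "To: ap@victim.example\n"
    "Subject: Invoice 4471 - updated bank details\n"
    "\n"
    "Our bank account has changed, please pay invoice 4471 to the new account.\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MSG), ("phish", PHISH_MSG)):
        print(label, check_invoice_sender(raw) or ["no findings"])
```

The subdomain check is deliberate: a real provider often sends from `billing.` or `mail.` under its own domain, so requiring an exact match would drown the alert in false positives. Running the script prints no findings for the legitimate message and three for the fraudulent one (display-name mismatch, Reply-To mismatch, and the `suppl1es` look-alike). This kind of header check complements, rather than replaces, the user awareness described above: it catches the clumsy cases so that people can concentrate on the convincing ones.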
As well as exercising caution with possible phishing emails, it is vital to have advanced protection in place to stop cyberthreats from landing in employees’ inboxes at all. Panda Email Protection provides multilayer protection against all kinds of spam and malware in real time. The advanced scanning is carried out from the cloud, which simplifies security management: it can be used from anywhere, at any time, simply by accessing the web console.
Phishing is one of the traditional cyberthreats that is still growing, and it is highly likely that it will keep growing every year. What’s more, it is the point of entry for a whole litany of cyberattacks and malware. Protect your systems with Panda Email Protection.