Fishing competitions take place all over the world. Anglers attempt all kinds of strategies in their attempts to land the big one. Phishing plays a similar game. Cybercriminals devise and constantly revise their strategies to land a big fish of their own: access to financial data, the ability to lock users out and hold them to ransom, or the ability to disrupt critical infrastructure.
The latest ploys are laid out in the Q1 2021 top-clicked phishing report by KnowBe4. Here are the winners of the phishing competition, ranked by the share of clicks each general email subject line drew:
| General email subject line | Share of clicks |
|---|---|
| Password Check Required Immediately | 31% |
| Revised Vacation & Sick Time Policy | 15% |
| COVID-19 Remote Work Policy Update | 13% |
| COVID-19 Vaccine Interest Survey | 10% |
| Important: Dress Code Changes | 7% |
| Scheduled Server Maintenance -- No Internet Access | 6% |
| De-activation of [[email]] in Process | 5% |
| Test of the [[company name]] Emergency Notification System | 5% |
| Scanned image from MX2310U[[domain]] | 4% |
| Recent Activity Report | 4% |
As you can see, businesses are very much in the crosshairs, since they are likely to bear the most fruit in the form of data and personally identifiable information. Predictably, password scams top the list. This makes sense given the sheer number of passwords users are expected to juggle across a litany of sites. Once users get comfortable with the current rules, it is not uncommon for them to receive a rash of emails from different sites announcing changes to password and security policies. That, in turn, leads to passwords being changed more often, with ever more characters of growing complexity being added. No wonder this is a big area of user annoyance, disagreement, and frailty. The bad guys are latching onto it.
Think about it for a moment. Your average techie may be enamored by the idea of unbreakable passwords that are impossible to guess. But the average user would rather use a simple password that is easy to remember and is never changed. Regular prodding to change passwords or add more obscure characters has some users up in arms and others in a state of despair. In such a state of mind, they may lower their guard and click on something malicious, thinking it to be just the latest meddlesome interference from IT. It is up to IT to ensure that its policies and password enforcement don't antagonize users and push them into that frame of mind. Otherwise, IT will continue to be overworked by phishing flaps.
“The bad guys go with what works and in Q1, nearly a third of the users who fell for a phishing email clicked on one related to a password check,” said Stu Sjouwerman, CEO, KnowBe4. “Always check with your IT department through a known good phone number, email address or internal system before clicking on an email related to checking or changing a password because it only takes one wrong click to cause monumental damage.”
Further targets for cybercriminals include HR traffic. HR departments have been busy during the pandemic. Many attempted to make up for lack of onsite presence by sending far more email traffic than before. Hackers have realized this and have achieved phishing success with subject lines about vacation and sick time, remote work policy changes, vaccine information, and dress codes. If HR traffic is high, a phishing attempt posing as an email from HR may strike gold.
IT department traffic is another area of phishing success. With so much remote work being done, IT departments have been forced to be more vocal than before. The bad guys are tapping into this area with subject lines about server downtime, email account deactivation, and various tests being conducted. Scanned images and package delivery notifications are further sources of phishing success, as are social media messages: LinkedIn phishing messages dominate among social media email subjects.
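The common thread in the sections above is that the most-clicked lures borrow the voice of an internal department (IT, HR, the office scanner) while arriving from outside the organisation. That combination is cheap to check at the mail gateway. The script below is an added example written for this page, not code from KnowBe4 or from the original article: it scores a message's subject line against the lure themes in the table and raises the score when an internal-department topic or display name arrives from an external domain. The internal domain `example.com`, the four sample messages, the regexes and the score thresholds are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Lure themes built from the top-clicked subject lines in the report.
# The regexes are illustrative; a production filter would tune them per organisation.
THEMES = {
    "password": re.compile(r"\bpassword\b", re.I),
    "hr_policy": re.compile(r"\b(vacation|sick time|remote work|dress code|vaccine)\b", re.I),
    "it_notice": re.compile(r"\b(server maintenance|de-?activation|emergency notification|internet access)\b", re.I),
    "scanner": re.compile(r"\bscanned (image|document)\b", re.I),
    "delivery": re.compile(r"\b(package|parcel|shipment|delivery)\b", re.I),
    "account_activity": re.compile(r"\b(recent|unusual|suspicious) activity\b", re.I),
    "social": re.compile(r"\blinkedin\b", re.I),
}
# Themes that a legitimate sender would only ever raise from inside the organisation.
INTERNAL_THEMES = {"password", "hr_policy", "it_notice", "scanner"}
URGENCY = re.compile(r"\b(immediately|required|urgent|action required|in process|final notice)\b", re.I)
DEPARTMENT = re.compile(r"\b(hr|human resources|it|helpdesk|help desk|it support|payroll|admin)\b", re.I)

INTERNAL_DOMAIN = "example.com"  # assumed internal domain for this example


def assess(sender: str, subject: str, internal_domain: str = INTERNAL_DOMAIN) -> dict:
    """Score one message header pair and return a triage verdict.

    sender  -- the raw From: header, e.g. 'IT Helpdesk <it@corp.example>'
    subject -- the Subject: header
    """
    display, address = parseaddr(sender)
    domain = address.rsplit("@", 1)[-1].lower()
    external = domain != internal_domain.lower()

    score, reasons = 0, []
    # First theme whose pattern hits the subject; None if nothing matches.
    theme = next((name for name, pat in THEMES.items() if pat.search(subject)), None)
    if theme:
        score += 2
        reasons.append(f"subject matches top-clicked lure theme '{theme}'")
    if URGENCY.search(subject):
        score += 1
        reasons.append("urgency wording in subject")
    # The strongest signal: an internal-department topic arriving from outside.
    if external and theme in INTERNAL_THEMES:
        score += 3
        reasons.append(f"internal-department topic sent from external domain '{domain}'")
    # Display name claims to be IT/HR/etc. but the address is not ours.
    if external and DEPARTMENT.search(display):
        score += 2
        reasons.append(f"display name '{display}' impersonates an internal team")

    verdict = "quarantine" if score >= 5 else "flag" if score >= 3 else "deliver"
    return {"theme": theme, "score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample headers (not real messages) covering all three verdicts.
SAMPLE_MESSAGES = [
    ("IT Helpdesk <it-helpdesk@corp-secure-mail.com>", "Password Check Required Immediately"),
    ("Human Resources <hr@example.com>", "Revised Vacation & Sick Time Policy"),
    ("LinkedIn <security-noreply@linkedin-alerts.co>", "Action required: Recent Activity Report"),
    ("Dana <dana@example.com>", "Lunch on Friday?"),
]


def triage(messages=SAMPLE_MESSAGES) -> list:
    """Assess every (sender, subject) pair and return the verdicts in order."""
    return [assess(sender, subject) for sender, subject in messages]


if __name__ == "__main__":
    for (sender, subject), result in zip(SAMPLE_MESSAGES, triage()):
        print(f"{result['verdict']:10} score={result['score']}  {subject!r} from {sender}")
        for reason in result["reasons"]:
            print(f"             - {reason}")
```

The rule set is deliberately a triage heuristic rather than a classifier: a genuine HR policy notice from the internal domain scores only on its theme and is delivered untouched, while the same topic from an outside domain with an "IT Helpdesk" display name is quarantined. In practice the external-domain test should be fed by SPF/DKIM/DMARC results rather than the raw From: header, which an attacker controls.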
The motto is clear: Think Before You Click.