Training

Most-Clicked warning

by Mark Rowe

Please read this; it’s urgent. Or important. Because attackers prey on human nature, humans are the attack surface of choice for cybercriminals, according to KnowBe4, a security awareness training and simulated phishing platform.

While hackers have always used topical news stories to color their phish attempts, the rise in ‘in-the-wild’ emails related to campus security incidents highlights the emotional depths to which these bad actors will go to breach an organisation, says KnowBe4.

Perry Carpenter, chief evangelist and strategy officer at Florida-based KnowBe4, says: “Hackers do what works – and what works is manipulating a human’s psyche to make them feel curious, important or, sadly, scared. As technical controls continue to improve at thwarting automated attacks, hackers are upping their sophistication at bypassing technical controls through the use of social engineering.”

The cyber firm examined tens of thousands of email subject lines from simulated phishing tests to uncover just what makes a user want to click. They also examined ‘in-the-wild’ email subject lines that show actual emails users received and reported to their IT department as suspicious.

Top ten Most-Clicked General Email Subject Lines Globally for the first three months of 2018:

1. A Delivery Attempt Was Made – 21pc
2. Change of Password Required Immediately – 20pc
3. W-2 – 13pc
4. Company Policy Update for Fraternisation – 10pc
5. UPS Label Delivery 1ZBE3112TNY00015011 – 10pc
6. Revised Vacation and Time Policy – 8pc
7. Staff Review 2017 – 7pc
8. Urgent Press Release to All Staff – 5pc
9. Deactivation of (email) in Process – 4pc
10. Please Read: Important from HR – 2pc

Carpenter pointed to the Facebook-Cambridge Analytica affair, also used by hackers for phishing attempts; news stories influence the social engineering emails that hackers send, he said. “Cybercriminals expect that users will always be eager to correct a wrong address or to ensure that their bank accounts aren’t being breached. What’s not expected is a user population that has been properly trained to identify suspicious emails, no matter how well-disguised or emotionally charged they are. People are the last line of defence and it continues to be more and more important that organisations take this position seriously by, first and foremost, ensuring their users are properly trained.”

A number of free tools for testing users and their network are available at www.knowbe4.com.


© 2024 Professional Security Magazine. All rights reserved.