Phishing is not a new concept. Cybersecurity experts have warned the public for decades about the costly consequences of clicking a malicious link or entering private, personal information on a fraudulent page. In 2021, Cisco reported that over 90% of data breaches involved phishing. Phishing remains one of the most popular ways to reel in your employees and gain a foothold in your systems.
Because phishing campaigns are so common, staying current on the evolving tactics hackers use to catch your employees' attention is essential. Earlier this year, KnowBe4 reported the subject lines and attack vectors hackers are currently using as bait to make their phishing messages more believable. Before we cover those, let's recap what phishing is and why avoiding it matters to your business's security.
What is phishing?
Phishing is a social-engineering scam, most often delivered by email, that hackers use for financial gain or access. The schemes vary, but they ultimately trick victims into downloading malware or unknowingly handing over sensitive information. Hackers then monetize login credentials, Social Security numbers, bank account numbers, or access to the employee's device.
Why does your business need to avoid getting hooked?
Three reasons why you need to avoid the phisher’s hook:
- Phishers will steal your identity (identity theft). They will draw on your line of credit or impersonate you to your customers or coworkers from your own email or social media accounts.
- Hackers will steal your data. You risk losing customers and employees if the information you hold about them is not kept secure.
- Phishers cause a loss of productivity, reputation, and revenue. A small business will have a difficult time bouncing back from a successful attack.
What bait are the phishers using?
Phishing attempts continue to evolve and adapt to hook and reel victims in. KnowBe4 released an infographic listing the most clicked-on phishing categories and subject lines from Q2 of 2022.
Some of the most clicked phishing email subject lines included:
- HR: Your performance evaluation is due
- IT: Internet Report
- HR: Please Update for W4 file
- Acknowledge Your Appraisal
- Employee Expense Reimbursement for [[email]]
- HR: Vacation Policy Update
- HR: Important: Dress Code Changes
- Password Check Required Immediately
- LinkedIn: Who’s searching for you online
- Weekly Performance Report
Receiving an unexpected email from what looks like your company's HR department may cause panic and a sense of urgency to respond. Employees interested in other positions might be intrigued to know who’s looking at their LinkedIn profile. Even a vague subject such as a "performance report" can pique an employee’s curiosity, and they might download the attachment or click the link to ensure all their performance ducks are in a row.
Once the employee is on the hook, the phisher starts reeling them in with these three tactics:
- Link: a malicious hyperlink in the email, usually hidden behind innocuous text
- Spoofed domain: a sender address or link that appears to belong to your company's domain but differs by a character or two
- Copied brands: reuse of the company's name, logo, and colors
Hackers disguise the link behind the innocent phrase "click here" so it looks like any other link the employee has clicked; the visible text tells you nothing about where the link actually goes. A spoofed domain can be difficult to spot because hackers use a full, realistic-looking email address that appears to come from someone within the company. The giveaway is the address itself, which will often have a missing, extra, or swapped letter (an "rn" where an "m" should be, or a digit "1" in place of a lowercase "l").
The email will also look more authentic when hackers copy the company's logo and name, along with a similar header and footer. If the targeted employee doesn't know what to look for, they can easily be phished, giving the hacker access to private information, data, or business systems.
You can find more information on KnowBe4’s infographic here.
How can you stay off the phisher’s wall of shame?
Here are five tried-and-true tips to help you identify email threats:
- Double-check the sender's email address for misspellings or swapped letters, and exercise extra caution if you do not normally correspond with that person.
- Watch for grammar and spelling mistakes throughout the entire email, including the header and footer.
- Hover your mouse over a hyperlink to see where it really goes, and compare the domain in the link to the one you expect. HTTPS and the padlock icon only mean the connection is encrypted; most phishing sites use HTTPS too, so a secure-looking link can still be malicious.
- Beware of any attachments, especially if you weren't expecting documentation from that contact.
- Be suspicious of scare tactics. When the tone of the email conveys a high degree of urgency, it is designed to rush you into action before you think through what you're clicking on or revealing.
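As an added example, not from the original article or from KnowBe4, the following Python script applies three of the checks above (and the spoofed-domain and disguised-link tactics described earlier) to a raw email: it measures how many letters the sender's domain is from your own, extracts every hyperlink and compares the visible text with the real destination, and flags urgency wording in the subject and body. The organisation domain `example.com`, the two sample messages, and the phrase list are constructed for the illustration.

```python
"""Flag common phishing tells in a raw email (added example; all input is constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "example.com"  # assumption: your organisation's real mail domain
URGENT_PHRASES = ("immediately", "required", "urgent", "within 24 hours", "expires today")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_ours(host: str) -> bool:
    # Only the registrable domain counts: 'example.com.evil.net' is NOT ours.
    return host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)


def analyse(raw: str) -> list:
    """Return human-readable findings; an empty list means no tells were found."""
    msg = message_from_string(raw)
    findings = []

    # 1. Lookalike sender domain (tip 1 / spoofed domain): a domain a letter or
    #    two away from ours is far more suspicious than an unrelated one.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain and not is_ours(sender_domain):
        d = edit_distance(sender_domain, OUR_DOMAIN)
        if d <= 2:
            findings.append(f"lookalike sender domain {sender_domain!r} ({d} edit(s) from {OUR_DOMAIN})")

    # 2. Where each link really goes (tip 3 / disguised link). The scheme is
    #    deliberately ignored: HTTPS says nothing about who owns the destination.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = host_of(href)
        if re.match(r"https?://", text) and host_of(text) != target:
            findings.append(f"link text {text!r} but real target host {target!r}")
        elif target and not is_ours(target):
            findings.append(f"{text!r} points off-domain to {target!r}")

    # 3. Urgency language (tip 5) in subject or body.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENT_PHRASES if p in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample: lookalike sender, HTTPS link with our name as a subdomain,
# and a link whose visible URL differs from its target.
SAMPLE = """\
From: HR Department <hr@exampel.com>
To: alice@example.com
Subject: Password Check Required Immediately
Content-Type: text/html; charset=utf-8

<html><body><p>Your password expires today.
<a href="https://login.example.com.account-verify.net/reset">Click here</a> to keep your
account active, or visit <a href="https://examp1e.com/portal">https://portal.example.com</a>.</p>
</body></html>
"""

# Constructed sample of a legitimate internal notice for comparison.
LEGIT = """\
From: HR Department <hr@example.com>
To: alice@example.com
Subject: HR: Vacation Policy Update
Content-Type: text/html; charset=utf-8

<html><body><p>The updated policy is on the <a href="https://intranet.example.com/policies">intranet</a>.</p></body></html>
"""

if __name__ == "__main__":
    for sample in (SAMPLE, LEGIT):
        print(sample.splitlines()[2], "->", analyse(sample) or "no tells found")
```

The disguised link in the sample uses HTTPS and even contains `example.com` as a subdomain; the script still flags it because the registrable domain is not ours, which is exactly the comparison a person should make when hovering over a link.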
We’ve provided another sheet to further explain phishing characteristics to help you discern good emails from malicious ones.
Interested in more training for your employees?
We don’t see the flow of phishing emails stopping anytime soon. As your technology partner, we work to help you avoid the bait and keep swimming. If you are interested in additional resources, please read our other blog articles, or download our eBook on Trophy Phishing.