Phishing is not a new concept. Cybersecurity experts have warned the public for decades about the costly consequences of clicking malicious links or entering private, personal information. In 2021, Cisco reported that over 90% of data breaches occurred because of phishing attacks. Unsurprisingly, phishing remains one of the most popular methods to reel in your employees and gain access to your systems.
Due to the popularity of phishing campaigns, staying updated on the evolving tactics hackers use to catch your employees’ attention is essential. Earlier this year, KnowBe4 reported new subject lines and vector types hackers use as bait to make their phishing messages more believable to your employees. Before we cover those, let’s recap what phishing is and why avoiding phishing scams is important to your business’ security.
Phishing is an email scam hackers use for financial gain. A variety of schemes are used to trick victims into downloading malware or unknowingly offering up compromising or sensitive information. Hackers then turn login credentials, social security numbers, bank account numbers, or access to the employee’s device into profit.
Three reasons why you need to avoid the phisher’s hook:
Phishing attempts continue to evolve and adapt to hook and reel victims in. KnowBe4 released an infographic listing the most clicked-on phishing categories and subject lines from Q2 of 2022.
Some of the most clicked phishing email subject lines included:
Receiving an unexpected email from what looks like your company's HR department may cause panic and a sense of urgency to respond. Employees interested in other positions might be intrigued to know who’s looking at their LinkedIn profile. Even a vague subject such as a "performance report" can pique an employee’s curiosity, and they might download the attachment or click the link to ensure all their performance ducks are in a row.
Once the employee is on the hook, the phisher starts reeling them in with these three tactics:
Hackers will disguise the link by using the innocent phrase “click here” to make it seem like any other link the employee has clicked on. A spoofed domain can be difficult to spot because hackers use a full email address that looks like it came from someone within the company. The giveaway is the sender address, which will often have a missing or incorrect letter.
The format of the email will also look more authentic when hackers use the company’s logo and name, along with a similar header and footer. If the targeted employee doesn’t know what to look for, they can easily be phished, giving the hacker access to private information, data, or business systems.
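The two giveaways described above, a sender domain that is one letter off from the real company domain and a “click here” link whose destination is hidden, are both things a mail filter or an analyst can check mechanically. The following script is an added example written for this article, not code from the article, KnowBe4, or any product; it assumes a hypothetical company domain `examplecorp.com` and runs over a constructed sample email. It uses only the Python standard library: the sender domain is compared to the trusted domain by edit distance, and every link in the HTML body is flagged when its visible text is generic or its host lies outside the trusted domain.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical company domain used for illustration (assumption, not from the article).
COMPANY_DOMAIN = "examplecorp.com"

# Anchor texts that tell the reader nothing about where the link actually goes.
GENERIC_LINK_TEXT = {"click here", "here", "view report", "open", "login"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: each insertion, deletion or substitution costs one step."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_domain(domain: str, trusted: str = COMPANY_DOMAIN) -> bool:
    """True when the domain is a near miss of the trusted one (a missing or wrong
    letter or two) but not identical to it."""
    if domain == trusted:
        return False
    return 0 < levenshtein(domain, trusted) <= 2


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str, trusted: str = COMPANY_DOMAIN) -> list:
    """Return (href, text, reasons) for links whose text hides the destination
    or whose host is outside the trusted domain."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if text.lower() in GENERIC_LINK_TEXT:
            reasons.append("generic anchor text hides destination")
        if host and host != trusted and not host.endswith("." + trusted):
            reasons.append(f"destination {host} is outside {trusted}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


def analyse(raw_email: str, trusted: str = COMPANY_DOMAIN) -> dict:
    """Run both checks over a single-part HTML email and report the findings."""
    msg = message_from_string(raw_email)
    domain = sender_domain(msg.get("From", ""))
    body = msg.get_payload()  # str for a non-multipart message
    return {
        "sender_domain": domain,
        "lookalike_sender": lookalike_domain(domain, trusted),
        "suspicious_links": suspicious_links(body, trusted),
    }


# Constructed sample: the sender domain is missing the "r" in examplecorp and the
# "click here" link points at an unrelated host; the second link is legitimate.
SAMPLE_EMAIL = """\
From: "HR Department" <hr@examplecop.com>
Subject: Performance Report - action required
Content-Type: text/html; charset="utf-8"

<html><body><p>Your performance report is ready.</p>
<p><a href="https://portal.examplecorp-login.net/report">click here</a> to view it.</p>
<p>Policy: <a href="https://intranet.examplecorp.com/policy">intranet.examplecorp.com/policy</a></p>
</body></html>
"""

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The edit-distance threshold of two is deliberately tight: it catches a dropped, swapped or substituted letter in the sender domain without flagging every unrelated external sender. A real deployment would compare against all of the company’s domains and the brands it routinely deals with, and would apply the same link checks to plain-text bodies and to every part of a multipart message.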
You can find more information on KnowBe4’s infographic here.
Here are five tried and true tips to help you identify email threats:
We’ve provided another sheet to further explain phishing characteristics to help you discern good emails from malicious ones.
We don’t see the flow of phishing emails stopping anytime soon. As your technology partner, we work to help you avoid the bait and keep swimming. If you are interested in additional resources, please read our other blog articles, or download our eBook on Trophy Phishing.