Phishing: What Users Fall for and the Mistakes Crooks Make
Quite a few experts continue to profess that when it comes to cybersecurity, 'humans are the weakest link'. You could argue that there's a bit more to it than that, but to a large extent, the statement is true. Often, even sophisticated, well-prepared phishing attacks fail miserably because users manage to keep their fingers away from the mouse button.
The thing is, training people to avoid opening links and files that arrive by email is more difficult than it sounds. In fact, there are companies like KnowBe4 that specialize in doing just that. To improve its training programs, KnowBe4 has been trying to find out which phishing email subjects fool the greatest number of victims, and it has been keeping tabs on the data for a while now. Last week, it published the statistics for the third quarter of 2018.
Phishers' tactics and users' weaknesses
KnowBe4 put together two lists: one for the most commonly clicked email subjects during phishing simulations, and one for the most commonly reported in-the-wild phishing email subjects.
Here's what users fell for the most during the phishing training programs:
- Password Check Required Immediately
- You Have a New Voicemail
- Your order is on the way
- Change of Password Required Immediately
- De-activation of [[email]] in Process
- UPS Label Delivery 1ZBE312TNY00015011
- Revised Vacation & Sick Time Policy
- You’ve received a Document for Signature
- Spam Notification: 1 New Messages
Here are the subjects of the emails that were reported as phishing by KnowBe4 clients:
- You have a new encrypted message
- IT: Syncing Error – Returned incoming messages
- HR: Contact information
- FedEx: Sorry we missed you.
- Microsoft: Multiple log in attempts
- IT: IMPORTANT – NEW SERVER BACKUP
- Wells Fargo: Irregular Activities Detected on Your Credit Card
- LinkedIn: Your account is at risk!
- Microsoft/Office 365: [Reminder]: your secured message
- Coinbase: Your cryptocurrency wallet: Two-factor settings changed
Having these two separate lists gives us a much better insight into the gravity of the situation. The first collection of subjects tells us precisely what sort of social engineering tends to be effective during a potential attack. The second list gives us the other side of the proverbial coin. It shows real-life attacks that were caught by the users.
Urgency and threats to security still work
During Q3, users seemed most willing to click on "Password Check Required Immediately" messages. Looking at the older reports, we can see that this particular subject has been in the Top 10 for a while, and its ranking has steadily improved, which probably has something to do with the fact that we're seeing more and more incidents revolving around compromised passwords.
Further down, you have the similar "Change of Password Required Immediately" subject, which goes to show that if you fool users into thinking that they are protecting their data, they are more likely to expose it. Irony aside, by combining a sense of urgency with the threat of serious security problems if you don't act, the crooks can create a rather powerful social engineering weapon. The effect is amplified by the fact that when an organization gets compromised, it has little choice but to ask its users to change their passwords.
The thing is, responsible organizations that follow security best practices don't send emails with links to login forms. Some do, but just because you have the link in your inbox doesn't mean that you need to click it. If you think that the email is genuine, it's best to open a new tab, go to the affected website, log in, and navigate to the password reset section manually. And if you're not sure about anything, use the communication channels listed on the official website to get in touch with the vendor. If the email is indeed a scam, your vigilance might end up saving other people.
The rest of the subjects in the first list don't have the same element of impending doom, but they are still either encouraging users to do something in a hurry or are teasing their curiosity. Obviously, this doesn't always work.
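The two traits this section describes, urgency or security-threat wording in the subject and a link whose real destination is not the site the message claims to be from, are easy to turn into a triage check for a mail gateway or a help desk script. The following is an added example, not code from the article or from KnowBe4. It assumes a constructed raw message with placeholder domains (`corp.example`, `*.invalid`), an illustrative keyword list taken from the subjects quoted above, and a deliberately crude "last two labels" domain comparison; a production filter would use a curated term list and a public-suffix-aware comparison.

```python
"""Flag a raw email for the phishing traits discussed above: urgency or
security-threat wording in the subject, and links (or a sender) whose real
domain does not match the brand the message claims to come from."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative subject terms drawn from the KnowBe4 lists quoted above.
URGENCY_TERMS = (
    "immediately", "required", "urgent", "at risk", "irregular",
    "de-activation", "deactivation", "suspended", "log in attempts",
    "password",
)


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' domain (assumption: good enough for the sample,
    not for public-suffix edge cases such as co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse(raw_message, claimed_brand_domain):
    """Return human-readable reasons the message looks suspicious (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    subject = (msg["Subject"] or "").lower()
    hits = [term for term in URGENCY_TERMS if term in subject]
    if hits:
        reasons.append(f"urgency/security wording in subject: {hits}")

    # The sender should belong to the brand the message claims to represent.
    sender = msg["From"] or ""
    match = re.search(r"@([A-Za-z0-9.-]+)", sender)
    sender_domain = registrable_domain(match.group(1)) if match else ""
    if sender_domain and sender_domain != claimed_brand_domain:
        reasons.append(f"sender domain {sender_domain!r} is not {claimed_brand_domain!r}")

    # Compare each link's real host with the claimed brand, ignoring the anchor text.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = urlparse(href).hostname or ""
            link_domain = registrable_domain(host) if host else ""
            if link_domain and link_domain != claimed_brand_domain:
                reasons.append(f"link to {link_domain!r} behind text {text!r}")
    return reasons


# Constructed sample: a "password check" lure whose link and sender are off-brand.
SUSPICIOUS_EMAIL = """\
From: IT Support <helpdesk@example-mail-host.invalid>
To: user@corp.example
Subject: Password Check Required Immediately
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Verify it now:</p>
<a href="http://login.corp-example-verify.invalid/reset">https://corp.example/reset</a>
</body></html>
"""

# Constructed sample: an ordinary internal message that should pass.
BENIGN_EMAIL = """\
From: IT Support <helpdesk@corp.example>
To: user@corp.example
Subject: Q3 all-hands slides
Content-Type: text/html; charset="utf-8"

<html><body><p>Slides are here: <a href="https://corp.example/hr/q3">intranet</a></p></body></html>
"""

if __name__ == "__main__":
    for reason in analyse(SUSPICIOUS_EMAIL, "corp.example"):
        print("-", reason)
```

Run it and the suspicious sample produces three reasons (subject wording, off-brand sender, off-brand link), while the benign sample produces none. The point of comparing the `href` host rather than the anchor text is exactly the advice above: the text can say `https://corp.example/reset` while the link goes somewhere else, which is why opening a fresh tab and typing the address yourself is the safer habit.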
Crooks make mistakes too
In theory, the entries in the second list have more or less the same characteristics as the ones in the first, yet users managed to spot that something was amiss and reported them to their employers' IT departments. In some cases, it's not difficult to see why.
If your credit card was issued by Chase, for example, you're unlikely to receive a message saying "Wells Fargo: Irregular Activities Detected on Your Credit Card". In other cases, we can only assume that the phishing attacks weren't very well executed.
Regardless of this, the fact that more and more users seem to be able to sort at least some of the chaff from the wheat is good news. Nevertheless, we are still a long way away from being prepared to fend off all phishing attacks. In fact, chances are, we'll never be, so it's important to take everything you see on the Internet, including the contents of your inbox, with a large pinch of salt.