Top-Clicked Phishing Report Shows How Easily Computer Users Are Scammed


Phishing shouldn't be such an effective attack in theory. When you take a closer look and consider a few things, you'll see that in a typical scenario, there are far too many easy-to-notice factors that give the cybercriminals away.

First of all, although it's a relatively easy task, few phishers bother with spoofing the actual sender address. Most crooks think that just putting a fake name is enough to fool victims, and because of the design of most email clients, this tactic works to some extent. You should know by now, however, that Facebook isn't going to be contacting you from a Yahoo! email address, and seeing the discrepancy is not hard.

Furthermore, in most cases, English isn't the phishers' mother tongue, and it sometimes shows. And even if the message is well-written, the email address is spoofed, and the phishing page is an exact copy of the original, the crooks can't host the fake login form at the legitimate URL.
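The two giveaways described above, a display name that claims one brand while the address belongs to another domain, and a login link hosted somewhere other than the brand's own site, are easy to check mechanically. The following is an added example (not code from the original article or from KnowBe4) of a small header and body check; the brand-to-domain table, the helper names and the sample messages are all constructed for the demonstration, and a real deployment would use an allow-list you maintain yourself.

```python
# Added example, not from the original article: flag a From display name that
# does not match the sending domain, and links in the body that point off-brand.
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: keyword seen in display names -> domains that brand really sends from.
# These entries are illustrative assumptions, not a vetted list.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com"},
    "wells fargo": {"wellsfargo.com"},
    "amazon": {"amazon.com"},
}

LINK_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def registrable(host: str) -> str:
    """Reduce a hostname to its last two labels (sufficient for this demo;
    a production check would use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def claimed_brand(display_name: str):
    """Return the allow-list brand a display name appears to impersonate, if any."""
    name = display_name.lower()
    for brand in BRAND_DOMAINS:
        if brand in name:
            return brand
    return None


def check_message(from_header: str, body: str) -> dict:
    """Compare the brand named in the display name against the sender domain
    and against every link host in the body; return the discrepancies found."""
    display, addr = parseaddr(from_header)
    sender_domain = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    brand = claimed_brand(display)
    findings = []

    if brand and sender_domain not in BRAND_DOMAINS[brand]:
        findings.append(f"display name claims {brand!r} but address is @{sender_domain}")

    hosts = {urlparse(u).hostname for u in LINK_RE.findall(body)}
    link_hosts = sorted({registrable(h) for h in hosts if h})
    if brand:
        off_brand = [h for h in link_hosts if h not in BRAND_DOMAINS[brand]]
        if off_brand:
            findings.append("links point off-brand: " + ", ".join(off_brand))

    return {
        "brand": brand,
        "sender_domain": sender_domain,
        "link_hosts": link_hosts,
        "findings": findings,
    }


# Constructed sample messages for the demo.
SUSPECT = check_message(
    "Facebook Security <facebook-security@yahoo.com>",
    "Your account will be locked. Confirm now: http://login-facebook.example.net/verify",
)
LEGIT = check_message(
    "Facebook <security@facebookmail.com>",
    "Review your recent logins at https://www.facebook.com/settings",
)

if __name__ == "__main__":
    for label, result in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, result["findings"] or "no discrepancies")
```

The check deliberately only reports discrepancies; a message that passes it is not proven genuine, since a sender domain can also be spoofed when the receiving side does not enforce SPF/DKIM/DMARC, and the list of brand domains is only as good as its maintenance.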

All in all, there are many things that should theoretically render most phishing attacks ineffective. Yet, as we all know, this isn't happening. And that's because there is one factor outweighing the bad grammar, the wonky text alignment of the fake login form, and the fact that it's hosted on the wrong website. This factor is called the human psyche.

Don't underestimate the phishers

While many phishers might struggle to pass their third-grade English tests, some are absolute masters when it comes to something called social engineering. They know how your brain works, and they know how it's going to react to different types of false information.

There are crooks that have brought these skills down to a fine art, and it would be fascinating to take a look into the different techniques they use when they design their schemes. Fortunately, KnowBe4, a company specializing in phishing awareness and training courses, has been doing just that for some time now.

They've monitored their phishing awareness training courses and have also been taking a look at some in-the-wild attacks to see which types of phishing emails the users are most likely to open. Recently, they published their Top-Clicked Phishing Report for Q2 of 2018. The results are rather interesting.

During their anti-phishing training courses, KnowBe4 presented employees with phishing emails with a variety of different email subjects. The Top 10 that were clicked on the most are as follows:

  1. Password Check Required Immediately
  2. Security Alert
  3. Change of Password Required Immediately
  4. A Delivery Attempt was made
  5. Urgent press release to all employees
  6. De-activation of [[email]] in Process
  7. Revised Vacation & Sick Time Policy
  8. UPS Label Delivery, 1ZBE312TNY00015011
  9. Staff Review 2017
  10. Company Policies-Updates to our Fraternization Policy

KnowBe4 also monitored the subjects in the most common in-the-wild phishing attacks, and they compiled a list of the most popular ones. Here it is:

  • Microsoft: Re: Important Email Backup Failed
  • Microsoft/Office 365: Re: Clutter Highlight
  • Wells Fargo: Your Wells Fargo contact information has been updated
  • Chase: Fraudulent Activity On Your Checking Account - Act Now
  • Office 365: Change Your Password Immediately
  • Amazon: We tried to deliver your package today
  • Amazon: Refund - Valid Billing Information Needed
  • IT: Ransomware Scan
  • Docusign: Your Docusign account is suspended
  • You have a secure message

Security concerns make people do insecure things

As you can see, there's a huge variety of organizations whose users are targeted, and there's also a significant number of lures that seem to be incredibly effective. Most of the subjects, however, revolve around security, which is quite ironic.

It shows that people know how dangerous a place the Internet can be sometimes. Users seem to understand that the risks exist, and yet, they don't know what they should and shouldn't do to stay safe.

Scare tactics have long been a part of the crooks' arsenal, and unfortunately, they still seem to work. This teaches us two things. First, the enormous success of phishing attacks has as much to do with education as it does with basic human nature and knee-jerk reactions. Second, and as a consequence, the crooks are unlikely to stop using these lures any time soon.

What you can do is try to go against your instinct. When you see an email warning you of something related to your online security, try to take a more level-headed approach. Check the sender, read the whole thing carefully, and most importantly, if the message tells you that you need to visit a certain URL, don't click any links and make sure you keep a close eye on the address bar. It's the only way to be sure that when the phishers decide that they want to attack you, they'll go home empty-handed.

July 30, 2018
