A study carried out by one of our software partners KnowBe4 revealed the top reasons we are likely to click on scam/ phishing emails.
What is a phishing email?
A phishing email is an email sent under a fake address attempting to impersonate an individual or organisation.
This is done in order to lure a user into clicking on it and potentially compromising the security of their system. This can happen by opening a bad link or accidentally allowing the phisher to gain confidential information such as password details.
The test which was sent to approximately 6 million users showed that we are more likely to click on emails containing information relating to money or offering free items.
Fake emails which proved most popular and to which users were most susceptible related to promises of money or posed the risk of losing it.
Second to these were emails which aroused the fear of missing out on an offer or opportunity. This includes free food or drinks or curiosity based requests for new contact or photo tags.
Emails emulating security notifications and missed deliveries also proved click friendly with users.
Subject lines pertaining to “Unusual sign-in activity” and other such notifications received attention from users. This is attributed to the ‘knee jerk reaction’ for seeing a familiar company or request contained in an email.
For example, requests that supposedly came via social media networks such as LinkedIn were the most convincing.
LinkedIn connection requests, new messages and password reset emails were able to get 53% of those in the test to click on the bait.
What are the types of phishing emails?
1. Deceptive phishing
This is when hackers imitate a legitimate company in an attempt to access personal information such as login credentials or bank account details.
They will often ask you to click a link to verify an account or make a payment.
When watching out for this kind of attack you should pay close attention to:
- the wording and grammar of emails
- the address the email has come from
- the details of the URL it is trying to send you to
Often small mistakes, such as spelling errors, will give away that this email does not come from a genuine source.
2. Spear phishing
Spear phishing is when emails are tailored to the individual they are targeted at.
The tone and message are personalised to lure the target in. They will use information such as name, position, company and work phone number which they can usually access online.
The goal is the same as with deceptive phishing, to entice the user to click on a link and by doing so unwittingly give up personal information.
Think about what information is visible on your public LinkedIn or Facebook profile. Hackers will be able to access this information and use it to try and dupe you or others around you.
Social media networks such as LinkedIn are popular for businesses. We welcome familiar emails in our inbox from these organisations and mostly trust what they tell us to do.
If an email comes in that is different from the usual style you receive, or the request is different than usual it is best to exercise caution and check carefully if it is genuine.
3. CEO fraud/whaling
This highly targeted form of attack relies on gaining some insight into the contact details of the CEO and their style of writing in emails.
The example below shows the supposed CEO telling his colleague to email him rather than speak with him on the phone. This should raise red flags if it’s not something your CEO would normally say.
Also, if they don’t normally email you about financial matters, but they are now, that should be another red flag.
Often a CEO might not undergo security awareness training with the rest of the staff. However, it is important to make sure that all staff including senior management undergo training to avoid this from happening.
Pharming goes beyond trying to trick users into clicking on bait, and instead involves domain name system (DNS) cache poisoning.
This is where malicious code is installed on a computer or server which directs users to a fraudulent website.
The best way to prevent this occurring is to use anti-virus software.
For further information about how you can protect your network get in touch with us.
5. Dropbox/Google Docs phishing
As with other more targeted forms of attack, Dropbox phishing relies on users’ awareness of Dropbox and the trust individuals place in the service.
Similar attacks have been targeted at Google Docs and Google Drive users in the past.
It relies on the user clicking an “important” link in their inbox. This then sends them to a fake login page hosted (unknowingly to the organisation) on the genuine site.
When using file-sharing in the workplace we recommend you adopt the use of Two-Factor Authentication (2FA). This adds an additional layer of security and is easy for employees to utilise once in place.
“Once more relying on our trust and recognition for certain brands, this highlights the significance of social engineering in all of these attacks.”
The good news
By putting the right technology in place and providing security awareness training for all staff the risk of phishing attacks can decrease successfully.
This was highlighted by the British Government in 2017, when they were able to block 46,000 phishing emails pretending to be from the NHS in just one month.
This resulted from taking simple steps to implement the right defences. Security defences have also been successful in other government bodies such as HMRC.
What should your organisation do?
In order to be vigilant your organisation needs to invest in security awareness training.
Speak to your IT Support Partner or get in touch with us today to see how we integrate this into our IT Support Services.