Phishing is the single most common way employees end up introducing malware into an organization. Effective training to spot this risk in incoming emails is table stakes for all organizations, no matter the size. This article synthesizes the latest research on what phishing emails look like and offers tips on improving your company’s risk posture.
According to research from Proofpoint, 75 percent of phishing attacks facing US businesses in 2020 were successful, which is 30 percent higher than the global average. And this is despite 95 percent of organizations claiming to sensitize their employees about phishing.
96 percent of all phishing attacks occur via email. According to SonicWall’s 2020 Cyber Threat Report, cybercriminals prefer Microsoft Office files and PDFs to deliver social engineering attacks, including phishing. The reason is simple: these files are universally trusted in the modern workplace.
Even more disturbing, 97 percent of users are unable to identify a sophisticated phishing email correctly.
With such stats, it makes perfect sense to know the common traits of phishing emails. That way, you can pinpoint and flag phishing baits before they wreak havoc on your organization’s systems.
How employees get hooked
As per Terranova’s 2020 Gone Phishing Tournament, nearly 20 percent of all employees are likely to open emails containing phishing links. Of those, a whopping 67.5 percent proceed to share their details/credentials on a phishing site.
Essentially, that implies 13.4 percent of all employees are likely to share their passwords and other sensitive information on malicious phishing sites. The question is: what convinces so many people to click on fraudulent links?
Subject lines
A survey by KnowBe4 found that the most common phishing email subject lines were:
- Changes to your health benefits
- Amazon: Action Required | Your Amazon Prime Membership has been declined
- Twitter: Security alert: new or unusual Twitter login
- Google Pay: Payment sent
- Zoom: Scheduled Meeting Error
- Stimulus Cancellation Request Approved
- RingCentral is coming!
- Workday: Reminder: Important Security Upgrade Required
- Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
A closer look at these subject lines shows that cybercriminals capitalize on the following three areas:
- People’s desire to live a healthy lifestyle.
- The rise of remote work. While more people embrace working remotely, few are aware of the security threats they’re likely to encounter.
- The popularity of virtual communication platforms such as Zoom and digital entertainment.
Attachments
According to the ESET Threat Report, the following are the most common types of malicious attachments in phishing emails:
- Windows executables – 74 percent
- Script files – 11 percent
- Office documents – 5 percent
- Compressed archives – 4 percent
- PDF documents – 2 percent
- Java files – 2 percent
- Batch files – 2 percent
- Shortcuts – 2 percent
- Android executables – less than 1 percent
Brand impersonation
Check Point research shows that Microsoft is the most imitated brand in phishing attempts, with many cybercriminals impersonating the brand’s login screen to steal users’ credentials.
This trend is due to an increase in the number of organizations using Microsoft’s cloud application suite.
INKY’s recent study supports these findings, noting that Microsoft-related emails account for 70 percent of brand impersonations, followed by Zoom, Amazon, Chase Bank, and RingCentral.
The same report states that brand imitation incidents are most common among IT brands (71.8 percent), followed by telecoms, retail, finance, and logistics.
Internal threats
Organizations in the United States recorded a staggering 2,500 internal security breaches every day, with 66 percent of organizations saying insider attacks are more likely to happen than external attacks.
In a survey conducted by accountancy firm BDO, 34 percent of business owners said they experienced fraudulent activities involving conspiracy between their employees and bad actors. Even more surprising, 21 percent said their employees initiated the fraud.
The impact of phishing attacks
Phishing is bad for business. Here are some implications of falling for a phishing email.
- Data loss
- Ransomware infections
- Compromised accounts or credentials
- Malware infections
- User downtime
- Loss of income and clients
- Compliance fines
- Loss of intellectual property
- Damage to reputation
- Direct monetary loss
How can you safeguard your organization against phishing email attacks?
While there’s no single foolproof solution to email security, you can use a multi-layered approach to keep attackers out. Start with security awareness training for your employees through simulated phishing campaigns.
The idea is to transform your employees from potential targets into a solid line of defense against phishing email attacks.
On top of that, invest in a phishing incident response tool to monitor your employees’ outbound and inbound emails, scanning them for fraudulent and malicious content. The software picks up spam or phishing threats and blocks the email, protecting users at an individual level.
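As an added example (not from the article or any vendor product), here is a small inbound-mail triage check that applies two of the signals discussed above: the ESET attachment categories and display-name brand impersonation. The extension sets, the accepted brand domains and the sample message are constructed assumptions.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment classes from the ESET list above; the extension sets are an assumption.
ATTACHMENT_CATEGORIES = {
    "Windows executable": {".exe", ".dll", ".scr", ".msi"},
    "Script file": {".js", ".vbs", ".ps1", ".wsf", ".hta"},
    "Office document": {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"},
    "Compressed archive": {".zip", ".rar", ".7z", ".iso"},
    "PDF document": {".pdf"}, "Java file": {".jar"}, "Batch file": {".bat", ".cmd"},
    "Shortcut": {".lnk"}, "Android executable": {".apk"},
}
# Frequently impersonated brands and the sender domains accepted for them (assumption).
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}, "zoom": {"zoom.us"}, "amazon": {"amazon.com"}}

def attachment_category(filename):
    """Category for the *last* extension, so 'Notice.pdf.exe' counts as an executable."""
    ext = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return next((cat for cat, exts in ATTACHMENT_CATEGORIES.items() if ext in exts), None)

def brand_mismatch(from_header):
    """Return the brand named in the display name if the sender domain is not that brand's."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    return next((b for b, doms in BRAND_DOMAINS.items() if b in name.lower() and domain not in doms), None)

def triage(msg):
    """List findings for an EmailMessage; an empty list means nothing was flagged."""
    findings = []
    brand = brand_mismatch(msg.get("From", ""))
    if brand:
        findings.append(f"display name claims {brand} but sender domain is not {brand}'s")
    for part in msg.iter_attachments():
        cat = attachment_category(part.get_filename() or "")
        if cat:
            findings.append(f"{cat} attachment: {part.get_filename()}")
    return findings

def sample_message():
    """Constructed sample: impersonated Microsoft display name plus a double-extension executable."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Account Team <security@account-verify.example>"
    msg["Subject"] = "Action needed: update the address for your subscription"
    msg.set_content("Please review the attached notice.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Notice.pdf.exe")
    return msg

if __name__ == "__main__":
    for finding in triage(sample_message()):
        print(finding)
```

A real gateway would combine such findings with authentication results (SPF/DKIM/DMARC) and quarantine rather than only flag; this block shows the classification step alone.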