KnowBe4’s latest quarterly report on top-clicked phishing email subjects is here. We analyze ‘in the wild’ attacks reported via our Phish Alert Button, top subjects globally clicked on in phishing tests, and top attack vector types.
Top Phishing Emails Seen “In the Wild” are Mostly Business-Related
Business phishing emails are the most clicked subject category globally. These are particularly effective because, left unanswered, they could potentially affect the user’s daily work, enticing employees to react quickly before thinking logically about the email’s legitimacy. The email source may be hidden by a spoofed domain, making it even easier to miss, and may even have the company name and logo (sometimes even the employee’s name) in the email body.
Last quarter, half of the phishing tests that were clicked on had subject lines related to Human Resources, including vacation policy updates, upcoming performance reviews, and a notice of an expense reimbursement.
By now most people know that if they receive a text message confirming an $1800 order they never placed, or telling them they’ve just won a new grill, they shouldn’t click on it. But what if it’s from their HR Department about an upcoming performance review? Or, what if the attachment is a draft of a Strategic Plan that mentions their name?
“We already know that more than 80% of company data breaches globally come from human error,” said Stu Sjouwerman, KnowBe4’s CEO. “New-school security awareness training for your staff is one of the least costly and most effective methods to thwart social engineering attacks. Training gives employees the ability to rapidly recognize a suspicious email, even if it appears to come from an internal source, causing them to pause before clicking. That moment where they stop and question the email is a critical and often overlooked element of security culture that could significantly reduce your risk surface.”
Almost every email subject we examined contained a phishing link. When these links are clicked they often lead to disastrous cyberattacks such as ransomware and business email compromise. Spoofed domains look like they are coming from within the users’ organization, adding an illusion of legitimacy and a sense of urgency to the email.
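The spoofed-domain pattern described above is something a mail gateway or triage script can flag before a user ever sees the message. The following is an added example, not code from KnowBe4 or its report: it parses the From header, treats `example.com` as the organization's own domain (an assumption), and classifies each sender as internal, a lookalike of the internal domain (after collapsing common character substitutions such as `rn` for `m` or `1` for `l`), a display-name spoof that quotes an internal address while sending from elsewhere, or plainly external. The sample headers are constructed for the demonstration.

```python
# Added example: classify From headers for internal-domain spoofing.
# Not from KnowBe4's report; the org domain and sample headers are constructed.
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organization's real sending domain

# Constructed From headers standing in for a batch of reported messages.
SAMPLE_FROM_HEADERS = [
    "HR Department <hr@example.com>",             # genuine internal sender
    "HR Department <hr@exarnple.com>",            # 'rn' masquerading as 'm'
    "Payroll <payroll@examp1e.com>",              # digit '1' masquerading as 'l'
    '"hr@example.com" <review@gmail.com>',        # internal address in the display name only
    "Vendor Newsletter <news@vendor.net>",        # ordinary external sender
    "not an address",                             # malformed header
]

# Character substitutions that make a lookalike domain read like the real one.
# The list is illustrative, not exhaustive.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def skeleton(domain: str) -> str:
    """Collapse visually confusable sequences so lookalikes compare equal."""
    d = domain.lower()
    for src, dst in CONFUSABLE_PAIRS:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, org_domain: str = ORG_DOMAIN) -> str:
    """Return one of: internal, lookalike-domain, display-name-spoof, external, malformed."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    domain = addr.rpartition("@")[2].lower()
    if domain == org_domain or domain.endswith("." + org_domain):
        return "internal"
    # A domain whose confusable-collapsed form is within two edits of ours is a lookalike.
    if edit_distance(skeleton(domain), skeleton(org_domain)) <= 2:
        return "lookalike-domain"
    # The display name claims an internal identity, but the actual sender is elsewhere.
    if org_domain in display.lower():
        return "display-name-spoof"
    return "external"


def summarize(from_headers, org_domain: str = ORG_DOMAIN) -> dict:
    """Count senders per class; anything other than 'internal'/'external' merits review."""
    counts: dict = {}
    for header in from_headers:
        label = classify_sender(header, org_domain)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(header):20} {header}")
    print(summarize(SAMPLE_FROM_HEADERS))
```

The `endswith("." + org_domain)` check accepts genuine subdomains while rejecting domains that merely contain the organization name; the edit-distance threshold of two is a tuning knob that trades missed lookalikes against false alarms on unrelated short domains.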
Read more and download the infographic in our blog post!