The most probable links/files to be clicked on in phishing emails are those that appear to be from the HR or IT departments, according to KnowBe4, a security awareness training and simulated phishing platform. The results came after the cybersecurity firm ran tests to identify the most common phishing email subjects.
KnowBe4 has published the new 2022 Phishing by Industry Benchmarking Report. The research aimed to determine an organization’s Phish-prone Percentage (PPP), which indicates how many of its workers are susceptible to phishing scams.
The cybersecurity awareness company tested employees to ascertain the likelihood of clicking a phishing link. The study revealed that emails from HR/IT are most likely to be clicked by employees, with half of those that were clicked on having HR-related subject lines such as vacation policy updates, dress code changes, and upcoming performance reviews.
The most common subject lines clicked by employees are illustrated below:
Top Email Subjects Globally | Source: KnowBe4
“Business phishing emails are particularly effective because, left unanswered, they could potentially affect the user’s daily work, enticing employees to react quickly before thinking logically about the email’s legitimacy,” KnowBe4 explained.
“The email source may be hidden by a spoofed domain, making it even easier to miss, and may even have the company name and logo (sometimes even the employee’s name) in the email body. Most include a phishing hyperlink in the email or a supposed PDF attachment.”
KnowBe4 also provided the most common pretexts used in attacks in the wild:
- HR: Your performance evaluation is due
- Google: You were mentioned in a document: “Strategic Plan Draft”
- IT: Inventory Form
- Microsoft 365: Microsoft 365 has new password requirements
- Amazon: Balance paid on your seller account
- Xerox: New document was processed for [[email]]
- Zoom: [[manager_name]] has sent you a message via Zoom Message Portal
- Facebook: Your recent Facebook login
- Your fax is pending for preview
- Money has been successfully withdrawn from your bank account
The report also studied 9.5 million users at 30,173 organizations across 19 industries, using over 23.4 million simulated phishing security tests. The company found that one in three untrained users (32.4%) is likely to click on a fraudulent phishing link.
So it’s not surprising that 80% of company data breaches result from human error. KnowBe4 CEO Stu Sjouwerman said, “New-school security awareness training your staff is one of the least costly and most effective methods to thwart social engineering attacks.”
“Training gives employees the ability to rapidly recognize a suspicious email, even if it appears to come from an internal source, causing them to pause before clicking. That moment where they stop and question the email is a critical and often overlooked element of security culture that could significantly reduce your risk surface,” he added.