Stu Sjouwerman, CEO at KnowBe4
Hackers do what works – and what works is manipulating a human’s psyche to make them feel curious, important or, sadly, scared. As technical controls continue to improve at thwarting automated attacks, hackers are upping their sophistication at bypassing technical controls through the use of social engineering. Phishing and ransomware attacks are a serious problem to businesses the world over and have become the logical evolution of cybercrime. Criminals can steal or disable access to corporate or personal finances, sensitive employee data, patient data, intellectual property, employee files and other valuable content.
Results from a quarterly report analysing KnowBe4 user data to find the Top 10 Global Phishing Email Subject Lines for Q1 2018 emphasised that human error continues to be an organisation’s weakest link and showed that users, when delivered a simulated phishing test, still continue to open messages with a mix of subject lines related to personal and company notifications.
The Top 10 Most-Clicked General Email Subject Lines Globally for Q1 2018 include:
- A Delivery Attempt Was Made – 21%
- Change of Password Required Immediately – 20%
- W-2 – 13%
- Company Policy Update for Fraternisation – 10%
- UPS Label Delivery 1ZBE3112TNY00015011 – 10%
- Revised Vacation and Time Policy – 8%
- Staff Review 2017 – 7%
- Urgent Press Release to All Staff – 5%
- Deactivation of (email) in Process – 4%
- Please Read: Important from HR – 2%
*Capitalisation and spelling are as they were in the phishing test subject line
*Email subject lines are a combination of both simulated phishing templates created by KnowBe4 for clients, and custom tests designed by KnowBe4 customers
It appears that many users are suffering from “information overload” in email, making them less likely to carefully scrutinise phishing emails as they should. According to Osterman Research, email has been the number one network infection vector since 2014. Crafting and distributing enticing material using both random and targeted means gives the cybercriminals greater control in targeting potential victims, leveraging multiple psychological triggers and engaging in what amounts to a continuous maturity cycle. So how can organisations fight back?
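The triggers described above (curiosity, importance or authority, fear or urgency) can be turned into a coarse triage heuristic for a mail gateway or for ranking user-reported emails. The following is an added example, not code from KnowBe4 or from the report; the keyword lists are constructed for illustration and would need tuning per organisation, while the sample subject lines are the ten listed above.

```python
import re
from collections import Counter

# Keyword patterns for each psychological lever the article names, plus a
# credential-bait bucket. These lists are constructed for this example and are
# not drawn from any KnowBe4 product or report.
TRIGGER_PATTERNS = {
    "urgency": [r"\bimmediately\b", r"\burgent\b", r"\brequired\b",
                r"\bdeactivat\w*", r"\bin process\b"],
    "authority": [r"\bhr\b", r"\bpolicy\b", r"\bpress release\b",
                  r"\bstaff\b", r"\bcompany\b"],
    "curiosity": [r"\bdelivery\b", r"\blabel\b", r"\bw-2\b",
                  r"\breview\b", r"\bplease read\b"],
    "credential": [r"\bpassword\b", r"\baccount\b", r"\bemail\b",
                   r"\blogin\b", r"\bsign.?in\b"],
}

COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in TRIGGER_PATTERNS.items()}

# The Q1 2018 most-clicked subject lines quoted in the article, used as sample input.
SAMPLE_SUBJECTS = [
    "A Delivery Attempt Was Made",
    "Change of Password Required Immediately",
    "W-2",
    "Company Policy Update for Fraternisation",
    "UPS Label Delivery 1ZBE3112TNY00015011",
    "Revised Vacation and Time Policy",
    "Staff Review 2017",
    "Urgent Press Release to All Staff",
    "Deactivation of (email) in Process",
    "Please Read: Important from HR",
]


def score_subject(subject):
    """Return {trigger: keyword_hits} for every trigger with at least one match."""
    hits = {}
    for name, pats in COMPILED.items():
        n = sum(1 for p in pats if p.search(subject))
        if n:
            hits[name] = n
    return hits


def triage(subjects, min_triggers=1):
    """Rank subjects by distinct triggers hit, then total keyword hits.

    Returns a list of (subject, distinct_triggers, total_hits, trigger_names),
    most suspicious first; subjects below min_triggers are dropped.
    """
    rows = []
    for s in subjects:
        hits = score_subject(s)
        if len(hits) >= min_triggers:
            rows.append((s, len(hits), sum(hits.values()), tuple(sorted(hits))))
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


def trigger_prevalence(subjects):
    """Count how many subjects hit each trigger, for awareness-training reporting."""
    counts = Counter()
    for s in subjects:
        counts.update(score_subject(s).keys())
    return counts


if __name__ == "__main__":
    for subject, distinct, total, names in triage(SAMPLE_SUBJECTS):
        print(f"{distinct} trigger(s), {total} hit(s): {subject!r} -> {names}")
    print("prevalence:", dict(trigger_prevalence(SAMPLE_SUBJECTS)))
```

Subjects that stack two levers at once (a credential lure wrapped in urgency, or a press release framed as urgent and addressed to all staff) rank at the top, which matches the pattern in the list above. Keyword matching is deliberately simple; in practice it would sit alongside sender reputation and link analysis, and serve to prioritise analyst review or to choose which lure styles to rehearse in the next simulated phishing round.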
Key decision makers within organisations must be proactive in taking the following steps to be better prepared for, and deal more effectively with, phishing and ransomware attacks:
- Take time to better understand the risks you face
- Develop and implement adequate policies
- Ensure that systems are kept up-to-date
- Ensure there are good and recent back-ups in place
- Deploy anti-phishing and anti-ransomware solutions
- Implement best practices for user behaviour, including simulated phishing tests
- Use robust threat intelligence
Again, as the Facebook-Cambridge Analytica story shows, news stories influence the social engineering emails that hackers send. Cybercriminals expect that users will always be eager to correct a wrong address or to ensure that their bank accounts aren’t being breached. What’s not expected is a user population that has been properly trained to identify suspicious emails, no matter how well-disguised or emotionally charged they are. People are the last line of defence, and it is increasingly important that organisations take this position seriously by, first and foremost, ensuring their users are properly trained.