Top ten phishing results show human error is still the weakest link

Phishing and ransomware attacks are a serious problem for businesses the world over and have become the logical evolution of cybercrime. Criminals can steal or disable access to corporate or personal finances, sensitive employee data, patient data, intellectual property, employee files and other valuable content.

Last week KnowBe4 released its top 10 Global Phishing Email Subject Lines for Q2 2017, and the results emphasised that human error continues to be an organisation’s weakest link. Users most frequently click on business-related subject lines (“Security Alert” is the highest ranked at 21 per cent), but they continue to click with alarming frequency on subject lines that are not related to work topics and that show red flags. It appears that many users are suffering from “information overload” in email, making them less likely to scrutinise phishing emails as carefully as they should.

According to Osterman Research, email has been the number one network infection vector since 2014. Attackers see it as an effective method because it gives them more control than simply placing traps on the web in the hope that people might stumble across them. Instead, attackers craft and distribute enticing material using both random and targeted means. This approach gives cybercriminals greater control in targeting potential victims, lets them leverage multiple psychological triggers, and supports what amounts to a continuous maturity cycle.

The Top 10 Global Most-Clicked Phishing Email Subject Lines for Q2 2017 are:

  1. Security Alert – 21% 
  2. Revised Vacation & Sick Time Policy – 14%
  3. UPS Label Delivery 1ZBE312TNY00015011 – 10% 
  4. BREAKING: United Airlines Passenger Dies from Brain Hemorrhage – VIDEO – 10% 
  5. A Delivery Attempt was made – 10% 
  6. All Employees: Update your Healthcare Info – 9% 
  7. Change of Password Required Immediately – 8% 
  8. Password Check Required Immediately – 7% 
  9. Unusual sign-in activity – 6% 
  10. Urgent Action Required – 6% 

*Capitalisation is as it was in the phishing test subject line, and Q2 represents April 1 – June 30, 2017.

Multi-layered defence 

The subject lines in the top ten actually made their way through all of the corporate filters and into the inbox of an employee. This points to an acute need for a multi-layered defence, because each layer has different points of effectiveness and ineffectiveness. The reality is that if an email is written correctly it will sail through all of the defences, finding the least effective point of each and playing on the human desire to receive something you didn’t know about, or the urge to intervene before something is taken away. Quite simply, people are the last line of defence, so they are an essential element of organisational security and need to be trained as such.

Businesses also need to be savvy about the social media messages sent to their users, as these are potential landmines for their corporate networks. In KnowBe4’s Top 10 Global Social Networking Subject Lines, four of the top 10 spots (equal to 44 per cent) were related to LinkedIn messages, which users often have tied to their work email addresses.

How do phishing attacks occur?

An organisation’s email addresses are usually pretty easy for cybercriminals to find, and with these they can launch (spear-)phishing attacks on an organisation that are very difficult to defend against unless users have undergone effective ‘security awareness’ training. Here is what usually happens: criminals send phishing emails, an innocent employee clicks on one and infects their PC with malware. The malware records the victim’s keystrokes, which allows the network to be hacked, leading to breached credentials and access to highly sensitive information.

Spoofing 

My company, KnowBe4, recently conducted a domain spoof test of more than 10,000 email servers and identified that eighty-two percent of them were misconfigured, meaning that spoofed emails are able to enter an organisation disguised as coming from the company’s own domain. Domain spoofing is one of the most common security issues: when a domain’s email protections are set up incorrectly, a cybercriminal can impersonate an employee or a key executive, which lets phishing attacks in and makes the organisation an easy target. A typical scenario is a spoofed email that appears to come from “IT” and asks an employee to update their email account credentials. The uneducated employee duly obliges, thinking they are merely complying with a request. Little do they know of the disastrous consequences that might ensue, including a ransomware attack in which all computers on the company network are hijacked.
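The article does not say which settings the spoof test probed. The checks below are an added example, not KnowBe4's test tooling, and they assume the usual cause of a domain being spoofable: an SPF record that does not end in `-all`, and a DMARC record that is missing or set to `p=none`, so mail claiming to come from the company's own domain is reported rather than rejected. The domain names and TXT records are constructed samples; a real check would first look up the TXT records for the domain and for `_dmarc.<domain>`.

```python
"""Assess a domain's email anti-spoofing posture from its SPF and DMARC records.

Added example, not KnowBe4's spoof-test tooling. It assumes the misconfiguration
the article describes is the common one: SPF records that do not end in "-all"
and DMARC policies of p=none, which let mail claiming to come from the company's
own domain reach inboxes. The records below are constructed samples, not real
DNS lookups.
"""
import re


def parse_spf(txt):
    """Split an SPF TXT record into its mechanisms and its final 'all' qualifier.

    Returns None if the text is not an SPF record. The qualifier is one of
    '+', '-', '~', '?' (a bare 'all' means '+'), or None if no 'all' term exists,
    in which case SPF evaluates unlisted senders as neutral, i.e. not rejected.
    """
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    qualifier = None
    mechanisms = []
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"
        else:
            mechanisms.append(term)
    return {"all": qualifier, "mechanisms": mechanisms}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(dmarc):
    """True only when receivers are told to quarantine or reject all failing mail."""
    if dmarc is None:
        return False
    policy = dmarc.get("p", "none").lower()
    return policy in ("quarantine", "reject") and dmarc.get("pct", "100") == "100"


def assess(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means no spoofing weakness found."""
    findings = []
    spf = parse_spf(spf_txt)
    dmarc = parse_dmarc(dmarc_txt)
    enforcing = dmarc_enforcing(dmarc)

    if spf is None:
        findings.append("no SPF record: any server may send mail as this domain")
    elif spf["all"] in (None, "+", "?"):
        findings.append("SPF does not fail unlisted senders (needs -all or ~all)")
    elif spf["all"] == "~" and not enforcing:
        findings.append("SPF ~all only softfails spoofed mail and DMARC does not enforce")

    # SPF validates the envelope sender; the From header the employee sees is
    # only tied to the domain through DMARC alignment.
    if dmarc is None:
        findings.append("no DMARC record: the visible From header is unprotected, "
                        "since SPF only checks the envelope sender")
    elif not enforcing:
        findings.append("DMARC p=%s (pct=%s): failures are reported, not blocked"
                        % (dmarc.get("p", "none"), dmarc.get("pct", "100")))
    return findings


# Constructed sample records for three hypothetical domains.
SAMPLE_RECORDS = {
    "weak.example": ("v=spf1 include:_spf.mailer.example ~all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "hardened.example": ("v=spf1 ip4:192.0.2.0/24 -all",
                         "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example"),
    "unprotected.example": (None, None),
}

if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLE_RECORDS.items():
        print(domain, assess(spf_txt, dmarc_txt) or ["ok"])
```

Running the block prints no findings for `hardened.example` and two each for the other two domains. The point worth keeping from the `~all` branch is that a softfail SPF record is acceptable only when DMARC enforces a quarantine or reject policy; on its own it merely marks spoofed mail, which is exactly the "IT asks you to update your credentials" message that still reaches the inbox.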

Instilling a security conscious culture

Ransomware is on the increase; just think of the hefty casualty list from the likes of WannaCry and Petya. It is slowly starting to dawn on IT managers and executives that traditional, old-school security techniques just won’t cut it against today’s sophisticated cybercriminal. A comprehensive defence-in-depth strategy with new-school security training (that is, training that tests users by sending simulated phishing and other social-engineering attacks) is what’s needed for all employees from the mail room to the board room. Training employees to make better security decisions helps mitigate the risk of social engineering and should be part of the outer layer, along with all other corporate policies and procedures.

Key decision makers within organisations must be proactive in taking the following steps to be better prepared for, and deal more effectively with, phishing and ransomware attacks:

  1. Take time to better understand the risks you face  
  2. Develop and implement adequate policies  
  3. Ensure that systems are kept up-to-date  
  4. Ensure there are good and recent back-ups in place  
  5. Deploy anti-phishing and anti-ransomware solutions  
  6. Implement best practices for user behaviour, including simulated phishing tests 
  7. Use robust threat intelligence 

There is no doubting the very real threat and the enormous damage potential that phishing and ransomware pose to an organisation’s finances, data assets and reputation. These attacks can cause considerable harm, from disruption to employees and the IT department, to causing a company to run afoul of industry and governmental regulations, resulting in lawsuits that, in extreme cases, could put an organisation out of business. There are steps that can be taken to address phishing and ransomware in order to reduce the chances of a breach and the consequences that arise from it, and there is no better time to start than now.

Perry Carpenter, Chief Evangelist and Strategy Officer, KnowBe4 

Image Credit: wk1003mike / Shutterstock