Think Before You Click: Phishing
Help protect yourself against email fraud by learning how new, sophisticated phishing schemes trick users.
In phishing attacks, scam artists try to get your personal information by sending you messages that pretend to be from a legitimate organization that you have an account with. While these attacks can come by way of phone calls or text messages, email phishing scams are the most prevalent.
According to one recent survey [1], the average email user receives 16 malicious emails per month. Users must keep their guard up and have a firm understanding of what to look out for and which types of messages they should not respond to, especially by providing personally identifying data. Phishing attacks can be used for identity theft or even to steal money directly.
Subjects that appeal to users' curiosity, such as new voicemails or status updates on online orders, are also popular. Some prey on users' professional lives, such as fake employer policy changes. Others contain offers that are too good to be true, including notifications of free merchandise or contest winnings, and most convey a sense of urgency. [2]
Online security company KnowBe4 recently released the results of a study of phishing [3] looking at the top-clicked phishing email subjects for Q3 2018. Among its findings is that hackers are going after people's desire to remain secure, with messages warning them that an account has been compromised or asking whether they authorized a password reset. Ironically, these are the subjects that most often trick people into providing information to fraudsters.
Perry Carpenter, strategy officer at KnowBe4, commented, “Hackers are leveraging an individual’s desire to remain security minded or well informed by playing into his/her psyche. They do this by making someone believe they are at risk or that something needs immediate attention. These types of attacks are effective because they cause a person to simply react before thinking logically about the legitimacy of the email. Managing the ongoing problem of social engineering is becoming more and more difficult as hackers play into human emotions by causing feelings of alarm or curiosity.”
Out of the tens of thousands of email subjects analyzed by the firm, the top ten most-clicked email subject lines on a global basis were:
● Password check required immediately (29%)
● You have a new voicemail (13%)
● Your order is on the way (11%)
● Change of password required immediately (10%)
● De-activation of [[email]] in process (9%)
● Ups label delivery 1zbe312tny00015011 (6%)
● Revised vacation & sick time policy (6%)
● You’ve received a document for signature (5%)
● Spam notification: 1 new messages (5%)
Other common phishing subjects included:
● You have a new encrypted message
● IT: syncing error – returned incoming messages
● HR: contact information
● FedEx: sorry we missed you.
● Microsoft: multiple log in attempts
● IT: important – new server backup
● Wells Fargo: irregular activities detected on your credit card
● LinkedIn: your account is at risk!
● Microsoft/Office 365: [reminder]: your secured message
● Coinbase: your cryptocurrency wallet: two-factor settings changed
KnowBe4 points to a report by Willis Towers Watson and ESI ThoughtLab [4] that found that 87% of global executives view untrained staff as the greatest cyber risk to their business. "Compounding this finding is the fact that staff training is ranked among the categories to have made the least progress when measured against the National Institute of Standards and Technology (NIST) cybersecurity framework," KnowBe4 says.
According to NIST’s research, phishing is the second most common type of digital attack, just behind malware/spyware. NIST suggests that organizations can discourage employees from unsafe practices by providing education on the subject, implementing more technology solutions, and making it easier for users to report attacks to the IT department. [5]
Experts agree: Don't be so quick to respond to unexpected messages, even if they appear to be from reputable companies. The important thing is to think before you click and to never give out any account information.
Nevada State Bank has more on phishing and other types of fraud here.
The information provided is presented for general informational purposes only and does not constitute tax, legal or business advice. Any views expressed in this article may not necessarily be those of Nevada State Bank, a division of Zions Bancorporation, N.A. Member FDIC