Malicious Hackers Target the Safety-Minded, Curious in Phishing Schemes

One of the most surprising findings was the increase in password-change requests.

Edward Gately, Senior News Editor

October 23, 2018

4 Min Read
Phishing
Shutterstock

Hackers are playing into users’ commitment to security with password checks, as well as their curiosity with a new voicemail or order on its way.

That’s according to KnowBe4‘s “Top 10 Global Phishing Email Subject Lines for Q3 2018.” The messages, compiled from analyzing KnowBe4 user data, are based on simulated phishing tests users received or real-world emails sent to users who then reported them to their IT departments.

Kron-Erich_KnowBe4-150x150.jpg

KnowBe4’s Erich Kron

Erich Kron, KnowBe4’s security awareness advocate, tells Channel Partners that credential phishing is on the rise and many of these attacks focus on getting users to give up those usernames and passwords.

“Once an attacker has access to the victim’s email account, they can reset other account passwords as well as using these legitimate accounts to attack others,” he said. “In organizations, this often leads to fake invoices being sent or to a redirection of payments to the attackers’ accounts.”

One of the most surprising findings was the increase in password-change requests, Kron said.

“This is substantially higher than last quarter and a definite change in trend,” he said. “When there are a series of high-profile data breaches or scams like the recent ‘sextortion‘ email going around that uses an exposed password in the subject line, people get nervous, and in this state of alarm, they are more likely to make mistakes. The addition of a cryptocurrency-related email is also a bit surprising, however, given the growth of cryptocurrency popularity and value, partners can expect to see more like this in the future.”

The Top 10 most-clicked general email subject lines globally for the third quarter include:

  • Password Check Required Immediately, 34 percent

  • You Have a New Voicemail, 13 percent

  • Your order is on the way, 11 percent

  • Change of Password Required Immediately, 9 percent

  • De-activation of [[email]] in Process, 8 percent

  • UPS Label Delivery 1ZBE312TNY00015011, 6 percent

  • Revised Vacation & Sick Time Policy, 6 percent

  • You’ve received a Document for Signature, 5 percent

  • Spam Notification: 1 New Messages, 4 percent

  • [ACTION REQUIRED] – Potential Acceptable Use Violation, 4 percent

When investigating “in the wild” email subject lines, KnowBe4 found the most common for the third quarter included:

  • You have a new encrypted message

  • IT: Syncing Error – Returned incoming messages

  • HR: Contact information

  • FedEx: Sorry we missed you.

  • Microsoft: Multiple log in attempts

  • IT: IMPORTANT – NEW SERVER BACKUP

  • Wells Fargo: Irregular Activities Detected on Your Credit Card

  • LinkedIn: Your account is at risk!

  • Microsoft/Office 365: [Reminder]: your secured message

  • Coinbase: Your cryptocurrency wallet: Two-factor settings changed

“The channel can use the heightened phishing risk to a) engage customers and accounts to prepare for a heavier onslaught on credential phishing, just in time for the holidays and b) train and phish users now to mitigate risk,” Kron said. “Organization employees tend to get stressed and overlook red flags, so the more they are aware of suspicious behavior, the better off the organization is.”

Eighty-seven percent of global executives view untrained staff as …

… the greatest cyber risk to their business, according to a recent report by Willis Towers Watson and ESI ThoughtLab.

Compounding this finding is the fact that staff training is ranked among the categories to have made the least progress when measured against the National Institute of Standards and Technology (NIST) cybersecurity framework. The research also identified the most common types of attacks include malware/spyware (81 percent) and phishing (64 percent).

“Hackers are leveraging an individual’s desire to remain security minded or well informed by playing into his/her psyche,” said Perry Carpenter, chief evangelist and strategy officer at KnowBe4. “They do this by making someone believe they are at risk or that something needs immediate attention. These types of attacks are effective because they cause a person to simply react before thinking logically about the legitimacy of the email. Managing the ongoing problem of social engineering is becoming more and more difficult as hackers play into human emotions by causing feelings of alarm or curiosity.”

Read more about:

Agents

About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like