Phishing Attacks: What Do They Look Like?
In 2021, 86% of organizations had at least one employee click on a phishing link. Phishing is not a new type of cybercrime, but it keeps evolving year after year. So what do real phishing attacks look like today?
A Q4 2021 report from KnowBe4 gives a peek into what phishing attacks are actually like and how they can fool even the most vigilant employees. Here is what the report says.
Business, HR, and Online Shopping Emails Get the Most Clicks
Some 24% of successful phishing attacks are crafted to look like business communications. These include fake invoices, purchase orders, or shared files that appear to come from a familiar business contact or co-worker. In these attacks, the display name on the email is usually spoofed so that the message appears to have been sent from a legitimate source.
Another 16% of successful phishing emails impersonate HR, often asking for confirmation of personal information such as passwords.
In some less focused phishing campaigns, messages are crafted to mimic online shopping websites or online service providers: 19% of successful phishing attacks impersonate a popular brand, entertainment service, or application.
Subject Lines Focus on Urgency
In the US, email subject lines used in phishing campaigns tend to create a sense of urgency that encourages the reader to click and act immediately. The stakes could be high, urging the reader to respond to a security breach, or low, informing the reader of relevant policy changes.
Both tactics have seen success, with the most common phishing email subjects being requests for password checks, followed immediately by work policy updates around dress codes and vacation time.
Subject lines differ around the world. In Europe, the Middle East, and Africa, the top phishing email subject lines were fraudulent invitations to online meetings, followed by fake documents or invoices, messages from employee portals, and password verification requests.
Phishing Emails Are Purposely Vague
While some targeted spear phishing emails are meant to mimic the exact messaging of a familiar brand or known person, many phishing emails include vague language encouraging you to click on a link. Whether it is password verification requests, message notifications, invitations, or otherwise, the language is purposely left open so the reader’s mind can fill in the blanks.
Vague language is used regularly when the attacker does not have personal information about who they are sending the message to, such as when they are sending out a phishing message from a template. One good indicator is whether your name is used in the greeting, or whether the message refers to you by a generic title, such as a valued customer.
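As an added illustration (not from the KnowBe4 report or Optistar), the following Python heuristic checks constructed sample emails for the cues this post describes: an internal-looking display name on an external sender address, urgency wording in the subject, a generic greeting, and a password request. ORG_DOMAIN, the word lists, and the sample messages are assumptions chosen for the demonstration.

```python
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Cues taken from the traits described above (assumed word lists).
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "act now", "suspended")
GENERIC_GREETINGS = ("dear valued", "dear customer", "dear employee", "dear user")
INTERNAL_DEPT = re.compile(r"\b(hr|it|payroll|helpdesk|accounts)\b", re.IGNORECASE)

# Constructed sample messages, not taken from the report: (From, Subject, body opening).
SAMPLE_MESSAGES = [
    ('"Dana Lee (HR)" <hr-team@payroll-verify.example>',
     "URGENT: confirm your password within 24 hours",
     "Dear valued employee, your account will be suspended unless you act."),
    ('"Acme Shop" <noreply@acme-orders.example>',
     "Your order could not be delivered - act now",
     "Dear customer, please confirm your delivery details."),
    ('"Dana Lee" <dana.lee@example.com>',
     "Q3 dress code update",
     "Hi Sam, attached is the updated policy we discussed."),
]


def phishing_indicators(from_header, subject, body):
    """Return the list of indicators present in one message (empty if none)."""
    hits = []
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower()
    # Display name claims an internal department while the address is external:
    # the display-name spoofing described for business and HR lures.
    if INTERNAL_DEPT.search(display_name) and domain != ORG_DOMAIN:
        hits.append("internal-looking display name, external sender domain")
    if any(word in subject.lower() for word in URGENCY_WORDS):
        hits.append("urgency in subject line")
    # Template phishing rarely knows the recipient's name.
    if body.lower().startswith(GENERIC_GREETINGS):
        hits.append("generic greeting")
    if "password" in (subject + " " + body).lower():
        hits.append("password request")
    return hits


def triage(messages):
    """Rank messages by number of indicators, most suspicious first."""
    scored = [(subject, phishing_indicators(frm, subject, body))
              for frm, subject, body in messages]
    return sorted(scored, key=lambda item: len(item[1]), reverse=True)
```

Heuristics like these only surface candidates for a human or a mail gateway to review; a legitimate message can trip one cue, and a well-targeted spear-phishing email can trip none.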
Phishing Attacks Are Largely Done Over Email
An estimated 96% of all phishing attacks are delivered via email. In 2020 alone, 1 in every 4200 emails was a phishing email. This includes personal and work email addresses, with all accounts being somewhat susceptible to email phishing campaigns.
While some phishing campaigns do include text messages, phone calls, or malicious websites and ads, these are outweighed by the estimated 3.4 billion phishing emails sent out daily.
Although phishing attacks share a lot of common traits, they can still be hard to identify, especially when the recipient is tired or distracted. As phishing emails evolve to reflect changing realities and current events, it’s important to stay up to date on what phishing campaigns look like from month to month.
If you would like information on Security Awareness Training from Optistar, contact us at firstname.lastname@example.org. If you haven’t already, be sure to sign up here for our free cybersecurity tip of the week to stay one step ahead of hackers.