According to the FBI’s Internet Crime Complaint Center (IC3), more than 26,000 users fell victim to phishing, vishing, smishing and pharming attacks in 2018, suffering more than $48 million in financial losses. All four types of attack use social engineering to trick users into giving up sensitive information, clicking on a malicious link or attachment, or visiting a malicious website. Phishing attacks are delivered via email, vishing attacks by phone, smishing attacks by SMS text message, and pharming attacks via redirected websites.
Users of cloud-based applications and email services were the targets of nearly 30 percent of all attacks, according to the Anti-Phishing Working Group. KnowBe4, a provider of security awareness training, has found that these attacks are most successful when they ask the recipient to take some action or warn of some urgent matter. As a result, the most-clicked phishing email subject lines include:
- Password Check Required Immediately — 35 percent
- De-activation of [[email]] in Process — 11 percent
- Urgent press release to all employees — 9 percent
- You Have a New Voicemail — 8 percent
- Back Up Your Emails — 8 percent
KnowBe4 also found that social media phishing attacks are growing at a rate of 75 percent this year. The company analyzed tens of thousands of simulated phishing attacks sent via its complimentary Social Media Phishing Test tool during Q2 2019, and found that more than half of these attacks have “LinkedIn” in the subject line.
The most-clicked social media phishing tests that KnowBe4 identified are:
- LinkedIn: 56 percent
- Login alert for Chrome on Motorola Moto X: 9 percent
- 55th Anniversay and Pizza Party: 8 percent
- Your Friend Tagged a Photo of You: 8 percent
- Facebook Password Reset Verification: 8 percent
(Capitalization and spelling are as they were in the phishing test subject line.)
Social media phishing attacks are successful because users tend to trust people they connect with on those platforms. Also, users tend not to scrutinize requests to “join my LinkedIn network,” assuming that the email is legitimate. Problem is, when users fall for phishing attacks at work, they expose the entire organization to malware and fraud.
That’s why users are an organization’s last line of defense against cyberattacks. It’s impossible to detect and block every phishing email, and IT teams can’t monitor and manage the “shadow IT” apps and services that users bring into the corporate environment. Every employee — including the most sophisticated, techie users — need to be educated about how to recognize and avoid a phishing or social engineering attack.
Verteks is proud to partner with KnowBe4 to deliver security awareness training to our customers. This highly rated training program includes modules on common threats, social engineering red flags, safe web browsing, handling sensitive information and more. KnowBe4’s content library includes more than 900 items, with a motivational user experience that encourages employees to complete their training.
We can also help you take advantage of KnowBe4’s Social Media Phishing Test to further improve security. Introduced in Summer 2019, this free test is designed to help organizations of all sizes identify users who are likely to fall for a phishing email that looks like it originated from a credible social media site such as Facebook, LinkedIn or Twitter.
Cybersecurity is most successful when users are consistently trained and tested on the latest threats. Let Verteks help you train your users to recognize and manage phishing emails.