The Most Challenging Phishing Emails for Employees to Notice

According to estimates, 91% of all cyberattacks begin with a phishing email and phishing techniques are involved in 32% of all successful data breaches.

To provide more insight into this threat, Kaspersky has analyzed data collected by the phishing simulator voluntarily provided by users to check whether its staff can distinguish a phishing email from a real one without putting corporate data at risk. An administrator chooses from the templates, mimicking common phishing scenarios, or creates a custom template. You then send it to the group of employees without warning them and track the results. Many users click on the link, which is a clear indication that additional cybersecurity awareness training is required.

According to recent phishing simulation campaigns, the five types of phishing emails most effective for cybercriminals are:

• Subject: Failed delivery attempt: Unfortunately, our courier could not deliver your item. Sender: Mail delivery service. Click conversion: 18.5%
• Subject: Undelivered emails due to overloaded mail servers: Sender: Google Support Team. Click conversion: 18%
• Subject: Online employee survey: What would you improve about working in the company? Sender: HR Department. Click conversion: 18%
• Subject: Reminder: New company-wide dress code. Sender: Human Resources. Click conversion: 17.5%
• Subject: Attention all employees: new building evacuation plan. Sender: Department of Security. Click conversion: 16%

Other phishing emails that garnered a significant number of clicks included reservation confirmations from a booking service (11%), a notification about placing an order (11%), and a contest announcement from IKEA ( 10%).

On the other hand, emails that threaten the recipient or offer instant benefits appear to be less “successful.” A template with the theme “I hacked your computer, and I know your search history” got 2% of clicks, while offers of free Netflix and $1,000 for clicking a link fooled only 1% of employees.

“Phishing simulation is one of the easiest ways to track employees’ cyber resilience and evaluate the efficiency of their cybersecurity training. However, important aspects must be taken into account when carrying out this evaluation so that it is truly impactful,” comments Alfonso Ramírez, general director of Kaspersky Iberia. “As the methods used by cybercriminals are constantly changing, the simulation must reflect up-to-date social engineering trends, along with common cybercrime scenarios. “It is crucial that simulated attacks are carried out regularly and complemented by appropriate training so that users develop a strong vigilance skill to avoid falling into targeted attacks or spear phishing.”

To prevent data breaches and any related financial and reputational loss caused by phishing attacks, Kaspersky makes the following recommendations to businesses:

1. Remind your employees of the primary signs of phishing emails. A dramatic affair, errors and misspellings, meaningless return addresses and suspicious links;
2. If you have any concerns about the email you received, check the format of the attachments before opening them and the accuracy of the link before clicking. This can be achieved by hovering over these elements: Make sure the address looks authentic and the attachments are not in an executable format;
3. Always report phishing attacks. If you detect a phishing attack, inform your IT security department and, if possible, avoid opening the malicious email. This will allow the cybersecurity team to reconfigure anti-spam policies and prevent an incident;
4. Provide your employees with basic cybersecurity knowledge. Education should change students’ behaviour and teach them how to deal with threats.
5. Since phishing attempts can be confusing and there’s no guarantee of preventing all accidental clicks, protect your work devices. Choose a solution that includes anti-spam capabilities, tracks suspicious behaviour, and backs up files in case of ransomware attacks. Anti-phishing protection is included in some security solutions, even for tiny businesses.