Malicious Hackers Target the Safety-Minded, Curious in Phishing Schemes

One of the most surprising findings was the increase in password-change requests.

Edward Gately, Senior News Editor

October 23, 2018


Hackers are playing into users’ commitment to security with password checks, as well as their curiosity with a new voicemail or order on its way.

That’s according to KnowBe4’s “Top 10 Global Phishing Email Subject Lines for Q3 2018.” The messages, compiled from analyzing KnowBe4 user data, are based on simulated phishing tests users received or real-world emails sent to users who then reported them to their IT departments.


Erich Kron, KnowBe4’s security awareness advocate, tells Channel Partners that credential phishing is on the rise and many of these attacks focus on getting users to give up those usernames and passwords.

“Once an attacker has access to the victim’s email account, they can reset other account passwords as well as using these legitimate accounts to attack others,” he said. “In organizations, this often leads to fake invoices being sent or to a redirection of payments to the attackers’ accounts.”

One of the most surprising findings was the increase in password-change requests, Kron said.

“This is substantially higher than last quarter and a definite change in trend,” he said. “When there are a series of high-profile data breaches or scams like the recent ‘sextortion’ email going around that uses an exposed password in the subject line, people get nervous, and in this state of alarm, they are more likely to make mistakes. The addition of a cryptocurrency-related email is also a bit surprising, however, given the growth of cryptocurrency popularity and value, partners can expect to see more like this in the future.”

The Top 10 most-clicked general email subject lines globally for the third quarter include:

  • Password Check Required Immediately, 34 percent

  • You Have a New Voicemail, 13 percent

  • Your order is on the way, 11 percent

  • Change of Password Required Immediately, 9 percent

  • De-activation of [[email]] in Process, 8 percent

  • UPS Label Delivery 1ZBE312TNY00015011, 6 percent

  • Revised Vacation & Sick Time Policy, 6 percent

  • You’ve received a Document for Signature, 5 percent

  • Spam Notification: 1 New Messages, 4 percent

  • [ACTION REQUIRED] – Potential Acceptable Use Violation, 4 percent

When investigating “in the wild” email subject lines, KnowBe4 found the most common for the third quarter included:

  • You have a new encrypted message

  • IT: Syncing Error – Returned incoming messages

  • HR: Contact information

  • FedEx: Sorry we missed you.

  • Microsoft: Multiple log in attempts

  • IT: IMPORTANT – NEW SERVER BACKUP

  • Wells Fargo: Irregular Activities Detected on Your Credit Card

  • LinkedIn: Your account is at risk!

  • Microsoft/Office 365: [Reminder]: your secured message

  • Coinbase: Your cryptocurrency wallet: Two-factor settings changed
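The two lists above group into a handful of lure types: security-minded bait (password checks, log-in alerts, account de-activation), time pressure (“immediately”, “ACTION REQUIRED”), curiosity bait (a voicemail, an order, a document to sign) and an impersonated department or brand in the subject prefix. The following is an added example, not KnowBe4’s code or scoring, of how a mail-gateway or SOC triage script could turn those observations into a scored subject-line check. The patterns, weights, the brand-to-domain table and the sample messages are all constructed for illustration; a real deployment would tune them against its own reported-phish corpus.

```python
"""Heuristic subject-line triage for the lure types in the KnowBe4 Q3 2018 lists.

Added example, not KnowBe4's code or rules. Patterns, weights, the brand table
and the sample messages are constructed for this illustration.
"""
import re
from dataclasses import dataclass, field

# Each lure category maps to (compiled pattern, weight). Weights are constructed guesses.
LURE_PATTERNS = {
    # Security-minded lure: wording that triggers a reflex to "fix" an account problem.
    "credential": (re.compile(
        r"\b(password|log[- ]?in attempts|account is at risk|two-factor|de-?activation)\b",
        re.I), 3),
    # Time pressure that discourages checking legitimacy.
    "urgency": (re.compile(
        r"\b(immediately|action required|important|irregular activit(y|ies)|at risk)\b",
        re.I), 2),
    # Curiosity lure: something is waiting for the recipient.
    "curiosity": (re.compile(
        r"\b(voicemail|order is on the way|label delivery|missed you|document for signature|"
        r"encrypted message|secured message)\b", re.I), 2),
    # Looks like a UPS tracking number (1Z + 16 alphanumerics); lends false specificity.
    "tracking_number": (re.compile(r"\b1Z[0-9A-Z]{16}\b"), 1),
}

# Subject prefixes that claim to be a department or brand, with the sender domains
# that claim would be expected to come from. "example.com" stands in for the
# organisation's own domain; the table is constructed for this example.
BRAND_CLAIMS = {
    "it": ("example.com",),
    "hr": ("example.com",),
    "microsoft": ("microsoft.com",),
    "microsoft/office 365": ("microsoft.com",),
    "fedex": ("fedex.com",),
    "ups": ("ups.com",),
    "wells fargo": ("wellsfargo.com",),
    "linkedin": ("linkedin.com",),
    "coinbase": ("coinbase.com",),
}
PREFIX_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /]*?)\s*:")

# Score at or above this value is routed to human review.
REVIEW_THRESHOLD = 3


@dataclass
class Verdict:
    subject: str
    sender_domain: str
    score: int
    hits: list = field(default_factory=list)

    @property
    def flag(self) -> bool:
        return self.score >= REVIEW_THRESHOLD


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def claimed_brand(subject: str):
    """Return the brand/department key named in a 'Brand:' subject prefix, if any."""
    m = PREFIX_RE.match(subject)
    if not m:
        return None
    key = m.group(1).strip().lower()
    return key if key in BRAND_CLAIMS else None


def triage(subject: str, sender: str) -> Verdict:
    """Score one message's subject line and sender against the lure heuristics."""
    v = Verdict(subject=subject, sender_domain=sender_domain(sender), score=0)
    for name, (pattern, weight) in LURE_PATTERNS.items():
        if pattern.search(subject):
            v.score += weight
            v.hits.append(name)
    brand = claimed_brand(subject)
    if brand is not None:
        expected = BRAND_CLAIMS[brand]
        # A claimed brand whose sender domain is neither the expected domain nor a
        # subdomain of it is the strongest single signal; look-alike domains that merely
        # start with "microsoft.com." fail this check.
        if not any(v.sender_domain == d or v.sender_domain.endswith("." + d) for d in expected):
            v.score += 3
            v.hits.append(f"brand_mismatch:{brand}")
    return v


# Constructed sample messages mixing lures from the article with benign internal mail.
SAMPLE_MESSAGES = [
    ("Password Check Required Immediately", "helpdesk@mail-secure-login.example"),
    ("You Have a New Voicemail", "pbx@voice-portal.example"),
    ("Microsoft: Multiple log in attempts", "alerts@microsoft.com.account-notice.example"),
    ("IT: IMPORTANT - NEW SERVER BACKUP", "it-support@server-backup-notice.example"),
    ("UPS Label Delivery 1ZBE312TNY00015011", "noreply@ups.com"),
    ("Q3 budget draft attached", "finance@example.com"),
]

if __name__ == "__main__":
    for subject, sender in SAMPLE_MESSAGES:
        v = triage(subject, sender)
        print(f"{'REVIEW' if v.flag else 'ok    '} {v.score:>2} {v.hits} :: {subject}")
```

Two of the sample results are worth noting. “You Have a New Voicemail” scores only 2 and is not flagged: a curiosity lure on its own carries no wording a keyword rule can lean on, which is why the article’s advice is user training rather than filtering alone. “Microsoft: Multiple log in attempts” from a look-alike domain scores 6 because the brand claim in the prefix does not match the sending domain; the same subject from microsoft.com scores 3, the credential wording alone.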

“The channel can use the heightened phishing risk to a) engage customers and accounts to prepare for a heavier onslaught on credential phishing, just in time for the holidays and b) train and phish users now to mitigate risk,” Kron said. “Organization employees tend to get stressed and overlook red flags, so the more they are aware of suspicious behavior, the better off the organization is.”

Eighty-seven percent of global executives view untrained staff as the greatest cyber risk to their business, according to a recent report by Willis Towers Watson and ESI ThoughtLab.

Compounding this finding is the fact that staff training is ranked among the categories that have made the least progress when measured against the National Institute of Standards and Technology (NIST) cybersecurity framework. The research also identified that the most common types of attacks include malware/spyware (81 percent) and phishing (64 percent).

“Hackers are leveraging an individual’s desire to remain security minded or well informed by playing into his/her psyche,” said Perry Carpenter, chief evangelist and strategy officer at KnowBe4. “They do this by making someone believe they are at risk or that something needs immediate attention. These types of attacks are effective because they cause a person to simply react before thinking logically about the legitimacy of the email. Managing the ongoing problem of social engineering is becoming more and more difficult as hackers play into human emotions by causing feelings of alarm or curiosity.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
