A quarter of users will fall for basic phishing attacks

Slightly more than a quarter of people will fall for a phishing scam that claims to be an urgent message prompting them to change a password, according to statistics gathered by cyber security testing and training firm KnowBe4, which specialises in phishing simulations.

While the statistics might be read as a positive indicator that end-users are awake to the importance of password protection and basic cyber security hygiene, KnowBe4 founder and CEO Sty Sjouwerman said it actually showed the need for users to be even more cautious.

“It is easy to see how they fall for phishing scam related to changing or checking their passwords,” said Sjouwerman. “As identifying phishing attacks from legitimate emails becomes trickier, it is more important than ever for end-users to look for the red flags and think before they click.”

KnowBe4 studied tens of thousands of email subject lines both from simulated phishing tests and those found in the wild, and found many of the most-clicked emails related either to security or urgent work-related matters.

It revealed its top 10 most effective simulated subject lines to be: Change of Password Required Immediately (26% opened); Microsoft/Office 365: De-activation of Email in Process (14% opened); Password Check Required Immediately (13% opened); HR: Employees Raises (8% opened); Dropbox: Document Shared With You (8% opened); IT: Scheduled Server Maintenance – No Internet Access (7% opened); Office 365: Change Your Password Immediately (6% opened); Avertissement des RH au sujet de l’usage des ordinateurs personnels (6% opened); Airbnb: New device login (6% opened); and Slack: Password Reset for Account (6% opened).

In the wild, subject lines often tended to relate to Microsoft, with emails about SharePoint and Office 365 particularly likely to be opened, as well as notifications about Google and Twitter accounts. People were also likely to fall for emails pretending to be related to problems with a shipping company, with FedEx the most widely impersonated, as well as the US Postal Service.

KnowBe4 also revealed that social media messages and notifications were a source of significant concern, with emails purporting to be from LinkedIn most likely to be opened, followed by Facebook.

Kayla Gesek, product manager at OneLogin, said KnowBe4’s findings highlighted the importance of so-called zero trust.

“Given that password reuse is one of the biggest security problems companies face today, organisations must build a culture of zero trust when it comes to opening emails with attachments or links, especially those from outside the organisation,” she said.

“This requires a regular cadence of training and awareness that ensures individuals think twice before opening attachments in particular. Organisations and individuals should remember the vital role that MFA [multifactor authentication] can play in protecting against phishing attacks – you are always better off having MFA in place than relying on passwords alone.”

Statistics gathered last year by Spanish mobile operator Telefónica following the launch of a new security service developed alongside McAfee and Allot highlighted the scale of the threat to organisations from phishing attacks, with 89% of threats blocked by it relating to phishing in some way.

During the first two months of the service’s deployment in Spain, Telefónica found that a new threat was created every six seconds, and that small and medium-sized enterprises tended to be the organisations that cyber criminals targeted the most, probably because of generally lower levels of protection.