Phishing is the number one security threat faced by businesses. In this post we explore why phishing is such as serious threat and the top phishing lures that are proving to be the most effective at getting employees to open malicious attachments and click on hyperlinks and visit phishing websites.
Phishing is the Biggest Security Threat Faced by Businesses
Phishing is a tried and tested social engineering technique that is favored by cybercriminals for one very simple reason. It is very effective. Phishing emails can be used to fool end users into installing malware or disclosing their login credentials. It is an easy way for hackers to gain a foothold in a network to conduct further cyberattacks on a business.
Phishing works because it targets the weakest link in security defenses: End users. If an email is delivered to an inbox, there is a relatively high probability that the email will be opened. Messages include a variety of cunning ploys to fool end users into taking a specific action such as opening a malicious email attachment or clicking on an embedded hyperlink.
Listed below are the top phishing lures of 2018 – The messages that have proven to be the most effective at getting end users to divulge sensitive information or install malware.
Top Phishing Lures of 2018
Determining the top phishing lures is not straightforward. Many organizations are required to publicly disclose data breaches to comply with industry regulations, but details of the phishing lures that have fooled employees are not usually made public.
Instead, the best way to determine the top phishing lures is to use data from security awareness training companies. These companies have developed platforms that businesses can use to run phishing simulation exercises. To obtain reliable data on the most effective phishing lures it is necessary to analyze huge volumes of data. Since these phishing simulation platforms are used to send millions of dummy phishing emails to employees and track responses, they are useful for determining the most effective phishing lures.
Protect your MSP clients with the newest zero-day threat protection and intelligence against anti-phishing, business email compromise and zero-day attacks with PhishTitan.
Free Demo
In the past few weeks, two security awareness training companies have published reports detailing the top phishing lures of 2018: Cofense and KnowBe4.
Top Phishing Lures on the Cofense Platform
Cofense has created two lists of the top phishing lures of 2018. One is based on the Cofense Intelligence platform which collects data on real phishing attacks and the second list is compiled from responses to phishing simulations.
Both lists are dominated by phishing attacks involving fake invoices. Seven out of the ten most effective phishing campaigns of 2018 mentioned invoice in the subject line. The other three were also finance related: Payment remittance, statement and payment. This stands to reason. The finance department is the primary target in phishing attacks on businesses.
The list of the top phishing lures from phishing simulations were also dominated by fake invoices, which outnumbered the second most clicked phishing lure by 2 to 1.
| Rank | Phishing Subject/Theme | Number of Reported Emails |
| 1 | Attached Invoice | 4,796 |
| 2 | Payment Notification | 2,267 |
| 3 | New Message in Mailbox | 2,088 |
| 4 | Online Order (Attachment) | 679 |
| 5 | Fax Message | 629 |
| 6 | Secure Message (MS Office Macro) | 408 |
| 7 | Online Order (Hyperlink) | 399 |
| 8 | Confidential Scanned document (Attachment) | 330 |
| 9 | Conversational Wire transfer (BEC Scam) | 278 |
| 10 | Bill Copy | 251 |
Top Phishing Lures on the KnowBe4 Platform
KnowBe4 has released two lists of the top phishing lures of Q3, 2018, which were compiled from responses to simulated phishing emails and real-world phishing attempted on businesses that were reported to IT security departments.
The most common real-world phishing attacks in Q3 were:
| Rank | Subject |
| 1 | You have a new encrypted message |
| 2 | IT: Syncing Error – Returned incoming messages |
| 3 | HR: Contact information |
| 4 | FedEx: Sorry we missed you. |
| 5 | Microsoft: Multiple log in attempts |
| 6 | IT: IMPORTANT – NEW SERVER BACKUP |
| 7 | Wells Fargo: Irregular Activities Detected on Your Credit Card |
| 8 | LinkedIn: Your account is at risk! |
| 9 | Microsoft/Office 365: [Reminder]: your secured message |
| 10 | Coinbase: Your cryptocurrency wallet: Two-factor settings changed |
The most commonly clicked phishing lures in Q3 were:
| Rank | Subject | % of Emails Clicked |
| 1 | Password Check Required Immediately | 34% |
| 2 | You Have a New Voicemail | 13% |
| 3 | Your order is on the way | 11% |
| 4 | Change of Password Required Immediately | 9% |
| 5 | De-activation of [[email]] in Process | 8% |
| 6 | UPS Label Delivery 1ZBE312TNY00015011 | 6% |
| 7 | Revised Vacation & Sick Time Policy | 6% |
| 8 | You’ve received a Document for Signature | 5% |
| 9 | Spam Notification: 1 New Messages | 4% |
| 10 | [ACTION REQUIRED] – Potential Acceptable Use Violation | 4% |
The Importance of Blocking Phishing Attacks at their Source
If login credentials to email accounts, Office 365, Dropbox, and other cloud services are obtained by cybercriminals, the accounts can be plundered. Sensitive information can be stolen and Office 365/email accounts can be used for further phishing attacks on other employees. If malware is installed, cybercriminals can gain full control of infected devices. The cost of mitigating these attacks is considerable and a successful phishing attack can seriously damage a company’s reputation.
Due to the harm that can be caused by phishing, it is essential for businesses of all sizes to train staff how to identify phishing threats and implement a system that allows suspicious emails to be reported to security teams quickly. Resilience to phishing attacks can be greatly improved with an effective training program and phishing email simulations. It is also essential to deploy an effective email security solution that blocks threats and ensures they are not delivered to inboxes.
SpamTitan is a highly effective, easy to implement email filtering solution that blocks more than 99.9% of spam and phishing emails and 100% of known malware through dual anti-virus engines (Bitdefender and ClamAV). With SpamTitan protecting inboxes, businesses are less reliant on their employees’ ability to identify phishing threats.
SpamTitan subjects each incoming email to a barrage of checks to determine if a message is genuine and should be delivered or is potentially malicious and should be blocked. SpamTitan also performs checks on outbound emails to ensure that in the event that an email account is compromised, it cannot be used to end spam and phishing emails internally and to clients and contacts, thus helping to protect the reputation of the business.
Improve Office 365 Email Security with SpamTitan
There are more than 135 million subscribers to Office 365, and such high numbers make Office 365 a big target for cybercriminals. One of the main ways that Office 365 credentials are obtained is through phishing. Emails are crafted to bypass Office 365 defenses and hyperlinks are used to direct end users to fake Office 365 login pages where credentials are harvested.
Businesses that have adopted Office 365 are likely to still see a significant number of malicious emails delivered to inboxes. To enhance Office 365 security, a third-party email filtering control is required. If SpamTitan is installed on top of Office 365, a higher percentage of phishing emails and other email threats can be blocked at source.
To find out more about SpamTitan, including details of pricing and to register for a free trial, contact the TitanHQ team today. During the free trial you will discover just how much better SpamTitan is at blocking phishing attacks than standard Office 365 anti-spam controls.