[Column] Anna Collard: The great phishing fail
In 2021, phishing attacks increased by 7.3% according to the ESET Threat Report, and the Cisco 2021 Cyber Security Threat Trends report found that around 86% of organisations had at least one person click a phishing link.
This echoes the findings of recent KnowBe4 Security Awareness Research, which found that people keep clicking on fake emails purporting to come from HR, the business and IT. The top email categories that people fall for are those that fit into everyday life: invoices, purchase orders, shared files, and COVID-19 related topics.
"As our quarterly report on the top-clicked phishing tests shows, the emails that catch people are those that they are most used to seeing and that they expect to receive," says Anna Collard of KnowBe4. "They fall into the categories of HR, business, entertainment, IT and online services. They are fake reminders of bill payments, shopping offers, password changes and pandemic messages, and they're often so well designed that they're hard to tell apart from the real thing."
It's easy to see why people fall for the phish, and why training is hit and miss. People are busy; they've got lives and bosses and deadlines. If they receive an email with HR in the subject line that asks them to complete a new form for COVID-19 regulations, it's simple to assume this is a standard office email, especially after two years of being conditioned to fill in forms for this very reason.
"Using KnowBe4's AIDA, our Artificial Intelligence Driven Agent phishing feature, we now leverage machine learning to recommend and deliver personalised phishing (http://KnowBe4.com/phishing) campaigns based on users' training and phishing history. Think of it as your own AI phishing assistant that automatically chooses the best phishing test for each user at that moment, personalised to their individual level. The average success rate of AIDA-driven phishing simulations is 8%, which is about twice as effective as the average randomised phishing campaign. It shows how AI and algorithms can make phishing smarter. The only thing is, the other side has it too," says Collard.
In the US, HR and password-change emails are the most successful, while in Africa the most common phishing lure is "Authorize pending transaction on your wallet", closely followed by "Registration for COVID-19 study" and "IT end of year password policy".
"It's interesting to note that HR emails are the most dominant form of phishing email in the US and tend to cover not just the pandemic, but holiday time, dress code changes and performance appraisals," says Collard. "Globally, phishing focuses on eWallets, benefit accounts and password changes."
Holidays, however, tend to present the biggest risk to users. Christmas, Valentine's Day, Mother's Day: these occasions spark a flurry of phishing emails that entice people to click with special offers, cards, reminders and fake promotions. These are very easy to mistake for the real thing ("Someone special sent you a Valentine's Day eCard!") and can cause untold damage to the business and to individuals when users enter their credentials to access their free gift or card.
"This is why it's increasingly important for organisations to invest into phishing training simulations," says Collard. "Using smart algorithms and recent phishing scams as a starting point, these simulations send out fake emails that are designed specifically to woo users into making that fateful click. It's an excellent way of detecting the areas where people need more training and who tends to fall for these emails the most often. When done frequently, it also allows for the business to gamify its training so people become inoculated with the necessary awareness to detect phishing emails."
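The measurement side of a simulation programme is straightforward once the click data is exported: per-template-category click rates show where awareness is weakest, per-user rates show who needs follow-up, and credential submissions are the clicks that actually matter. The script below is an added example, not KnowBe4 code or part of the original column; the CSV export format, the campaign names and the users are constructed assumptions for illustration.

```python
"""Analyse phishing-simulation results: click rate per template category
and per user, credential-submission count, and repeat clickers who need
follow-up training. Added example; the export format is an assumption."""
import csv
import io
from collections import defaultdict

# Constructed sample export (hypothetical format): one row per simulated
# email delivered. 'clicked' and 'submitted_credentials' are 1 or 0.
SAMPLE_CSV = """campaign,user,category,clicked,submitted_credentials
q1,alice,HR,1,1
q1,bob,HR,0,0
q1,carol,HR,1,0
q1,dave,IT,0,0
q1,alice,IT,1,0
q1,bob,IT,0,0
q2,alice,Online services,0,0
q2,bob,Online services,1,1
q2,carol,HR,1,1
q2,dave,Online services,0,0
"""


def parse_results(text):
    """Parse the CSV export into a list of dicts with boolean flags."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "campaign": row["campaign"],
            "user": row["user"],
            "category": row["category"],
            "clicked": row["clicked"].strip() == "1",
            "submitted": row["submitted_credentials"].strip() == "1",
        })
    return rows


def click_rate_by(rows, field):
    """Return {value: (clicks, sent, rate)} grouped by 'user' or 'category'."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for r in rows:
        sent[r[field]] += 1
        clicked[r[field]] += int(r["clicked"])
    return {k: (clicked[k], sent[k], clicked[k] / sent[k]) for k in sent}


def overall_rate(rows):
    """Programme-wide click rate (the figure the column compares to 8%)."""
    return sum(r["clicked"] for r in rows) / len(rows)


def credential_submissions(rows):
    """Clicks that went on to enter credentials: the real exposure."""
    return sum(r["submitted"] for r in rows)


def weakest_category(rows):
    """Template category with the highest click rate (ties broken by name)."""
    rates = click_rate_by(rows, "category")
    return max(rates.items(), key=lambda kv: (kv[1][2], kv[0]))[0]


def repeat_clickers(rows, min_clicks=2):
    """Users who clicked at least min_clicks times across campaigns."""
    rates = click_rate_by(rows, "user")
    return sorted(u for u, (clicks, _, _) in rates.items() if clicks >= min_clicks)


ROWS = parse_results(SAMPLE_CSV)

if __name__ == "__main__":
    print(f"overall click rate: {overall_rate(ROWS):.0%}")
    print(f"credential submissions: {credential_submissions(ROWS)}")
    for cat, (c, s, rate) in sorted(click_rate_by(ROWS, "category").items()):
        print(f"  {cat:16s} {c}/{s} clicked ({rate:.0%})")
    print("weakest category:", weakest_category(ROWS))
    print("repeat clickers:", repeat_clickers(ROWS))
```

Grouping by campaign as well as by user shows whether the rate is falling over time, which is the number that tells you the training is working rather than the rate for any single campaign.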
While it's easy to understand why an email from HR is likely to be the most successful at scamming people, it's also important to put the risks in front of people as often as possible. The fallout from a successful phishing attempt can be catastrophic, costing the business data, reputation and money, and putting it at risk of compliance violations.
The impact on a personal account is equally severe, and often people don't have the resources to mitigate the damage. Ultimately, consistent training and awareness are key to giving people the insights and expertise they need to recognise a phishing email and not click on that fateful link. Training lowers the click rate but does not bring it to zero, so the credentials that a user does hand over should still be protected by controls such as multi-factor authentication.