Users fall for these Email Phishing subjects the most
Is phishing still a thing? KnowBe4, a security training company, released details on the top-clicked phishing email subjects of the fourth quarter of 2018; in other words, the subject lines that most often get unsuspecting users to interact with phishing emails.
The data comes from two sources: simulated phishing emails used by KnowBe4 customers and Phish Alert Button interactions.
Phishing is quite the problem on today's Internet. While additional security features such as two-factor authentication may stop some attacks dead in their tracks, in the end it all comes down to users.
Attackers keep inventing new ways to trick users. In 2017, they used Punycode domains to make spoofed domain names look like the real thing, and Google phishing emails that gave the attacker access to a victim's emails and contacts.
The following email subjects top the list:
- Password Check Required Immediately/Change of Password Required Immediately 19%
- Your Order with Amazon.com/Your Amazon Order Receipt 16%
- Announcement: Change in Holiday Schedule 11%
- Happy Holidays! Have a drink on us. 10%
- Problem with the Bank Account 8%
- De-activation of [[email]] in Process 8%
- Wire Department 8%
- Revised Vacation & Sick Time Policy 7%
- Last reminder: please respond immediately 6%
- UPS Label Delivery 1ZBE312TNY00015011 6%
Several of these subjects are holiday-themed; expect those to change in the coming quarters. Common themes include shipping and delivery notices, security-related messages, company policy announcements, and seasonal emails.
Passwords and security, as well as subjects that demand action or raise a concern for the user, are commonly used in phishing emails.
The company tracks social media email subjects separately.
The top list looks like this:
- LinkedIn email subjects, e.g. Add Me, Join My Network, New Endorsements, Profile Views 39%
- Facebook email subjects, e.g. Password change or Primary email change.
- Pizza, e.g. free pizza or anniversary, 10%
- Motorola login alerts, 9%
- New Voice Message, 6%
- Your friend tagged a photo, 6%
- Your password was successfully reset, 6%
- Secure your account, 4%
- You have a new unread message, 3%
It is surprising that LinkedIn tops the list and not Facebook. Several security-related messages are in the top ten, but most social media email subjects used to phish data focus on interaction on the service itself.
Phishing attacks have evolved over the years; it is no longer enough to push millions of emails with phishing links to users. Attackers create emails that spark user interest or concern, and put effort into crafting subject lines that catch a user's attention, as the subject determines whether a user opens the email to read the body (and interact with it) or not.
Most phishing attacks would fall short if users never clicked links in emails.
Now You: What is your take on phishing in 2018? Still as much a threat as in 2010?
LinkedIn users must be braindead. First for using a completely useless platform. Second for being phished, lol.
I don’t think that kind of insult and generalization helps the discussion in any way. The lack of knowledge about what phishing looks like, coupled with the lack of attention to the small details that help one identify a fraudulent email, are the main reasons for the success of phishing. IT security has more to do with a certain mindset, and not that much with IQ.
Agreed 100%. Braindead.
Google has a phishing quiz:
Very interesting Jigsaw incubator by Google. Go and have a look, independently from phishing issues. Thanks for pointing this out.
The phishing test is also illuminating. Good job.
I always found it funny how people keep falling for those…why would you get invoices and tracking numbers if you didn’t order anything? Why would an irl friend message you in broken English instead of his native language? How can someone add you on LinkedIn or another social network you aren’t a member of? And the most important – free stuff doesn’t exist. No one will ever give you anything for free, doesn’t matter if it’s a 50 cent chocolate bar or a 50k car.
Those “i’ve recorded you masturbating, send bitcoins or we’ll show your family and friends” emails are also funny…i wonder if people are falling for them too.
I always fall for the free Pizza :( *dangit*
I have no idea about the course of phishing over the last decade because I’m very seldom confronted with it.
As I see it, factors which may incline one to fall into a phishing trap are:
– Do we have any relation with the email’s object? I have no ‘Bank of Scotland’ account, i.e.
– Do we receive a substantial amount of emails? Finding the intruder among 10 is easier than among 100 of course.
Of course when the email’s object is plausible the risk is higher; I almost failed once for an email sourced (in plain origin, not in raw) as my ISP saying I had won a video-recorder : well crafted, plausible. I had an intuition nevertheless, like a cop with no evidence who nevertheless “feels”, “smells” hidden factors :=)
I keep receiving a phishing attempt once in a while. Sometimes 3 in a row (I guess the rascals went to the market), then nothing for 6 months or so. Here in France I immediately send the raw email to a dedicated site called signal-spam.fr
Beyond what is or should be obvious to all given a minimum of good sense, I guess the tougher tricks are often defeated by experience. Twenty years ago when I discovered the Web I’d give my email address to everyone, to all sites, and receive accordingly the best and the worst: it’s not that I was naive, it’s only that I hadn’t understood that the Web is half underground and not really the image of true life. If I don’t get caught anymore it doesn’t mean I’m happier but only that I’m no longer bothered by intruders. But there’s more happiness in credulity.
Some of those attempts are quite smart. No one should overestimate his own resistance. I consider myself very security-aware, and even paranoid. And yet, I almost fell for one phishing attempt recently.
Fake safety warnings are especially vicious. Never mind the false LinkedIn endorsement if you don’t have a LinkedIn account. The point is, many people have one, and even need to have one, professionally speaking.
2FA does not protect against phishing. Here is an actual phishing campaign that worked, being designed to bypass 2FA:
The only 2FA variety that protects against phishing is hardware security keys. Regular 2FA only protects with certainty against password reuse, which can be prevented with the much less binding use of a password manager.
I’m rather wary of 2FA, actually. I’m dancing around it and have not yet taken the plunge. The received wisdom is “use 2FA”, the way they say “don’t drive and drink”. However, the reality is much trickier than that.
First of all, it’s not a surefire protection against phishing, which is one of the biggest dangers. Unless you go Yubikey or such, and few sites are equipped for that, yet.
Second, 2FA is a huge complexity step beyond username + password + password manager. It’s quite difficult to understand and enforce the extra backup requirements that are mandated. I run regularly into people who’ve lost access to their accounts because of 2FA.
A password is a password, and a password manager is a secure box where you put your passwords. Simple enough. 2FA is a much more complex beast. It has varieties and nuances and requirements, and all of them move all the time. And few people warn you about them.
Indeed, if you do it wrong, you might be worse off with 2FA than without it.
@Clairvaux: “Some of those attempts are quite smart. No one should overestimate his own resistance.”
A million times this. Not just about phishing, but about all social engineering scams. Anyone who thinks they’re too smart to be fooled is wrong. In fact, scammers will often confide that people who think they’re too smart to fall for scams tend to be easier marks.
I read through that link you provided. I’m curious about one detail, if anyone knows the answer: how did the attackers have access to the user’s phone number in the Google attack? In the Yahoo attack the user is specifically asked to “confirm” the phone number, which of course is how the attacker gets to know it. But the description of the Google attack makes it sound like the attackers already had the phone number before the user had done anything.
Generally I think 2FA is a good idea, but like you I am reluctant to use it routinely. I just don’t think it’s worth the inconvenience (having to pull out a phone) or the loss of privacy (having to provide a real-world phone number to the service provider) for most types of online accounts. I have noticed, however, that my bank and cellular provider both now *require* 2FA, and this worries me that soon we will see more forced use of 2FA by such things as car rental websites, retail shopping websites, etc., which would instantly turn me off from using their services.
Phishing is much more of a threat today due to the sophistication of some of it.
Very informative. Thank you
And remember: those stats are partly based on people who were really fooled. In a controlled environment.
KnowBe4 is getting paid by businesses which are security-aware, and which give it money to run fake phishing campaigns against their employees. In order to test whether their mental defenses are strong enough — on top of the company’s technical defenses, of course.
So those results are likely biased in an optimistic sort of way. It’s only the most security-aware business which will pay actual money to run a trial hack against its networks and personnel, after it has spent a good chunk of money strengthening its defenses and educating its users.
A well-known security software company I used to work for regularly sent phishing emails to the employees to keep everyone aware of the issues.
They would also post printouts of real phishing emails alongside the legitimate emails they were spoofing in the hallways, as a puzzle: figure out which one is real and which one is fake and get a prize!
That was a real eye-opener, because 90% of the time nobody could tell the difference even when the fake one was revealed. Often, the difference between the two amounted to a single character.
Those emails were selected for the contests because they were particularly well-crafted, but it really did show that in practice, you don’t have much of a chance of spotting the good ones.
Treat all unsolicited emails as phishing attempts by default and never respond to them directly, even when they seem very important. If an email is coming from an entity that you have no established relationship with, just delete it.
If it’s coming from an entity that you do have a relationship with, don’t reply to it or do anything that it asks you to do. If it seems really important, call up whoever purportedly sent it (look up the number yourself, don’t use one in the email) and ask them about it. If it was really from them and was really important, then they’ll let you know.
Here are one other article and one how-to on the false sense of security that non-hardware-based 2FA might give you:
Journalists being phished despite 2FA:
How to prevent this with hardware keys:
Note this piece of advice relative to hardware 2FA:
“Do not use backup codes with your security key. 2FA allows you to use backup codes in certain cases, for example when you are travelling and may not have access to internet or mobile signal. However, backup codes can be phished through hackers creating a spoof site mimicking those of your service provider, so they should not be used with a key.”
Completely counter-intuitive, and yet…
One of the soundest recommendations to avoid phishing scams is to check the URL of a suspected fake site. However, this is very difficult. Some of the alterations to the genuine address are almost impossible to spot.
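The Punycode look-alike domains the article mentions and the hard-to-spot URL alterations raised in the comment above are exactly what a mail filter can check mechanically. The following is an added example, not KnowBe4's or the site's code; the brand watch list, the small confusable table and the sample URLs are constructed for illustration.

```python
"""Flag look-alike hostnames in URLs: Punycode/IDN homographs, mixed-script
names, and a real brand buried inside an unrelated registrable domain.
Added example; KNOWN_DOMAINS, CONFUSABLES and the sample URLs are constructed."""
import unicodedata
from urllib.parse import urlsplit

# Constructed watch list of brands the filter cares about (assumption).
KNOWN_DOMAINS = ("amazon.com", "linkedin.com", "ups.com")

# Tiny constructed subset of Unicode TR39 confusables: Cyrillic/Greek -> Latin.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u03bf": "o", "\u03b1": "a",
})


def decode_host(url: str) -> str:
    """Hostname with any xn-- (Punycode) labels decoded back to Unicode."""
    host = urlsplit(url).hostname or ""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or a malformed ACE label: keep as-is


def skeleton(host: str) -> str:
    """Normalise and fold confusables so a look-alike collapses onto the real name."""
    return unicodedata.normalize("NFKC", host).casefold().translate(CONFUSABLES)


def classify_host(url: str) -> dict:
    """Return the decoded host and the reasons it looks like a look-alike (if any)."""
    host = decode_host(url)
    registrable = ".".join(host.split(".")[-2:])  # assumes a one-label public suffix
    flags = []
    if any(ord(ch) > 127 for ch in host):
        flags.append("non-ascii")
    scripts = {unicodedata.name(ch, "?").split()[0] for ch in host if ch.isalpha()}
    if len(scripts) > 1:
        flags.append("mixed-script")
    for known in KNOWN_DOMAINS:
        if registrable == known:
            continue  # the genuine domain or one of its subdomains
        if skeleton(registrable) == known:
            flags.append(f"homograph-of:{known}")
        elif known in host:
            flags.append(f"brand-embedded:{known}")
    return {"host": host, "flags": flags}


if __name__ == "__main__":
    # Constructed samples: genuine, brand-in-subdomain, and a Punycode homograph.
    for sample in ("https://www.amazon.com/orders",
                   "https://amazon.com.evil.example/login",
                   "https://" + "\u0430mazon.com".encode("idna").decode("ascii") + "/"):
        print(classify_host(sample))
```

The registrable-domain split is deliberately naive; a production filter would consult the Public Suffix List and the full TR39 confusable table instead.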
I use pi-hole with the https://www.dshield.org and https://openphish.com blacklists as well as many, many others…
I am blocking as many google e100 and amazonawl addresses as possible on my personal network
I know this is not on topic but you’d be surprised how many smaller networks will step up to the plate when Googler, Beelzebub/Amazon connections are blocked.
Ya just don’t need em for personal use…
Ya know it?
One good thing I can say about Gmail (the US alphabet agencies’ best friend) is that it has *superb* spam and phishing filters. In the more than ten years that I have had a Gmail account, I could probably count the number of English-language spam and phishing emails that have made it through to my Inbox on the fingers of both hands. There *was* a period of around six months when I suddenly started getting French-language phishing emails, maybe one every two or three days. I duly marked each one as a phishing attempt in Gmail’s interface, and they abruptly stopped coming at the end of that six-month-ish period. Anyway, when I compare the *tiny* volume of spam and phishing I get in Gmail with the *avalanche* a relative gets in his public-university email account, the difference is nothing short of astounding.
I don’t know about the rest of you, but I find it *extremely* difficult to teach older people who are latecomers to computers and the Internet to recognize phishing attempts. It’s frustrating and worrisome.
That’s the paradox. Everybody loves to hate Google (and Amazon, and others, for very good reasons), but they are doing a superb job on many levels. That’s how they reached monopolistic level.
Yeah, we’re spied upon in a way nobody has been during history, but we also have access to free resources whose quantity and quality really boggle the mind.
As for noobs being unteachable on digital security, let’s admit it’s horribly complex and discouraging if you don’t have a knack for tech. Imagine if you were forced to drive, and you couldn’t get safely to your destination, unless you were able to solve multiple high-level mathematical and physical problems on the way, in order to keep the car on the road.