The phishing bait that hooks most victims
Phishing emails referencing corporate issues and delivery problem notifications are the ones most likely to induce people to click links according to new research.
Data on simulated phishing attacks from Kaspersky's Security Awareness Platform shows emails with these subjects were successful in getting people to click 16 to 18 percent of the time.
The five most effective emails were:
- Failed delivery attempt -- Unfortunately, our courier was unable to deliver your item. Sender: Mail delivery service. Click conversion: 18.5 percent
- Emails not delivered due to overloaded mail servers. Sender: The Google support team. Click conversion: 18 percent
- Online employee survey: What would you improve about working at the company. Sender: HR Department. Click conversion: 18 percent
- Reminder: New company-wide dress code. Sender: Human Resources. Click conversion: 17.5 percent
- Attention all employees: new building evacuation plan. Sender: Safety Department. Click conversion: 16 percent
Other emails that gained a significant number of clicks included reservation confirmations from a booking service (11 percent), a notification about an order placement (11 percent), and an IKEA contest announcement (10 percent).
Interestingly those that made threats or offered some form of instant reward proved least successful. A template with the subject, 'I hacked your computer and know your search history' gained only two percent of clicks, while offers for free Netflix and $1,000 by clicking a link tricked just one percent of employees.
"Phishing simulation is one of the simplest ways to track employees' cyber-resilience and evaluate the efficiency of their cybersecurity training. However, there are significant aspects that must be considered when conducting this assessment to make it really impactful,2 says Elena Molchanova, head of security awareness business development at Kaspersky. "Since the methods used by cybercriminals are constantly changing, the simulation has to reflect up-to-date social engineering trends, alongside common cybercrime scenarios. It is crucial that simulated attacks are carried out regularly and supplemented with appropriate training – so users will develop a strong vigilance skill that will allow them avoid falling for targeted attacks or so-called spear phishing."
Tips on how to protect yourself from phishing are available on the Kaspersky blog.