Phishing simulator data from Kaspersky shows that workers tend not to notice phishing attempts hidden in emails about corporate issues and delivery problem notifications. Roughly one in five employees (16% to 18%, depending on the template) clicked the link in simulation emails that imitate these lures. According to estimates, 91% of all cyberattacks begin with a phishing email, and phishing techniques are involved in 32% of all successful data breaches.
According to recent phishing simulation campaigns, the five most effective types of phishing email are:
- Subject: Failed delivery attempt - Unfortunately, our courier was unable to deliver your item. Sender: Mail delivery service. Click conversion: 18.5%
- Subject: Emails not delivered due to overloaded mail servers. Sender: The Google support team. Click conversion: 18%
- Subject: Online employee survey: What would you improve about working at the company. Sender: HR Department. Click conversion: 18%
- Subject: Reminder: New company-wide dress code. Sender: Human Resources. Click conversion: 17.5%
- Subject: Attention all employees: new building evacuation plan. Sender: Safety Department. Click conversion: 16%
Other phishing emails that gained a significant number of clicks include reservation confirmations from a booking service (11%), a notification about an order placement (11%), and an IKEA contest announcement (10%).
By contrast, emails that threaten the recipient or offer instant benefits appeared to be less "successful." A template with the subject "I hacked your computer and know your search history" gained 2% of clicks, while offers of free Netflix and $1,000 for clicking a link tricked just 1% of employees.
To prevent data breaches (and the financial and reputational losses that phishing attacks cause), businesses should remind employees of the basic signs of a phishing email. Employees should:
- Keep an eye out for a dramatic subject line, mistakes and typos, inconsistent sender addresses (for example, a display name that does not match the actual address, or a Reply-To on a different domain than the From address) and suspicious links.
- Check the real file type of an attachment before opening it and the real destination of a link before clicking. Hovering over a link shows the URL it actually points to, which may differ from the text displayed.
- Always report phishing attacks. If you spot one, report it to your IT security department and do not click its links or open its attachments.
Businesses, in turn, should:
- Educate employees with basic cybersecurity knowledge. Your employees are your first line of defense, and teaching them how to deal with threats is of utmost importance.
- Learn how ThreatAdvice can help. Reach out today!
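Three of the signs listed above (a Reply-To that disagrees with the From domain, a link whose visible text points somewhere other than its real href, and an attachment whose true type is disguised) can be checked mechanically before a message ever reaches the "hover and look" stage. The following is an added example, not code from the original page or from Kaspersky or ThreatAdvice; it runs the checks over a constructed message that mimics the "Failed delivery attempt" template. Every address, domain and filename in it is made up, and the domain-collapsing helper is a naive stand-in for a Public Suffix List lookup.

```python
"""Added example (not from the original page): automated checks for three of the
phishing signs listed above, run over a constructed sample message.
All addresses, domains and filenames below are invented for illustration."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed sample: a fake courier notice whose Reply-To domain differs from
# the From domain, whose link text shows one domain while the href goes to
# another, and which carries a double-extension executable attachment.
SAMPLE = (
    "From: Mail delivery service <notice@courier-example.com>\n"
    "Reply-To: tracking@courier-example-support.net\n"
    "To: employee@corp.example\n"
    "Subject: Failed delivery attempt\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<p>Unfortunately, our courier was unable to deliver your item.</p>\n"
    '<p>Track it here: <a href="http://courier-example.com.trk-redirect.example/t">'
    "https://courier-example.com/track</a></p>\n"
    "--b1\n"
    'Content-Type: application/octet-stream; name="delivery_notice.pdf.exe"\n'
    'Content-Disposition: attachment; filename="delivery_notice.pdf.exe"\n'
    "\n"
    "MZ\n"
    "--b1--\n"
)

# Extensions that Windows will execute directly; a hypothetical short list.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk",
                    ".bat", ".cmd", ".ps1", ".iso"}


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels. Naive stand-in for a Public
    Suffix List lookup ('example.co.uk'-style suffixes are not handled)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(header_value: str) -> str:
    """Registered domain of the addr-spec inside a From/Reply-To header."""
    _, addr = email.utils.parseaddr(header_value)
    return registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def url_domain(text: str) -> str:
    """Registered domain of a URL-looking string, '' if it is not one."""
    candidate = text.strip()
    if not candidate or any(ch.isspace() for ch in candidate):
        return ""
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname or ""
    return registered_domain(host) if "." in host else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def check_message(raw: str) -> list:
    """Return (finding, detail) pairs for the checks that can be automated."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = address_domain(str(msg.get("From", "")))
    reply_dom = address_domain(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch",
                         f"From {from_dom!r} but Reply-To {reply_dom!r}"))
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                shown, real = url_domain(text), url_domain(href)
                # Only compare when the visible text itself looks like a URL.
                if shown and real and shown != real:
                    findings.append(("link-text-mismatch",
                                     f"shows {shown!r}, goes to {real!r}"))
        name = part.get_filename()
        if name:
            suffixes = PurePosixPath(name).suffixes
            if suffixes and suffixes[-1].lower() in RISKY_EXTENSIONS:
                findings.append(("risky-attachment", name))
            elif len(suffixes) > 1:
                findings.append(("double-extension", name))
    return findings


if __name__ == "__main__":
    for code, detail in check_message(SAMPLE):
        print(f"{code}: {detail}")
```

The link check deliberately compares registered domains rather than full hostnames, because `courier-example.com.trk-redirect.example` is built to look like the courier's domain at a glance; only the last two labels reveal where the request actually goes. A link whose visible text is plain words ("Track it here") produces no finding by itself, which is why the hover check in the list above still matters for a human reader.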