The most effective subject lines for phishing attacks focus on things employees are afraid to ignore, such as “HR”, “IT”, and “DropBox file shared”, according to a Q2 2024 top-clicked phishing report issued Wednesday by KnowBe4.
“HR is the scariest phishing tool in the attackers’ arsenal,” said Erich Kron, security awareness advocate at KnowBe4. “That is because it’s unusual and HR holds a lot of power. When users see HR, they snap to attention.”
Other top attention-getters that IT needs to be watching and scanning for include: “possible typo”; “dress code changes”; “Microsoft Teams: (name of user’s manager) is trying to reach you”; “Please update W4”; “Amazon Prime: Unable to complete your membership renewal”; and “Backup process for (user’s email address) has failed”.
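The subject lines above are the kind of lure themes a mail-security team can screen for before a message reaches the inbox. The following is an added illustration, not KnowBe4 code and not something the report describes: a small Python screener that maps inbound subjects to the lure themes quoted in the article and adds an urgency signal. The theme-to-pattern table and the sample subjects are constructed for the example; in practice the output would feed a quarantine or banner policy rather than stand alone.

```python
"""Screen inbound mail subjects for the lure themes quoted in the KnowBe4 Q2 2024 report.

Added example, not KnowBe4's code. LURE_PATTERNS is an assumption built from the
subject lines the article lists; SAMPLE_SUBJECTS are constructed test inputs.
"""
import re
from dataclasses import dataclass, field

# One entry per lure theme. Acronyms (HR, IT) are matched case-sensitively so the
# common word "it" does not trigger; everything else is case-insensitive.
LURE_PATTERNS = {
    "hr": [re.compile(r"\bHR\b"),
           re.compile(r"human resources|dress code|\bW-?4\b", re.I)],
    "it": [re.compile(r"\bIT\b"),
           re.compile(r"backup process for .+ has failed", re.I)],
    "file_share": [re.compile(r"dropbox\b.*\bshared|file shared", re.I)],
    "collab_ping": [re.compile(r"microsoft teams: .+ is trying to reach you", re.I)],
    "consumer_account": [re.compile(r"amazon prime|membership renewal", re.I)],
    "typo_bait": [re.compile(r"possible typo", re.I)],
}

# False-urgency wording the report says attackers lean on; assumed list.
URGENCY = re.compile(
    r"\b(urgent|immediately|action required|failed|unable|expir(?:e|es|ed|ing))\b", re.I
)

# Constructed sample subjects, mixing report-style lures with benign mail.
SAMPLE_SUBJECTS = [
    "HR: Dress code changes effective Monday",
    "Please update W4",
    "Microsoft Teams: Dana Reyes is trying to reach you",
    "Backup process for j.doe@example.com has failed",
    "Amazon Prime: Unable to complete your membership renewal",
    "DropBox file shared: Q2 budget.xlsx",
    "Lunch menu for next week",
    "Q3 roadmap review notes",
]


@dataclass
class Verdict:
    subject: str
    themes: list = field(default_factory=list)  # matched lure themes
    urgency: bool = False                        # false-urgency wording present

    @property
    def score(self) -> int:
        """One point per matched theme, plus one if urgency wording is present."""
        return len(self.themes) + (1 if self.urgency else 0)


def screen_subject(subject: str) -> Verdict:
    """Tag a single subject line with the lure themes and urgency signal it carries."""
    verdict = Verdict(subject)
    for theme, patterns in LURE_PATTERNS.items():
        if any(p.search(subject) for p in patterns):
            verdict.themes.append(theme)
    verdict.urgency = bool(URGENCY.search(subject))
    return verdict


def flagged(subjects, threshold: int = 1) -> list:
    """Return verdicts for subjects whose score meets the threshold."""
    verdicts = (screen_subject(s) for s in subjects)
    return [v for v in verdicts if v.score >= threshold]


if __name__ == "__main__":
    for v in flagged(SAMPLE_SUBJECTS):
        print(f"[{v.score}] {v.subject} -> themes={v.themes} urgency={v.urgency}")
```

A score of 1 is a single theme hit and is best surfaced as a warning banner; a score of 2 or more (a lure theme combined with urgency wording) is the combination the report describes and is the tier a team would route to review.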
The report also found that, for enterprises, the most-often attacked vertical was healthcare/pharmaceuticals, displacing the insurance vertical, which had held the top spot for the previous two years. Energy/utilities came in third, a slot it has held for the last three years, the KnowBe4 report said. Other often-attacked verticals were banking, consulting, financial services, and retail/wholesale.
The report noted that little has changed in the key phishing strategies of claiming a false urgency and trying to manipulate user emotions. “Their strategies often exploit human emotions, aiming to elicit feelings of urgency, confusion, anxiety, or even excitement, all in an attempt to lure recipients into clicking on malicious links or opening harmful attachments,” a statement from KnowBe4 said. “These are effective because they may provoke a person to react before thinking logically about the legitimacy of the email, and have the potential to impact an employee’s personal life and professional workday.”
Although the time-honored phishing mechanism of including malware-delivering URLs to click or attachments to open still dominates, the vendor said QR codes are increasingly being used.
QR codes are problematic for several reasons. First, unlike attachments and URLs, there is no way to hover over or right-click a QR code to inspect where it leads and judge whether the destination is legitimate. Second, Kron noted, users are being trained by consumer marketers at sporting events and other venues to scan QR codes blindly.
That makes them an inexpensive and very effective mechanism for tricking end-users into downloading malware.