What Phishing Attacks do We Fall For?

Travis Good
September 21, 2020

Phishing is a massively common form of attack and, due to the scale of it, accounts for 80% or more of all security incidents. Software packages, sold and distributed on the dark web, are used by malicious groups to automate and scale these attacks. Email blasts of millions of phishing messages can be sent at once.

Statistics show that roughly 1/4 of recipients will open a phishing email and roughly 1/10 will open a phishing attachment. Those numbers, combined with the millions of phishing attacks being launched all the time, mean that phishing should be taken very seriously.


Sophos recently analyzed data from its phishing simulator software to identify the top 10 phishing template messages that succeeded in getting a recipient to click on a bogus link in the email. The high-level results are interesting: none of the messages in the top 10 was marked high priority, none described an emergency, and none was threatening. All of the email templates simply asked the recipients to take some relatively simple action.

Below is the list of successful phishing emails.

  1. Rules of conduct
  2. Delayed year-end tax summaries
  3. Scheduled server maintenance
  4. Task assigned to you
  5. New email systems test
  6. Vacation policy update
  7. Car lights on
  8. Courier service failed delivery
  9. Secure document
  10. Social media message

This matches our experience at Haekka. Phishing emails can come at any time - day or night, head down or on a break, commuting or in the office, while focused or distracted (especially if working from home with kids doing school from home), on your phone or on your computer, having just completed security awareness training or having not done training for 11 months.

The true risk of a phishing attack is the combination of the content of the fake email and the context and timing in which it was opened by the recipient. If there is a match between message content and recipient context, the likelihood of the phishing attack being successful is higher. If there is not a match between message content and recipient context, the likelihood of a successful attack is lower.

Let’s assume an employee, call her Clair, attempts to clear her inbox each morning before diving into her tasks for the day. She typically does this on her iPhone while enjoying her morning coffee. She skims most emails to get the inbox cleared faster. As she attempts to clear her inbox and get to inbox zero, she sees a note asking for something very mundane - HR needs her to verify her address before sending her tax documents. She clicks the link in the email and fills out her information so she can delete the email (and get to inbox zero). Then she’s done and off to her tasks for the day, and the phishing attack has succeeded.

Scarily, you can program assumed recipient context into phishing applications. As this type of malicious software gets more sophisticated, it will get better at knowing when to deliver what types of messages to maximize the chance of a successful attack.

You can run phishing simulations, you can provide security awareness training, and you can use software to identify phishing attacks and prevent many of them from reaching employee inboxes, but employees will inevitably get phishing emails in their inbox. In our new connected, work-from-home, phone-in-hand world, the one thing you can’t control is the employee’s context when they check their email.

At Haekka, we deliver security training on a continual basis using short-form content to keep security hygiene top of mind and to maximize the time employees spend being vigilant about security.