Have you ever found phishing emails confusing? You aren’t alone

Kaspersky explores the ways hackers are able to confuse users through seemingly legitimate email templates.

While proper cybersecurity training is imperative to keeping organizations safe, users can still be confused when it comes to different types of attempted phishing attacks, leading to potential data breaches. Kaspersky found as part of its Security Awareness Platform and phishing simulator data the emails that users find the most difficult to understand when it comes to attempted phishing attacks.

With nearly all (91%) of cyberattacks beginning with an attempted phishing email, it is crucial that organizations and their employees are able to spot and snuff out a potential breach before it happens.

“Phishing simulation is one of the simplest ways to track employees’ cyber-resilience and evaluate the efficiency of their cybersecurity training,” comments Elena Molchanova, head of security awareness business development at Kaspersky. “However, there are significant aspects that must be considered when conducting this assessment to make it really impactful.”

The most confusing phishing methods to employees

According to Kaspersky, 16% to 18% of employees will click an email template sent by an adversary that appears on the surface to be delivery issues or tech related errors. This is when a cybercriminal is able to take advantage of a user’s lack of awareness around the subject to gain access to their sensitive information. Per the cybersecurity company, the five most clicked on emails per the phishing simulator were:

1. Subject: Failed delivery attempt (18.5%)
2. Subject: Emails not delivered due to overloaded mail servers (18%)
3. Subject: Online employee survey (18%)
4. Subject: Reminder: New company-wide dress code (17.5%)
5. Subject: Attention all employees: new building evacuation plan (16%)

In most of these cases, the employees skimmed these subjects on a surface level, as they appeared to be coming from reliable sources such as the company’s HR department or Google, but these were carefully crafted email templates attempting to pass off as legitimate.

“Since the methods used by cybercriminals are constantly changing, the simulation has to reflect up-to-date social engineering trends, alongside common cybercrime scenarios,” Molchanova said. “It is crucial that simulated attacks are carried out regularly and supplemented with appropriate training—so users will develop a strong vigilance skill that will allow them to avoid falling for targeted attacks or so-called spear phishing.”

Additional phishing subjects that garnered clicks according to Kaspersky were: Reservation confirmations from a booking service (11%), a notification about an order placement (11%), and an IKEA contest announcement (10%).

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

Ways to avoid falling victim

Kaspersky encourages organizations to enforce best email practices wherever possible by reminding employees of the common signs of phishing emails, such as an eye catching subject line, typos or grammatical errors, suspicious links and inconsistent sender addresses. In addition, users should be well versed in zero trust security principles and should not take any communication on face value until it has been verified to be legitimate. One way users can do this is by ensuring that the address the email was sent from is authentic and hovering to see if any files sent are in an executable format.

The cybersecurity company also advocates that employees report any email suspected of being phishing to their respective IT department, and for organizations to provide their workforce with basic cybersecurity knowledge. Lastly, it is recommended that all devices be equipped with the proper antivirus software in case of an accidental click. By selecting a type of preventative software with anti-spam capabilities, the ability to track suspicious behavior and creating a backup copy of your files in case of ransomware attacks, enterprises can insure that even in the case of an incidental click that their sensitive data remains secure.