The most successful phishing emails – don’t fall victim

Phishing and other email-based scams are still conning countless people, and some lures are considerably more effective than others. New research has highlighted the scam emails most likely to get clicks and harvest credentials from users.

When it comes to email content, fake social media friend or connection requests were the most likely to get clicks: almost a quarter of users, roughly 24%, clicked the link in the email, and 54% of those who clicked went on to enter their credentials. Perhaps surprisingly, these emails were just as effective when sent to business email addresses.

After fake social requests, emails purporting to come from the employee’s HR department about appraisals were the second most successful at getting clicks. They were, however, the most likely to harvest login credentials: almost three quarters of those who clicked provided their details.

The study by MWR Infosecurity used five different types of phishing email:

  • Financial, including invoice downloads
  • Technology, including ‘secure’ emails
  • Human resources, focusing on appraisal systems
  • Promotional, including discount vouchers
  • Social media, focusing on connection requests

The study covered around a million users across 100 simulated targeted attacks on MWR Infosecurity’s clients through its phishd service. The table below shows the effectiveness of each type of email. Troublingly, the success rate increased with each step the user took: once a user’s details had been ‘authenticated’, the final step offered a potentially malicious file to download, and this succeeded across the board (excluding the financial emails):

The table shows how the success rate of the attack increases the further the user goes. Although it is widely recognised that malicious attachments are the most common way to distribute malware, including ransomware, users were still willing to download a file after entering their credentials. Excluding the financial emails, between 72% and 87% of those who had entered their credentials went on to download a potentially dangerous file. The report argues that once the user has clicked a link an element of trust is established, which accounts for the increased success at each following stage.
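The percentages above mix two kinds of figure: absolute rates (share of all recipients who clicked) and conditional rates (share of those who clicked who then entered credentials, share of those who entered credentials who then downloaded). The following is an added example, not MWR or phishd code, showing how both are computed from the per-user event log a simulation platform would typically produce. The event names (‘sent’, ‘clicked’, ‘credentials’, ‘download’, ‘reported’) and the log layout are assumptions, and the sample events are constructed rather than taken from the study.

```python
"""Funnel metrics for a multi-stage phishing simulation (added example).

Assumption: the simulation platform emits one event per user action, as
(template, user, event) tuples. Event names are assumed; the sample below is
constructed data, not the study's figures.
"""
from collections import defaultdict

# Ordered funnel stages after the email is sent.
STAGES = ("clicked", "credentials", "download")

# Constructed sample: four recipients per template.
SAMPLE_EVENTS = [
    ("social", "u1", "sent"), ("social", "u1", "clicked"),
    ("social", "u1", "credentials"), ("social", "u1", "download"),
    ("social", "u2", "sent"), ("social", "u2", "clicked"),
    ("social", "u3", "sent"), ("social", "u3", "reported"),
    ("social", "u4", "sent"),
    ("hr", "u5", "sent"), ("hr", "u5", "clicked"), ("hr", "u5", "credentials"),
    ("hr", "u6", "sent"), ("hr", "u6", "clicked"),
    ("hr", "u6", "credentials"), ("hr", "u6", "download"),
    ("hr", "u7", "sent"),
    ("hr", "u8", "sent"),
    # A repeated click by the same user must count only once.
    ("hr", "u5", "clicked"),
]


def build_funnel(events):
    """Return {template: {event: set(users)}}; sets dedupe repeat actions."""
    funnel = defaultdict(lambda: defaultdict(set))
    for template, user, event in events:
        funnel[template][event].add(user)
    return funnel


def stage_rates(funnel, template):
    """Per stage: 'absolute' = share of recipients, 'conditional' = share of
    users who reached the previous stage. Also returns the report rate.

    Users are intersected with the previous stage so that a stray event
    (e.g. a 'download' without a 'credentials') cannot inflate the funnel.
    """
    stages = funnel[template]
    sent = stages["sent"]
    out = {}
    prev = sent
    for stage in STAGES:
        users = stages[stage] & prev
        out[stage] = {
            "absolute": round(len(users) / len(sent), 3) if sent else 0.0,
            "conditional": round(len(users) / len(prev), 3) if prev else 0.0,
        }
        prev = users
    reported = stages["reported"] & sent
    out["reported"] = round(len(reported) / len(sent), 3) if sent else 0.0
    return out


def summarise(events):
    """Funnel rates for every template present in the event log."""
    funnel = build_funnel(events)
    return {template: stage_rates(funnel, template) for template in funnel}


if __name__ == "__main__":
    for template, rates in summarise(SAMPLE_EVENTS).items():
        print(template, rates)
```

Reading the article’s figures through this lens: a 24% click rate followed by a 54% conditional credential rate gives roughly 13% of all recipients handing over credentials, which matches the report’s statement that more than 10% of users fell victim to the first two stages.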

It’s encouraging to see that finance-related emails were the least successful. I, and many of my colleagues, have received a spate of fake invoice emails purporting to be from reputable companies, including Apple and PayPal, and they looked so legitimate it was unsettling. These emails listed supposed purchases made by the recipient and were intended to scare the user into claiming a ‘refund’. This scare tactic has historically been successful, so it is reassuring to see fewer people falling for it.

But that doesn’t mean we should rest on our laurels.

This study was based on simulated phishing attacks on users at their business email addresses, and it highlights not only that phishing is still a major threat but that humans remain the weak link. Had these phishing emails been real rather than simulated, around 990,000 users could have been compromised, according to MWR and phishd’s James Moore. IBM’s 2014 Cyber Security Intelligence Index shows that 95% of all cyber security incidents involve human error. In total, more than 10% of all users fell victim to the first two stages of these phishing attacks.

As the new generation of digital natives enters the workplace, one could argue that future employees will be more savvy about cyber threats. But as people and security controls get smarter, so do attackers. In fact, the report argues that as our lives become more closely linked to the internet, we are more exposed to this threat than ever, and more apathetic about clicking links or opening attachments. The study also found that only 3% of employees reported the phishing emails.

It’s clear that attitudes towards cyber security and potential breaches need to change. Users can become lax because they assume technology will prevent the attack even if they click a link, or will identify the email and report it for them. As MWR and phishd’s Jason Kerner argues: “A quick glance isn’t enough. You have to train (your staff) to go through the steps and double check if it looks a bit suspicious.” While traditional spam emails are easier than ever to spot, with their plain text formatting and misspelt messages, attackers are getting cleverer. These phishing tactics largely rely on email spoofing; find out how to prevent that in our blog.

According to phishd, simulated phishing attacks are particularly effective at educating staff because they leave a lasting impression: if an employee is told they clicked a link that, had it been real, could have taken down their whole business, they are unlikely to forget it. Our security partner Sophos endorses phishing simulations and has its own tool, Phish Threat. We’ll be offering this as part of our Sophos partner services soon, along with useful training resources, so watch this space.

Have you ever fallen victim to these successful phishing attacks?