Email users vulnerable to phishing when message ‘comes from’ trusted source

Phishing emails continue to be one of the most common methods to effectively perpetrate malicious attacks on organizations around the globe.

Nearly one-third of email users are likely to click on a suspicious link or comply with a fraudulent request. Cybercriminals understand that people are even more likely to open a message from a seemingly reliable source, such as the HR department.

Phishing emails continue to be one of the most common methods to effectively perpetrate malicious attacks on organizations around the globe, according to the latest Phishing by Industry Benchmarking Report from KnowBe4, which provides security awareness training.

“Because of this, cybercriminals remain innovative and refine their strategies to stay up to date with current trends and use tactics to grab the attention of end users to ultimately outsmart them,” the report said. “This results in cybercriminals changing phishing email subjects to be more believable while preying on emotions by inflicting urgency, confusion and distress in order to get employees to click on a malicious phishing link or download an attachment.”

Cybercriminals often use email subjects appearing to come from HR on such topics as dress code changes, training notifications, vacation updates and more. These subjects are effective because the topics can affect an employee’s personal life and professional workday, and may cause a person to react before thinking logically about the legitimacy of the email.

Holiday and seasonal phishing email subjects also are common, with 4 of the 5 top holiday email subjects currently related to Halloween and fall items that are used as bait to incentivize unsuspecting end users. Additionally, the report reflects the consistent trend of utilizing IT and online service notifications, as well as tax-related email subjects.

“The continued trend of disguising emails as coming from an internal department such as HR is especially dangerous to organizations, because they appear to be coming from a trusted, reliable source,” said Stu Sjouwerman, CEO of KnowBe4. “These malicious emails take advantage of employee trust and create vulnerabilities within an organization that could potentially result in its downfall.

“KnowBe4’s phishing test reports emphasize the importance of new-school security awareness training that educates end users on the latest and most common cyber-attacks and threats. An educated workforce is essential to fostering a strong security culture and is an organization’s best defense to stay safe online.”