The stakes for companies that have been hacked grow with each passing year, and the most common way a business’s database and vital information is exposed is through employees clicking on malicious e-mail links.
Many attempts to get employees to open and click on dangerous links are crude and easily detectable. But cyber criminals have grown sophisticated and have started using subject lines and body content in their phishing e-mails that look legitimate.
Employees are the first line of defense for every organization, and it takes only one of them clicking a link in a phishing e-mail to expose the company to a host of cyber attacks, such as business e-mail compromise and ransomware.
Many of these e-mails recycle the same subject lines again and again, and a recent report by KnowBe4, a cyber security training firm, found that 40% of phishing e-mail subject lines are human resources-related. Also, the body of the e-mail often creates a sense of urgency for the targeted worker to act quickly.
Danger signs
You can train your staff to beware if they receive an e-mail with one of these most common subject lines:
- HR: Vacation Policy Update
- HR: Important: Dress Code Changes
- Password Check Required Immediately
- HR: Your performance evaluation is due
- Weekly Performance Report
- LinkedIn: Who’s searching for you online?
- IT: Internet Report
- HR: Please update W4 for file
- Acknowledge Your Appraisal
- Employee Expense Reimbursement for [[e-mail]]
And the following are the most common bogus e-mail subjects that employees reported to their superiors as suspicious:
- Equipment and Software Update
- Mail Notification: You have 5 Encrypted Messages
- Amazon: Amazon – delayed shipping
- Google: Password Expiration Notice
- Action required: Your payment was declined
- Wells Fargo: Transfer Completed
- DocuSign: Please review and sign your document
- IT: IT Satisfaction Survey
- Zoom: [[manager name]] has sent you a message via Zoom Message Portal
- Microsoft: Microsoft account security code
Phishing e-mails are also growing more difficult to detect. According to KnowBe4, besides real-looking subject lines, cyber criminals will employ different techniques to lend legitimacy to their e-mails, including:
- Spoofing the company’s domain — These e-mails appear to come from the user’s domain, either because someone has spoofed the domain or uses one that is almost identical to the company’s domain.
- Branded — The e-mail body includes the employer’s logo, name and address.
- Credentials landing page — A phishing link directs the employee to a data entry or log-in landing page that mimics their employer’s page by using the company’s logo, colors and images.
Most of these e-mails will launch malicious code if the recipient either clicks on a link or opens an attached file, typically a pdf.
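As an added illustration (not code from the article or from KnowBe4), the following Python script shows one defender-side check for the first technique above. It classifies the From: domain of an incoming message as the company’s own domain (and, if the receiving mail server’s SPF/DKIM/DMARC results recorded a failure, as spoofed), as a lookalike domain (homoglyph substitutions, typos within a small edit distance, or the company name embedded in an unrelated domain), or as an unrelated external domain. The company domain example.com, the homoglyph table and the sample messages are constructed for this example.

```python
"""Classify an e-mail's From: domain relative to the company's own domain.

Added example (not from the article or KnowBe4). The company domain, the
homoglyph table and the sample messages below are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed company domain (placeholder)

# Visually confusable substitutions seen in lookalike domains; multi-character
# pairs are listed first so "rn" is undone before single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Lower-case a domain and undo common homoglyph substitutions."""
    d = domain.lower().rstrip(".")
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to the company domain flags a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(raw_message: str) -> str:
    """Return 'internal', 'spoofed', 'lookalike' or 'external' for the From: domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    auth = str(msg.get("Authentication-Results", "")).lower()

    if domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN):
        # Exact company domain: trust it only if the receiving mail server's
        # SPF/DKIM/DMARC checks did not fail; a failure means the domain is spoofed.
        if any(f"{mech}=fail" in auth for mech in ("spf", "dkim", "dmarc")):
            return "spoofed"
        return "internal"

    company_label = COMPANY_DOMAIN.split(".")[0]
    if (
        normalize(domain) == COMPANY_DOMAIN
        or levenshtein(domain, COMPANY_DOMAIN) <= 2
        or company_label in domain
    ):
        # Nearly identical domain: homoglyphs, a typo or two, or the company
        # name embedded in an unrelated domain (e.g. example-com.net).
        return "lookalike"
    return "external"


# Constructed sample messages (headers only matter for the check).
SAMPLE_MESSAGES = {
    "internal": (
        "From: HR Department <hr@example.com>\n"
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
        " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
        "Subject: HR: Vacation Policy Update\n\n"
        "Please review the updated policy on the intranet.\n"
    ),
    "spoofed": (
        "From: HR Department <hr@example.com>\n"
        "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;"
        " dkim=none; dmarc=fail header.from=example.com\n"
        "Subject: Password Check Required Immediately\n\n"
        "Click here to verify your password.\n"
    ),
    "homoglyph": (
        "From: IT Support <it@examp1e.com>\n"
        "Subject: IT: Internet Report\n\n"
        "See attached report.\n"
    ),
    "embedded_name": (
        "From: Payroll <payroll@example-com.net>\n"
        "Subject: HR: Please update W4 for file\n\n"
        "Log in to update your W4.\n"
    ),
    "external": (
        "From: LinkedIn <messages-noreply@linkedin.com>\n"
        "Subject: Who's searching for you online?\n\n"
        "You appeared in 3 searches this week.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(f"{name:14s} -> {classify_sender(raw)}")
```

The "spoofed" verdict depends on the receiving mail server having stamped an Authentication-Results header; without SPF, DKIM and DMARC records published for the company domain and checked at the gateway, an exact-domain forgery is indistinguishable from legitimate internal mail at this layer, which is why the lookalike heuristics are a complement to, not a substitute for, those records.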
Training is paramount
When criminals target an organization for attack, they will often start with a deep online search for employees’ e-mail addresses. Some companies list nearly every one of their employees’ e-mail addresses on their website. The more workers a company has, the more susceptible it is to attack.
According to KnowBe4, once they have those addresses they can start sending the employees e-mails “supposedly coming from Human Resources, the CEO or perhaps the mail room, and social engineer your users to click on a link.”
Besides firewalls and other safety protocols, you should prioritize training your staff to detect and report any suspicious e-mails. First and foremost, they should avoid clicking on links or opening attachments unless they are sure that the e-mail is from a trusted source.