Phishing e-mails and their risks
A phishing email or SMS (in the case of text messages, this is referred to as SMiShing) is a fraudulent message created to appear authentic, typically asking you to provide sensitive personal information in various ways. Unless examined carefully, phishing emails or text messages are not easy to distinguish from authentic ones. How can we recognize this kind of threat and protect ourselves?
Fraudsters go to great lengths to make phishing messages look as similar as possible to emails and SMS messages sent by companies that are considered trustworthy, which is why you need to be cautious when opening these messages and clicking on the links they contain.
Through new phishing campaigns, cyber criminals are always working to organize highly evolved scams capable of misleading even the most savvy users.
2022 phishing trends
The 2022 trends for detected phishing campaigns put consumer users and users in the professional sphere in the crosshairs. What were the ways in which phishing attacks proved most effective last year?
The interest in this type of asset has not left malicious attackers indifferent as they exploit it to set traps for those looking for a lucrative opportunity.
With vishing, the scam starts with contact by voice rather than email, and the fraudster tries to steal private information by deception. Remember that they are professionals. Unfortunately, in several cases elderly people or people who are unfamiliar with technology are targeted.
Using social engineering techniques, the fraudster tries to gain access to confidential information of significant economic and commercial value. The targets in these cases are business executives and high-profile figures in the world of finance or industry.
Spear phishing is an attack targeted at a single individual or a very small group. The attacker employs precise information that relates exclusively to the potential victim, so the attack has a greater chance of success.
One of the favorite channels of attack for phishing e-mails and their risks
Overall, employees often tend to ignore hidden pitfalls in emails dedicated to business issues or notifications about delivery problems. Nearly one in five employees (16% to 18%), in fact, have clicked on links contained in email templates simulating phishing attacks.
An estimated 91% of all cyberattacks begin with a phishing email, the techniques of which are implicated in 32% of all successful data breaches.
According to the most recent phishing scenario studies, the five most effective phishing emails are:
- Subject: Delivery attempt failed – Unfortunately, our courier failed to deliver your item. Sender: Mail delivery service. Click conversion: 18.5%.
- Subject: Undelivered emails due to mail server overload. Sender: Google support team. Click conversion: 18%.
- Subject: Online employee survey: What would you improve about working at the company. Sender: Human Resources Department. Click conversion: 18%.
- Subject: Reminder: New corporate dress code. Sender: Human Resources. Click conversion: 17.5%.
- Subject: Attention all employees: new building evacuation plan. Sender: Safety Department. Click conversion: 16%.
In addition, other phishing emails that garnered a significant number of clicks included: booking confirmations from a reservation service (11%), notifications of an order (11%), and an announcement of an IKEA contest (10%).
Phishing e-mails and their risks: when immediate benefits are suspicious
In contrast, emails that threaten the recipient or offer immediate benefits seem to be less “successful.” For example, a template with the subject line “I hacked your computer and I know your search history” garnered 2 percent of clicks, while offers such as those of a free Netflix subscription or a $1,000 win only fooled 1 percent of employees.
Phishing e-mails: how to prevent risks
To prevent data breaches and related financial and reputational losses caused by phishing attacks, companies are advised to take the following measures:
- Remind employees of the basic signs of phishing emails: a dramatic subject line, errors and typos, inconsistent sender addresses and suspicious links;
- When in doubt about the email received, it is important to check the format of attachments before opening them and the accuracy of the link before clicking. To do this, it is important to ensure that the address is authentic and that the attached files are not in executable format;
- Always report phishing attacks. In the case of an attack, it is important to report it to the cybersecurity department and, if possible, avoid opening the malicious email. This will enable the cybersecurity team to reconfigure anti-spam policies and prevent an incident;
- Provide employees with basic cybersecurity knowledge. Training should be aimed at changing employees’ behavior and teaching them how to deal with threats;
- Because phishing attempts can be confusing and there is no guarantee of avoiding all accidental clicks, it is important to protect work devices with a reliable security solution that offers anti-spam capabilities, tracks suspicious behavior, and creates a backup copy of files in case of ransomware attacks. Anti-phishing protection is included in some security solutions, even for small businesses.