The Most Clicked Hooks for Phishing

A cybersecurity firm warns this is particularly disconcerting for CU employees and other financial services professionals.

Phishing concerns for credit unions. (Source: Shutterstock)

Fraudsters need a hook, a subject line, to catch unwary victims when they go phishing, especially in the business world. Tampa Bay, Fla.-based KnowBe4 looked at the most clicked subject lines.

KnowBe4, which provides security awareness training and a simulated phishing platform to improve how organizations use their people as part of their security defense, found that over the course of the first quarter of 2018 (both in simulated phishing tests and in in-the-wild emails its customers actually received), emails with “LinkedIn” in the subject line were opened 50% of the time.

The examination of simulated phishing tests showed that half of users clicked on spoofed LinkedIn emails (where subject lines are a combination of both simulated phishing templates created by KnowBe4 for clients, and custom tests designed by KnowBe4 customers) including the following subject lines:

KnowBe4 noted that social media sites are hotbeds for cybercriminal activity and that many LinkedIn users, particularly those with business development responsibilities, have their accounts tied to their corporate email addresses, increasing the risk of corporate phishing attacks, ransomware, breaches or other social engineering-related threats. The Florida cybersecurity firm held that this is particularly disconcerting for credit union employees and other financial services professionals.

“From the standpoint of a hacker, social media gives an all-access entry point into an organization because some social media accounts are tied to corporate email addresses. I cannot stress enough that employees need to be hyper-vigilant about clicking on emails and links that come to their corporate email addresses,” Stu Sjouwerman, CEO, KnowBe4, said. “Clicking to view a new job posting or to identify who has viewed your LinkedIn profile could easily open the gates to bad actors who want to cause damage to the organization.”

Sjouwerman emphasized that people often rely on what they think are trusted sources to protect their information but fall victim to social media scams and end up offering up sensitive information. “To best protect personal information and your organization, you have to have a defense-in-depth security strategy that includes training your users to spot phishing emails.”

In addition to sharing simulated phishing test results to identify social networks that tempt users, KnowBe4 found subject lines – both from simulated tests and in-the-wild emails users receive and report – prey on what matters most to users. Subject lines related to human resources and corporate policies, W-2 forms and Amazon ranked in the top 10 in the first quarter of 2018 for both simulated tests and in-the-wild email subject lines.

KnowBe4 indicated that falling victim to a phishing email is avoidable. Organizations need to train their users to be their last line of defense. KnowBe4 has many free tools to test the users in their network, including the Phishing Reply Test, which quizzes organizations’ users to see if they will reply to a highly targeted spoofed email attack, and the Password Exposure Test to tackle at-risk employees.

To help organizations that rely on third parties, including credit unions and other financial institutions, evaluate their governance, risk management, and compliance status, KnowBe4 also announced new functionality for KCM GRC, the company’s GRC management platform, an intuitive platform that organizations can customize to measure third-party vendor risk.

Once organizations complete an initial assessment, they can continually monitor against set risk levels. “Third party vendors introduce risk to any organization. With the introduction of vendor risk in the KCM GRC platform, we designed it as a simple, intuitive and scalable platform to easily manage these risks,” Blake Huebner, KnowBe4’s SVP of KCM Strategy, said.