The Right Phish Bait Still Catches Too Many Potential Victims
"Security awareness training and simulated phishing brings more opportunity to help protect" members, consumers and FIs.
By now most people, especially in the business world, should show caution when clicking on anything, but that is not always the case when the communication contains the right buzzwords.
Tampa Bay, Fla.-based KnowBe4, which provides security awareness training and simulated phishing, just released its third-quarter results for top-clicked phishing terms and subject lines.
The results found that simulated phishing tests with an urgent message to check a password immediately were most effective, with 43% of users falling for it. Social media messages are another area of concern when it comes to phishing. Within the same report, KnowBe4’s top-clicked social media email subjects reveal that LinkedIn messages are the most popular at 48%, followed by Facebook at 37%.
“As cybersecurity threats persist, more and more end users are becoming security minded,” Stu Sjouwerman, CEO, KnowBe4, said. “They have a vested interest in protecting their online lives, so a message that sounds urgent related to their password can entice someone to click. The bad guys are always looking for clever ways to trick end users, so they need to remain vigilant.”
Rounding out its quarterly reviews, in Q3 2019, KnowBe4 examined tens of thousands of email subject lines from simulated phishing tests. The organization also examined ‘in-the-wild’ email subject lines that show actual emails users received and reported to their IT departments as suspicious.
The top 10 most-clicked general email subject lines globally are listed below. Capitalization and spelling are as they were in the phishing test subject line. The subject lines are a combination of simulated phishing templates created by KnowBe4 for clients and custom tests designed by KnowBe4 customers.
- Password Check Required Immediately
- A Delivery Attempt was made
- De-activation of [email] in Process
- New food trucks coming to [company_name]
- Updated Employee Benefits
- Revised Vacation & Sick Time Policy
- You Have A New Voicemail
- New Organizational Changes
- Change of Password Required Immediately
- Staff Review 2018
When investigating ‘in-the-wild’ email subject lines, KnowBe4 found that the most common throughout the third quarter of 2019 included:
- Skype: New Unread Voicemail Message
- Transaction Refund
- [NAME] shared a document with you
- Microsoft Teams: Please authenticate your account
- Bonus payments for selected employees
- Cisco Webex: Your account is blocked
- Amazon: Billing Address Mismatch
- USPS: High Priority Package: Track it now!
- Verizon: Security Update
- Adobe Cloud: Shared a file with you on Adobe Cloud
KnowBe4, used by more than 28,000 organizations around the globe including financial institutions, also announced it has achieved FedRAMP Authorization. FedRAMP is a government-wide program providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. KnowBe4 currently has 2,745 U.S. federal, state and local government agencies as customers who utilize the KnowBe4 security awareness training and simulated phishing platform.
“This is a huge milestone for KnowBe4 and security awareness training overall,” Sjouwerman said. “We’re excited to achieve FedRAMP Authorization from the U.S. federal government. This achievement exemplifies our commitment to our federal government customers and the security of the U.S.”
“This new status will bring more cybersecurity training to those in federal government, helping to bolster our national security,” Rosa Smothers, SVP of cyber operations, KnowBe4, said. “It shines a light on the criticality that is being placed on security awareness training to protect organizations against the ongoing problem of social engineering. Security awareness training and simulated phishing brings more opportunity to help protect the U.S. government, especially our critical infrastructure, from ongoing cybersecurity attacks.”