What Phishing Bait Works? Citibank Cyberattack Underway

What does it take to convince an employee to click on a phishing scam link/? A new report revealed security-connected or giveaway emails harvest the most clicks.

The Tampa Bay, Fla.-based security awareness training firm KnowBe4, issued its fourth quarter 2019 top-clicked phishing report, based on user responses to the subject lines of tens of thousands of emails from simulated phishing tests.

The results found that simulated phishing tests with an urgent message to check a password immediately were most effective, with 39% of users falling for it. Social media messages are another area of concern when it comes to phishing. Within the same report, KnowBe4’s top-clicked social media email subjects reveal that LinkedIn messages are the most popular at 55%, followed by Facebook at 28%.

“With more end users becoming security-minded, it’s easy to see how they fall for phishing scams related to changing or checking their passwords,” Stu Sjouwerman, CEO of KnowBe4 said. “They should be especially cautious if an email seems too good to be true, such as a giveaway. As identifying phishing attacks from legitimate emails becomes trickier, it’s more important than ever for end users to look for the red flags and think before they click.”

Among the key findings were:

• Security-related and giveaway phishing emails garner the most clicks.
• Simulated phishing tests with an urgent message to check a password immediately were the most effective “lures” with 39% of users falling for the ruse.
• Rounding out the top 10 most-clicked general email subjects were Microsoft/Office 365: deactivation of email in process (14%), password check required immediately (13%), human resources/employees Raises (8%), Dropbox/document shared with you (8%), IT/scheduled server maintenance – no internet access (7%), and with 6% each: Office 365: change your password immediately, Avertissement des RH au sujet de l’usage des ordinateurs personnels, Airbnb/New device login, and Slack/Password Reset for Account. (Capitalization and spelling are as they were in the phishing test subject line.)

The organization also reviewed “in-the-wild” email subject lines that show actual emails users received and reported to their IT departments as suspicious – the top 10 “in-the-wild” phishing email subjects were:

• SharePoint: approaching SharePoint site storage limit.
• Microsoft: Anderson Hauck has shared a whiteboard with you
• Office 365: medium-severity alert, unusual volume of file deletion
• FedEx: correct address needed for your package delivery on [current_date_0]
• USPS: your digital receipt is ready
• Twitter: your twitter account has been locked
• Google: please complete the required steps
• Cash App: your account has been closed
• Coinbase: important please resolve error now
• Would you mind taking a look at this invoice?

(In-the-wild email subject lines represent actual emails users received and reported to their IT departments as suspicious. They are not simulated phishing test emails.)

Meanwhile, Lawrence Abrams of Bleeping Computer reported a new Citibank phishing scam found by MalwareHunterTeam is underway that exploits a convincing domain name, transport layer security certificates and requests for one-time password codes that could easily cause people to believe they are submitting their personal information on a legitimate page.

Jing Xie, senior threat intelligence researcher at the Salt Lake City-based cybersecurity firm Venafi, said: “Malicious lookalike domains may look sophisticated and authentic, however, a quick web search with a trusted browser can help identify and filter incorrect information. Remember: Cyberattackers want your personal information and sensitive data, so it’s good to be particularly careful when accessing sites that touch financial data.”

Xie offered some suggestions for web users: Be very careful if provided a link that claims to be the business from an external source, such as an email or a redirect from another web page. Instead, search for the business using a search engine in a web browser to determine their official site first; If you are using your personal computer, make sure your browser is up to date. This is especially relevant if you are using public Wi-Fi; always be extra cautious when using a public, or shared, computer. Be sure to take a step back and ask yourself if you trust the site/hyperlink and why; when using a mobile device, make sure to check out the URL of the site you are visiting in the browser. Better yet, type in the site’s URL yourself as opposed to clicking on a given link.

“There isn’t a silver bullet for consumers looking to avoid malicious lookalike domains. But, a healthy dose of skepticism and a basic internet hygiene regime can go a long way toward protecting your sensitive data,” Xie maintained.