What Phishing Bait Works? Citibank Cyberattack Underway

Phishing emails disguised as urgent password resets, account closures or giveaways are some of the most successful for hackers.

New phishing study looks at what kinds of scam emails work. (Source: Shutterstock)

What does it take to convince an employee to click on a phishing link? A new report found that security-related or giveaway emails harvest the most clicks.

The Tampa Bay, Fla.-based security awareness training firm KnowBe4 issued its fourth-quarter 2019 top-clicked phishing report, based on user responses to the subject lines of tens of thousands of emails from simulated phishing tests.

The results found that simulated phishing tests with an urgent message to check a password immediately were most effective, with 39% of users falling for it. Social media messages are another area of concern when it comes to phishing. Within the same report, KnowBe4’s top-clicked social media email subjects reveal that LinkedIn messages are the most popular at 55%, followed by Facebook at 28%.

“With more end users becoming security-minded, it’s easy to see how they fall for phishing scams related to changing or checking their passwords,” Stu Sjouwerman, CEO of KnowBe4, said. “They should be especially cautious if an email seems too good to be true, such as a giveaway. As identifying phishing attacks from legitimate emails becomes trickier, it’s more important than ever for end users to look for the red flags and think before they click.”

Among the key findings were:

The organization also reviewed “in-the-wild” email subject lines that show actual emails users received and reported to their IT departments as suspicious – the top 10 “in-the-wild” phishing email subjects were:

(In-the-wild email subject lines represent actual emails users received and reported to their IT departments as suspicious. They are not simulated phishing test emails.)

Meanwhile, Lawrence Abrams of Bleeping Computer reported that a new Citibank phishing scam, found by MalwareHunterTeam, is underway. It relies on a convincing domain name, transport layer security (TLS) certificates and requests for one-time password codes, which together could easily lead people to believe they are submitting their personal information on a legitimate page.

Jing Xie, senior threat intelligence researcher at the Salt Lake City-based cybersecurity firm Venafi, said: “Malicious lookalike domains may look sophisticated and authentic, however, a quick web search with a trusted browser can help identify and filter incorrect information. Remember: Cyberattackers want your personal information and sensitive data, so it’s good to be particularly careful when accessing sites that touch financial data.”

Xie offered some suggestions for web users:

- Be very careful with a link that claims to be the business but arrives from an external source, such as an email or a redirect from another web page. Instead, use a search engine in a web browser to find the business’s official site first.
- If you are using your personal computer, make sure your browser is up to date. This is especially relevant if you are using public Wi-Fi.
- Always be extra cautious when using a public or shared computer. Take a step back and ask yourself whether you trust the site or hyperlink, and why.
- When using a mobile device, check the URL of the site you are visiting in the browser. Better yet, type in the site’s URL yourself rather than clicking on a given link.

“There isn’t a silver bullet for consumers looking to avoid malicious lookalike domains. But, a healthy dose of skepticism and a basic internet hygiene regime can go a long way toward protecting your sensitive data,” Xie maintained.