Hackers are constantly throwing in new and clever phishing attacks that threaten email users’ security. KnowBe4, one of the top security attentiveness and simulated phishing platform contributors recently issued the top 10 phishing email subject lines from this year’s second quarter. Please note, the attacks used most often contain email subject lines that relate to a user’s passwords and security warnings.
An estimated 1 out of 3 people will open a phishing email each day. This tricky way of gathering people’s personal and financial information is getting bigger, despite all the warnings from technology experts.
What is Phishing?
Phishing is a technique that hackers practice to steal personal information, like credit card info or login authorizations. The hacker replicates an existing login page from an online service such as Dropbox, Apple, Gmail or your financial institution. This made-up website holds a code that delivers all the personal data you submit directly to the hacker. To lure you to the bogus website, hackers send a believable email to you. Quite often, the email sent to you will ask you to log in to your bank account because your bank has exposed a transaction that you did not authorize.
Hackers can make these emails look and sound real and their exploits have been very successful. They often use fear. The email will make it sound like you need to take action NOW! So without really checking, the victim clicks the bad link and continues to the bogus landing page where they give the cyber thief their log-in and password information.
Why is Phishing a Concern?
It is reported that consumers, businesses, and organizations will lose an estimated $9 billion in 2018 globally. With so much personal information tied to finances now shared online, hackers use phishing in order to illegally steal your money.
The Anti-Phishing Working Group (APWG) latest quarterly release reported:
- Over 11,000 phishing domains were created in the last quarter alone.
- The number of phishing sites rose 46% over the previous quarter.
- The practice of using SSL certificates on phishing sites continues to rise to lure users into believing a site is legitimate.
Is Phishing Just a Risk for Personal Users?
Because they store a lot of files in the cloud, Phishing is also a risk for all kinds of companies: Digital design companies, financial institutions, security companies, etc. According to hackmageddon.com, there were 868 reported company security breaches or cyber-attacks in 2017.
What do Hackers need to be successful?
There are generally three things hackers do to gain access to your information:
- Build an email account to send emails
- Buy a domain and set up a fake website
- Think of a tech company that is used often to mask itself as a legit website (Dropbox, Amazon, eBay, etc.)
What Can I Do to Avoid Phishing?
It has become increasingly difficult to guard yourself against phishing. As hard as Apple, Google, and other tech companies have worked to filter them out, hackers are always devising new ways to phish. However, here are some tips on spotting phishing emails:
- Try to avoid clicking on buttons and/or links in emails.
- Begin using password managers. A password manager aids the user in creating and retrieving complex passwords and storing the passwords in an encrypted database. Therefore, if hackers get one of your passwords, they can’t use it on any of your other accounts.
- Don’t put total faith in the green lock icon in your address bar. This only ensures that it is a private channel but does not inform you about who you’re communicating with.
- Allow 2FA (two-factor authentication). Two-factor verification is an extra layer of safekeeping otherwise known as “multi-factor authentication.” 2FA requires a password and username, and also something that only the user knows (mother’s maiden name) or has (passcode texted to another device, such as a cell phone).
- Be extra cautious if the browser plugin of your password manager doesn’t show your login credentials automatically.
- Be quick to report suspicious emails to your friends and colleagues. Organizations who make it easy for their employees to report attacks will see a significant decrease in cyber-attacks. The quicker an IT department can respond to a threat, it will minimize the threat potential damage inflicted on people.
Ironically, the trend for most of these phishing emails are warnings about security alerts.
Here are the top 10 from Q2:
- Password Check Required Immediately (15 percent).
- Security Alert (12 percent).
- Change of Password Required Immediately (11 percent).
- A Delivery Attempt was made (10 percent).
- Urgent press release to all employees (10 percent).
- De-activation of [email] in Process (10 percent).
- Revised Vacation & Sick Time Policy (9 percent).
- UPS Label Delivery, 1ZBE312TNY00015011 (9 percent).
- Staff Review 2017 (7 percent).
- Company Policies-Updates to our Fraternization Policy (7 percent).