Kaspersky investigates ways in which hackers can confuse users with apparently legitimate email templates.
While good cybersecurity training is imperative to keep organizations safe, users can still be confused by the different types of phishing attempts they receive, which can lead to data breaches. Using data from its Security Awareness Platform and phishing simulator, Kaspersky identified the emails that users find most difficult to recognize as phishing attempts.
Since nearly all (91%) cyberattacks start with a phishing email, it is critical that organizations and their employees are able to identify a potential breach before it occurs.
“Phishing simulation is one of the easiest ways to track employees’ cyber resilience and evaluate the efficiency of their cybersecurity training,” said Elena Molchanova, Head of Business Development Security Awareness at Kaspersky. “However, there are important aspects to consider when conducting this assessment to make it truly impactful.”
The Most Confusing Phishing Methods for Employees
According to Kaspersky, 16% to 18% of employees will click on an adversary-sent email template that appears to report delivery issues or technical errors. This is the moment a cybercriminal can exploit a user's unfamiliarity with the subject to gain access to their sensitive information. According to the cybersecurity company, the five most clicked emails in the phishing simulator were:
- Subject: Failed delivery attempt (18.5%)
- Subject: Emails not delivered by overloaded mail servers (18%)
- Subject: Online employee survey (18%)
- Subject: Reminder: New Company Wide Dress Code (17.5%)
- Subject: Attention all employees: evacuation plan for new construction (16%)
In most of these cases, employees read these topics only superficially because the emails appeared to come from reliable sources such as the company's HR department or Google, when in fact they were carefully crafted templates designed to pass as legitimate.
“Because the methods used by cybercriminals are constantly changing, the simulation should reflect current social engineering trends in addition to common cybercrime scenarios,” Molchanova said. “It is critical that simulated attacks are performed regularly and supplemented with appropriate training so that users develop a strong vigilance skill to avoid falling for targeted attacks or so-called spear phishing attacks.”
Other phishing topics that Kaspersky said generated clicks were: reservation confirmations from a booking service (11%), an order notification (11%) and an IKEA contest announcement (10%).
SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)
Ways to avoid becoming a victim
Kaspersky encourages organizations to enforce email best practices wherever possible by reminding employees of the most common signs of phishing emails, such as an attention-grabbing subject line, typos or grammar errors, suspicious links, and inconsistent sender addresses. In addition, users should be well versed in zero trust security principles and should not take any communication at face value until it has been verified as legitimate. One way users can do this is by checking that the address the email was sent from is authentic and by hovering over attachments to see whether the files are in an executable format.
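The checks described above (inconsistent sender addresses, links whose visible text does not match their real destination, and executable attachments) can be applied mechanically before a user ever opens a message. The following triage helper is an added example, not Kaspersky's or TechRepublic's code; the extension list and the sample "Failed delivery attempt" message are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed list of attachment extensions that ordinary users should never receive.
EXEC_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".ps1")
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs for the phishing signs found in a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    _, sender = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    # Inconsistent sender: replies are silently routed to a domain other than the apparent sender.
    if reply and domain_of(reply) != domain_of(sender):
        flags.append(("reply-to-mismatch", f"{domain_of(sender)} -> {domain_of(reply)}"))
    for part in msg.walk():
        fname = part.get_filename()
        # Executable disguised as a document (the "check the file format" advice above).
        if fname and fname.lower().endswith(EXEC_EXT):
            flags.append(("executable-attachment", fname))
        if part.get_content_type() == "text/html":
            # Visible link text shows one host while the href points somewhere else.
            for href, text in HREF_RE.findall(part.get_content()):
                shown = urlparse(text.strip()).hostname if "://" in text else None
                real = urlparse(href).hostname
                if shown and real and shown.lower() != real.lower():
                    flags.append(("link-mismatch", f"{shown} -> {real}"))
    return flags

# Constructed sample mimicking the "Failed delivery attempt" lure from the article.
SAMPLE = """\
From: "Parcel Service" <notify@parcel.example.com>
Reply-To: claims@parcel-example.test
Subject: Failed delivery attempt
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Reschedule here: <a href="http://login.parcel-example.test/r">https://parcel.example.com/track</a></p>
--b1
Content-Type: application/octet-stream; name="label.pdf.exe"
Content-Disposition: attachment; filename="label.pdf.exe"

MZ
--b1--
"""
```

Running `triage(SAMPLE)` reports all three indicators for the sample, which is exactly the kind of message employees clicked on most in the simulator; a message that passes all three checks can still be phishing, so the helper supports, rather than replaces, user vigilance.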
The cybersecurity firm also advocates that employees report any email suspected of phishing to their IT department, and that organizations provide their staff with basic cybersecurity knowledge. Finally, it recommends that all devices be equipped with appropriate antivirus software in case of an accidental click. By selecting preventative software with anti-spam capabilities, the ability to detect suspicious behavior, and file backups in the event of a ransomware attack, enterprises can ensure that their sensitive data remains secure even after an occasional click.