SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Gone phishing: Business emails remain top threat strategy
Wed, 25th Jan 2023
FYI, this story is more than a year old

 Security awareness training and simulated phishing platform KnowBe4 has announced the results of its 2022 and Q4 2022 top-clicked phishing report. 

The results include the top email subjects clicked in phishing tests, top attack vector types, holiday phishing email subjects and more insightful information that reveal the most popular phishing email tactics.  

Phishing emails continue to be one of the most common and effective methods to maliciously impact a variety of organisations around the world – everyone is a potential victim. 

According to the report, cybercriminals constantly refine their strategies to outsmart end users and organisations by changing phishing email subjects to be more believable and attention grabbing. This shift in phishing tactics over time is evident in the increasing trend of cybercriminals using business-related email subjects.

Business phishing emails are lucrative and successful because of their potential to affect a users workday and routine. These include emails from HR, IT, managers and web services such as Google and Amazon. 

KnowBe4's 2022 phishing test results reveal that for the year, nearly 50% of email subjects were HR related, while the other half were related to career development, IT and work project notifications. These types of emails bait recipients into opening them and are likely successful because they create a sense of urgency in users to act quickly, sometimes without thinking and taking the time to question the emails legitimacy. 

Additionally, this years phishing tests revealed the top vector for the year to be phishing links in the body of an email, which has stayed consistent for the last three consecutive quarters. The combination of these phishing tactics is clearly a working strategy for cybercriminals but detrimental to users and organisations as they can lead to cyber attacks such as business email compromise and ransomware.

Along with an increased utilisation of more business-related emails and links within emails, the Q4 2022 phishing test also shares the top holiday phishing email subjects. The holiday season is one of the busiest times of year for online activities and cybercriminals count on end users having their guards down when it comes to staying alert and spotting phishing emails. Like general phishing email subjects, holiday phishing email subjects consist of emails from HR and IT, however, they are also tailored to the holiday season and the festivities that typically happen during that time of the year by mentioning holiday parties, gifts, food and more. 

"Cybercriminals are smart and pay attention to what works and what does not when it comes to effective phishing emails," says Stu Sjouwerman, CEO, KnowBe4. 

"This is why we see email subjects evolve and upgrade over time to keep up with end users and what they may be susceptible to. 

"Phishing emails are a year-round threat and remain a challenge during the holiday season as well holiday phishing emails are the one gift that no one wants to receive in their inbox," he says. 

"KnowBe4's phishing test reports emphasise the importance of new-school security awareness training that educate users on the latest and most common cyber attacks and threats. 

"A strong security culture and an educated workforce is an organisations best defense to remain vigilant and stay safe online from cybercriminals and their attempted threats."