Phishing emails in Q421 focused on everyday tasks - research
Wed, 26th Jan 2022

Phishing emails in the last quarter of 2021 were primarily focused on users' everyday tasks, new research has found.

The information was revealed in KnowBe4's Q4 2021 top-clicked phishing report, which the company released this week.

KnowBe4 is a provider of a security awareness training and simulated phishing platform.

“When comparing the results from the United States phishing emails to those in the rest of the world, email subjects in the United States appear to originate from the users' organisations and are focused on security alerts related to passwords and internal company policy changes,” says Stu Sjouwerman, chief executive officer at KnowBe4.

“However, in the rest of the world, the top subjects are related to users' everyday tasks and the subject lines appear to be more personalised to entice the user to click," he says.

"As expected, we did see some phishing email subjects related to the holidays, especially holiday shopping in particular. Employees should remain ever vigilant when it comes to suspicious email messages in their inboxes because just one wrong click can wreak havoc for an organisation.”

According to the report, the top 10 email categories globally are:

Business 
Online Services 
Human Resources 
IT 
Banking and Finance 
Coronavirus/COVID-19 Phishing 
Mail Notifications 
Holiday 
Phishing for Sensitive Information 
Social Networking

Top phishing email subjects were also broken out, comparing those in the United States to those in the rest of the world. In the fourth quarter of 2021, KnowBe4 examined tens of thousands of email subject lines from simulated phishing tests. The organisation also reviewed ‘in-the-wild’ email subject lines, which show actual emails users received and reported to their IT departments as suspicious. The results are below.

Top phishing email subjects, according to the Q4 2021 top-clicked phishing report:

Rest of the World:
Accept Invitation - Staff Meeting via Teams 
Employee Portal - Timecard Not Submitted  
Enclosed attachment for your review 
Immediate password verification required  
[[company_name]] Invoice

The United States:
Password Check Required Immediately 
Important: Dress Code Changes 
Vacation Policy Update 
Important Social Media Policy Change  
Employee Discounts on Amazon for your Holiday Shopping

Common “in-the-wild” attacks, according to the report, were:

IT: Cloud Enrolment 
Special Project Information  
You Have Some New Messages 
Teams Events 
Microsoft: Private Shared Document Received

The KnowBe4 platform is used by more than 44,000 organisations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organisations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to security awareness training.

Kevin Mitnick, an internationally recognised cybersecurity specialist and KnowBe4's chief hacking officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organisations rely on KnowBe4 to mobilise their end users as their last line of defence.