Beware of These Common Phishing Campaigns

Cybercriminals are not concerned about being creative. They are focused on what works. They have learned that certain types of phishing emails have a higher success rate than others. "Success" to them means they have duped you into clicking a malicious link, opening a malicious attachment, or scanning a malicious QR code. It means they have been able to steal sensitive information or infect your system with malware.

KnowBe4’s quarterly phishing test report for Q2 2024 found that the most successful business-related phishing emails used HR-related topics as the hook. Almost half (42 percent) had subject lines associated with HR. Another 30 percent were related to IT. Oddly, the top subject line was “Possible typo.” Other common phishing email subjects included:

  • Please update W4 for file (12 percent)

  • Important: Dress Code Changes (12 percent)

  • Comment was left on your Time Off Request (11 percent)

  • Your training is past due (10 percent)

Ten percent even had the headline, “You have been selected for additional cybersecurity training.”

What all of these have in common is an appeal to our emotions. They refer to things that affect our day-to-day lives and create a sense of urgency that makes us forget to be skeptical. In the past, it was easier to spot phishing emails because they had grammar, spelling and syntax problems. Now, cybercriminals are using AI to increase the accuracy of their text and disseminate phishing campaigns at a much greater scale.

To reduce the risk of becoming a victim, remember these six tips:

  • Stop and think. If an email is asking you to do something urgently, read it carefully and think about it before taking any action.

  • Beware of generic salutations. Phishing emails might address you as “employee” or by simply repeating your email address.

  • Scrutinize senders. Is that email really from HR, IT or a trusted company? Look at the sender to see if it has been spoofed.

  • Be suspicious of links and attachments. Embedded hyperlinks, QR codes and unexpected attachments should be red flags.

  • Question why the email asks for sensitive information. Would the IT department really need you to give them your user credentials?

  • Take phishing attacks seriously. Security experts say more than 90 percent of security incidents start with a phishing email.
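Several of these tips can be turned into automated checks at the mail gateway or in a triage script. The following is an added example, not code from the original post: Python heuristics for spoofed-looking senders, Reply-To mismatches, generic salutations, urgency wording, and external links or attachments, run over constructed sample messages. `TRUSTED_DOMAIN`, the phrase lists and the three sample emails are assumptions chosen to mirror the tips above.

```python
"""Heuristic red-flag checks on a received email (added example).

TRUSTED_DOMAIN is an assumed organisational domain; the samples are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"  # assumption: the receiving organisation's own domain
GENERIC_SALUTATIONS = ("dear employee", "dear user", "dear customer", "hello employee")
URGENCY_PHRASES = ("urgent", "immediately", "past due", "within 24 hours", "action required")
INTERNAL_ROLES = re.compile(r"\b(hr|it|helpdesk|payroll)\b", re.I)
DIGIT_SWAPS = str.maketrans("0135", "oles")  # undo common digit-for-letter substitutions


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    """True when a foreign domain imitates the trusted one (examp1e.com, example-hr.com)."""
    if not domain or domain == trusted:
        return False
    return domain.translate(DIGIT_SWAPS) == trusted or trusted.split(".")[0] in domain


def is_internal_host(host, trusted=TRUSTED_DOMAIN):
    host = host.lower()
    return host == trusted or host.endswith("." + trusted)


def analyse(raw):
    """Return a list of human-readable red flags found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(from_addr)

    # Scrutinize senders: look-alike domain, or an internal-sounding name on an external address.
    if is_lookalike(from_dom):
        findings.append(f"sender domain {from_dom} resembles {TRUSTED_DOMAIN}")
    elif from_dom and from_dom != TRUSTED_DOMAIN and INTERNAL_ROLES.search(from_name):
        findings.append(f"display name '{from_name}' on external domain {from_dom}")
    # A Reply-To pointing elsewhere means answers never reach the visible sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    lowered = text.lower()

    # Generic salutations and urgency wording are the emotional hooks described above.
    if lowered.lstrip().startswith(GENERIC_SALUTATIONS):
        findings.append("generic salutation")
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))

    # Links and attachments: flag hosts outside the trusted domain and any attached file.
    hosts = re.findall(r"https?://([^/\s\"'>]+)", text, re.I)
    external = sorted({h.lower() for h in hosts if not is_internal_host(h)})
    if external:
        findings.append("links to external hosts: " + ", ".join(external))
    if any(part.get_filename() for part in msg.iter_attachments()):
        findings.append("unexpected attachment")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_INTERNAL = """\
From: HR Team <hr@example.com>
To: alice@example.com
Subject: Reminder: benefits enrollment window
Content-Type: text/plain

Hi Alice,

Benefits enrollment closes at the end of the month. Details are on
https://intranet.example.com/benefits.
"""

SAMPLE_LOOKALIKE = """\
From: HR Department <hr-notices@examp1e.com>
Reply-To: payroll-desk@mail-relay.net
To: alice@example.com
Subject: Please update W4 for file
Content-Type: text/plain

Dear Employee,

Your W4 is past due. Action required: sign in within 24 hours at
https://examp1e.com/w4/update to avoid payroll delays.
"""

SAMPLE_DISPLAY_NAME = """\
From: IT Service Desk <desk4471@webmail-host.org>
To: alice@example.com
Subject: Your training is past due
Content-Type: text/plain

Hello Employee,

Your cybersecurity training is past due. Confirm your login credentials
at https://training-portal.webmail-host.org/verify immediately.
"""

if __name__ == "__main__":
    for label, sample in (("internal", SAMPLE_INTERNAL), ("lookalike", SAMPLE_LOOKALIKE),
                          ("display name", SAMPLE_DISPLAY_NAME)):
        print(f"{label}: {analyse(sample) or ['no red flags']}")
```

The internal HR reminder produces no findings, while the two constructed lures each trip several checks at once; in practice the value is in the combination, since any single signal (an external link, a generic greeting) also appears in plenty of legitimate mail.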