Security

Here are the 'most clicked' phishing email templates that trick victims

Wombat's state of phishing report shows that attack rates remain steady, but there is some good news: User Click rates have dropped.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • The most successful phishing attacks are now consumer focused, instead of business focused. The merging of business and personal email accounts is a major threat to corporate security.—Wombat Security
  • IT professionals need to enforce segregation of personal and business email. Doing so can greatly reduce the risk of a successful phishing attack.—TechRepublic

Wombat Security has released its fourth annual State of the Phish report (registration required).

Wombat revealed that phishing rates in 2017 remained steady—76% of infosec professionals surveyed said that their companies experienced phishing attacks, roughly the same as 2016. Click rates have dropped to an average of nine percent, down from 15% in 2016, which is encouraging—users seem to be getting the message about the dangers of phishing.

SEE: How good (or bad) are your company's cybersecurity practices? Tell us in this quick survey. (Tech Pro Research)

The most important part of the report for infosec professionals is its breakdown of which kinds of phishing messages are the most successful.

The kinds of bait to watch out for

Wombat breaks phishing messages into four categories:

  • Consumer: The types of phishing messages the average person gets. E.g., fake social network notifications, account compromise spoofs, frequent flyer miles, photo tagging, etc.
  • Corporate: These try to mimic official communications, such as invoices, HR messages, email quarantine messages, benefit enrollment messages, etc.
  • Commercial: Business-related phishing that is not organization specific. These include shipment notifications, wire transfer requests, etc.
  • Cloud: Fake notifications tricking users into downloading files from a public cloud site, edit a cloud-hosted document, etc.

Of the four, consumer and corporate messages were the overwhelming favorite of phishing campaigners in 2017—they were used in 45% and 44% of attacks, respectively.

SEE: Infographic: Almost half of companies say cybersecurity readiness has improved in the past year (Tech Pro Research)

Consumer and corporate attacks weren't the most successful, though—to find out what was the most clicked, the report digs down a bit deeper into specifics. The rates at which the most successful phishing email templates were clicked is alarming—as opposed to the nine percent average across the board, each highly successful template saw click rates in the mid to high 80-percent range:

  • 86% clicked on online shopping security update messages
  • 86% clicked on corporate voicemail from unknown caller messages
  • 89% clicked on corporate email improvements messages

Those high rates were only bested by two message templates, which had near 100% click rates: database password reset alerts and messages reported to contain new building evacuation plans.

Wombat attacks are simulated, but others won't be

The statistics gathered by Wombat are alarming, but it's important to understand that they're all from simulated attacks using Wombat's Security Education Platform, one module of which is for conducting phishing attack simulations.

Those tests are what gives the success statistics, but the numbers in the report about prevalence of attacks, namely that consumer and corporate phishing leads, comes from real-world data.

SEE: IT leader's guide to reducing insider security threats (Tech Pro Research)

In 2016, corporate attacks were the leader, but those have been overtaken by consumer attacks, which Wombat attributes to the growing merging of personal and business email. "As employees begin to blend their personal email accounts into their work accounts, this creates a risk with regards to consumer-themed email attacks," said Amy Baker, VP of Marketing at Wombat Security.

Baker said the blending of personal and work accounts increases infection risk because both consumer and commercial messages are now potential attack vectors on corporate networks.

Looking forward into 2018, it's important for infosec professionals and IT teams to ensure users aren't being casual in their use of business email accounts. Managed email should only be used for business purposes, and personal accounts and messages should be strictly separated. IT teams should also encourage users to access personal email only on personal devices, such as smartphones, to reduce the risk of consumer phishing to business networks.

To read Wombat's full State of the Phish 2018 report, click on the link at the beginning of this article.

Also see

About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.

Editor's Picks

Free Newsletters, In your Inbox