One hazard of being a cybersecurity reporter is that attackers send phishing emails to my inbox on a daily basis.
If you don’t believe me, ask the security team at Time Inc., Fortune’s parent company.
Truth is, anyone online can be a target for hackers, spies, and cybercriminals. You might not think you’re that interesting, but the funny thing about networks is that even if you are boring (surely you mustn’t be, given that you’re a Fortune reader), hackers may still aim to A) profit from your misfortune, and B) use you as a stepping stone to get at someone else.
Given its low cost and high success rate, phishing has become a favorite scam of everyone from the lowliest crooks to the mightiest state-sponsored computer crackers. Perhaps the best-known recent example of a phishing attack occurred when likely Moscow-backed intruders pilfered the email inbox of John Podesta, former chairman of Hillary Clinton’s presidential campaign, eventually leading to the publication of its contents online. Last year, hackers infiltrated a number of state and local election databases in the U.S. in the lead-up to the vote. And in recent weeks, another wave of attacks came to light that targeted the business systems of nuclear power plants.
These are just some of the recent high-profile instances of phishing. Given the pervasiveness of the threat, it’s wise for people to brush up on the types of lures that attackers use to bait their victims. In a recent survey, KnowBe4, a firm that provides cybersecurity awareness training for employees, compiled data on which of its phishing attempts most successfully duped people.
KnowBe4 measured the number of times clients and participants in its free online phishing test took the bait of its own trick emails between April 1 and June 30, 2017. During that period, the company sent roughly 6.6 million bogus messages to more than 2 million individuals. Below is data on the top 10 messages; they fooled 22,060 people, each of whom clicked on the links inside the messages. (The total number of victims is much higher, but we’re focusing only on those who fell for the top 10 lures.)
From the data, you can piece together what tends to fool people the most. “Security Alert” leads by a mile, having duped more than 4,600 people. Other lures relating to security had good success too, such as items related to password hygiene and unusual account activity. Other effective tactics involved sending notes purporting to relate to package deliveries, work-related information, and news.
On average, KnowBe4 says it finds that 16% of people who open a phishing email click on the links within it. (With training, that percentage drops, the firm says.) In real attack scenarios, those links or attachments will be malicious, and can lead to a theft of login credentials or the installation of malware onto a device. KnowBe4’s links, on the other hand, were benign.
Stu Sjouwerman, CEO of KnowBe4, told Fortune that attackers often aim for employees because they consider them “the low-hanging fruit that they can manipulate to get into a network.”
“The number one attack vector is email, so all users need to be trained to not click on links in emails, and never open an attachment they did not ask for or did not expect without verification,” he said. (It’s worth noting that 44% of KnowBe4’s attacks were related to LinkedIn messages, which people often connect to their work email addresses.)
The above is by no means an exhaustive list of phishing lures. These are just some subject lines that KnowBe4 devised and tested. Cybercriminals are a crafty bunch, and there is no end to the variations they could try to get the best of you.
Knowing what people fall for most can help arm you against the most successful schemes.