Common Business-Related Phishing Scams Include Fake HR and IT Subject Lines

Received what looks like an important HR document? Be careful.

According to KnowBe4's latest phishing test data, cybercriminals in the second quarter most often succeeded with spoofed emails imitating HR departments. Once a user clicked, links in email bodies and in PDF attachments were the usual attack vectors.

In an interview with TechRepublic, Erich Kron, Security Awareness Advocate at KnowBe4, discussed the results of the phishing tests and how organizations can defend against phishing campaigns that keep evolving with the help of generative AI.

Fake HR Emails Top the List of Social Engineering Lures

Some attackers use fake HR notifications to convince employees that clicking a link or reviewing a document is urgent. According to the report:

  • 42% of the business-related email subjects examined were HR-related.
  • Another 30% were IT-related.
  • Several of these subjects played on workplace emotions, such as "You've Received a Comment on Your Time Off Request" or "Potential Typo."

“When faced with a strong emotional reaction to a message, phone call, or email, it’s crucial to pause and assess it critically,” mentioned Kron. “These are manipulative attacks that thrive on inducing an emotional response leading to errors.”

Recent attacks have also come from emails spoofing Microsoft or Amazon.

[Infographic] KnowBe4 gathered examples of common, effective phishing emails. Image: KnowBe4

Phishing emails carrying QR codes have also fooled employees. Like malicious links, these QR codes usually appear in emails posing as well-known companies, HR departments, or IT. A QR code moves the link from the mail client to the employee's phone camera, so URL filtering, hover previews and other protections on the corporate mail gateway never see the destination.

“The consistent rise in HR-themed phishing emails is particularly concerning as they undermine the fundamental aspect of organizational trust,” remarked Stu Sjouwerman, CEO of KnowBe4, in a press release on Aug. 7. “Furthermore, the surge in QR codes in phishing schemes adds another layer of complexity to these dangers.”

The healthcare and pharmaceutical sectors were the most susceptible to phishing attacks, according to KnowBe4, followed by hospitality, education, and insurance, with some variation by organization size.

How KnowBe4's Phishing Benchmark Research Works

KnowBe4 compiles the data for its quarterly Industry Benchmarking Report from its customers and from its phishing reporting portal, which any organization can use.

KnowBe4 sells simulated phishing services: it runs fake phishing campaigns against customer organizations to measure how resistant their staff are. The study looked specifically at which lures are fooling people and how training of this kind improves an organization's defenses against cyber threats.

The data set covers 54 million simulated phishing tests sent to more than 11.9 million users across 55,675 organizations worldwide.

“Often we take actual phishing attempts and convert them into simulated ones,” Kron stated. “We neutralize the threats, as that closely mirrors real-world scenarios.”

The report measures the "Phish-prone Percentage" (PPP), KnowBe4's proprietary estimate of the share of "employees likely to fall for social engineering or phishing scams." The average PPP fell from 34.3% to 4.6% after a year of continuous training and simulated phishing.

SEE: The distinction between phishing and spear phishing lies in the attack’s scope — widespread or targeted at a specific individual.

Making Organizations More Resistant to Phishing Attacks

Organizations should make clear to employees that phishing emails no longer reliably contain the numerous typos or blatant requests for money that they once did.

“The evolution of Generative AI has improved the articulation and refinement of content,” noted Kron, “enabling offenders to scale their operations without common error signs.”

Employees should check URLs and sender addresses carefully, and ask whether an email marked "urgent" really needs to be acted on immediately.

For instance, Kron suggested asking, "Was it genuinely sent by my manager, or does it merely bear their name?"

Anti-spam and anti-virus filters catch some social engineering and phishing attempts, and multi-factor authentication limits what an attacker gains even when a link is clicked or a QR code scanned. One caveat: one-time codes and push approvals can still be relayed by a real-time proxy phishing kit, whereas phishing-resistant methods such as FIDO2 security keys or passkeys hold up because the credential is bound to the legitimate site's origin. Apart from KnowBe4, companies such as Sophos, Proofpoint, NINJIO, Hoxhunt, Cofense, and others offer security awareness training with simulated phishing.
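As an added example (not from the article, and not KnowBe4's or any vendor's code), the Python script below applies the checks described above to a raw message: it compares the From display name against a directory, looks for Reply-To diversion, flags pressure wording in the subject, and checks each link's visible text against the host it really points to, including lookalike domains. The company domain, the directory entry and the sample message are all constructed for the demo.

```python
# Added example (not from the article or from KnowBe4): header and link checks a
# reviewer or a mail-filter rule can apply to a suspicious HR-themed email.
# TRUSTED_DOMAINS, KNOWN_PEOPLE and SUSPICIOUS_EML are constructed for the demo.
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}                     # assumed: the company's own domain
KNOWN_PEOPLE = {"dana lee": "dana.lee@example.com"}  # assumed: directory entry, lowercase
LURE_WORDS = ("urgent", "action required", "time off", "payroll", "password")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Lowercase host of an email address, a URL, or a bare 'host/path' string."""
    s = s.strip()
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1].lower()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def looks_like(trusted, host):
    """True when host imitates trusted (1/l and 0/o swaps, inserted hyphens or
    digits) without being trusted itself or one of its subdomains."""
    if host == trusted or host.endswith("." + trusted):
        return False
    norm = re.sub(r"[-0-9]", "", host.replace("1", "l").replace("0", "o"))
    return trusted.split(".")[0] in norm.split(".")[0]


def analyse(raw):
    """Return (code, detail) findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, addr = parseaddr(msg["From"] or "")
    from_host = host_of(addr)
    # Did my manager send it, or does it merely bear their name?
    for person, real_addr in KNOWN_PEOPLE.items():
        if person in name.lower() and addr.lower() != real_addr:
            findings.append(("name-impersonation", f"{name!r} sent from {addr}"))
    if from_host not in TRUSTED_DOMAINS:
        findings.append(("external-sender", from_host))
    for t in TRUSTED_DOMAINS:
        if looks_like(t, from_host):
            findings.append(("lookalike-sender", f"{from_host} imitates {t}"))
    # Replies quietly diverted to another mailbox.
    _, reply = parseaddr(msg["Reply-To"] or "")
    if reply and host_of(reply) != from_host:
        findings.append(("replyto-mismatch", f"From {addr} but Reply-To {reply}"))
    # Pressure wording in the subject line.
    subject = (msg["Subject"] or "").lower()
    hits = [w for w in LURE_WORDS if w in subject]
    if hits:
        findings.append(("lure-subject", ", ".join(hits)))
    # Links whose visible text names one host while href goes elsewhere, or lookalikes.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        ex = LinkExtractor()
        ex.feed(html.get_content())
        for href, text in ex.links:
            target = host_of(href)
            shown = host_of(text) if "." in text else ""
            if shown and shown != target:
                findings.append(("link-mismatch", f"shows {shown}, goes to {target}"))
            for t in TRUSTED_DOMAINS:
                if looks_like(t, target):
                    findings.append(("lookalike-link", f"{target} imitates {t}"))
    return findings


# Constructed sample: an "HR" message spoofing a known colleague with a lookalike domain.
SUSPICIOUS_EML = b"""From: "Dana Lee (HR)" <dana.lee@examp1e-hr.com>
Reply-To: hr-desk@mail-relay.example.net
To: pat@example.com
Subject: URGENT: You've Received a Comment on Your Time Off Request
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the comment on your time off request today.</p>
<p><a href="https://examp1e-hr.com/login">https://hr.example.com/timeoff</a></p>
</body></html>
"""

if __name__ == "__main__":
    for code, detail in analyse(SUSPICIOUS_EML):
        print(f"[{code}] {detail}")
```

Running `analyse(SUSPICIOUS_EML)` yields seven findings (name impersonation, external and lookalike sender, Reply-To diversion, lure subject, link text/target mismatch and lookalike link host); a plain-text note from dana.lee@example.com with a neutral subject yields none. The lookalike test is deliberately crude; production filters use confusable-character tables and registered-domain lists, but the check being demonstrated is the same one an employee does by eye.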

Ultimately, employees need to stay alert, whether or not that alertness is being measured by regular phishing tests.

“Always exercise caution,” advised Kron.
