Phishers are smart. They know which lures work and how to press the right buttons to get users to act on their messages.
But one tactic stands out as especially effective, according to PhishMe, a company that offers security awareness training. By measuring response rates to simulated phishing emails, PhishMe found that one particular message drew a response from nearly one-third of its recipients.
That email: a fake message claiming that a scanned document was attached. That lure worked 31.1% of the time.
Other effective lures: a package delivery notification (25.8%) and a warning about unauthorized access (24.8%).
Professional messages get more clicks
Overall, using a business message to entice users to click was an effective approach. The average response rate for phishing messages based on office communications was 19.9%, followed by financial or contract messages (18.6%), retail and shopping (16.5%) and communications purporting to be from the IT department (11.2%).
And what do these attacks look like? The report highlights five main strategies PhishMe used to entice users to click:
- Click only. These attacks contain a malicious link in the body of an email that the attacker tries to get the user to click on.
- Data entry. This attack requires a user to enter sensitive information into a landing page they’ve been redirected to.
- Attachment-based. Rather than links, these emails contain seemingly harmless attachments.
- Double barrel. This attack starts off with a conversational email with no indications anything is wrong. The follow-up email is the actual attack.
- Highly personalized. The attacker uses information gathered from social media or the public-facing web to craft a message tailored to the recipient, making it far more likely to be clicked.
Reporting is key
Regardless of the strategy used, it's important to stress to users that if they receive an email or message that appears to be malicious, they should report it right away.
Even if they are alert enough not to take the bait themselves, bringing the message to IT's attention can help prevent another recipient from falling for it and putting sensitive information at risk.