Phishing messages are the most effective way to attack a company or organization. Hackers and cybercriminals go to great lengths to convince recipients to click on a malicious URL. Half of all phishing messages sent concern topics purportedly coming from the human resources (HR) department.
This is according to research by cybersecurity company KnowBe4. The researchers looked at the most commonly used attack vectors in the second quarter of 2023.
Phishing messages about HR-related topics are most effective
Emails about dress codes and registration deadlines for training or holidays: these are some of the topics that hackers and scammers use to encourage recipients to take action, for example by clicking an untrustworthy link in the email, logging in to a counterfeit login page, or completing a fake questionnaire or online form.
Researchers say that phishing messages on such topics are very effective in practice. They touch on an employee's private life or on routine business requests, so recipients feel inclined to respond first and consider the legitimacy of the email only afterwards. By then the damage has already been done: usernames, passwords or other confidential data are already in the hands of malicious parties.
Half of all phishing messages sent in the second quarter of this year concern HR-related topics. Nearly one in three users click on a suspicious link or respond to a fraudulent request, researchers from KnowBe4 conclude.
Hackers follow market trends to outsmart organizations
Topics such as holiday work schedules and national holidays are the most commonly used by cybercriminals. In the US, many companies and organizations are hit by fake emails about Independence Day or Juneteenth, the day commemorating the abolition of slavery and the liberation of enslaved people. Signing up for the company barbecue is also a popular topic that scammers use to claim victims.
“Cybercriminals are constantly refining their strategies to keep up with market trends and outwit end users and organizations by creating phishing email subjects that are realistic and credible. They prey on emotions and try to get anxiety, confusion, panic or even excitement to trick someone into clicking on a phishing link or malicious attachment. These disguised emails abuse employee trust and incite actions that can have disastrous consequences for the entire organization,” said Stu Sjouwerman, CEO of KnowBe4.
According to the CEO, there is only one effective way to win the fight against phishing: offering awareness training to staff. “Well-trained personnel are an organization’s best defence and are essential to fostering and maintaining a strong security culture,” said Sjouwerman.
Other popular attack vectors
Phishing is not the only way hackers try to initiate cyber attacks. Spoofing or counterfeiting a domain name was also commonly used against companies and organizations in the second quarter. Other popular attack vectors during this period included PDF and HTML attachments, as well as manipulated company names and logos that redirected recipients to a rogue page.
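As an added illustration of how a mail team can triage inbound messages for the lures and vectors this report names (HR-themed subjects, sender domains that imitate the organization's own, and PDF/HTML attachments), here is a small heuristic checker. It is example code written for this article, not KnowBe4's tooling; the organization domain, the lure list and the sample message are assumptions constructed for the demo.

```python
"""Heuristic triage of an inbound message against the lures this report names."""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed: the protected organisation's own domain
ORG_LABEL = ORG_DOMAIN.split(".")[0]
HR_LURES = ("dress code", "training", "holiday", "barbecue", "sign up", "juneteenth")  # report's lures
RISKY_ATTACHMENT = re.compile(r"\.(pdf|html?)$", re.IGNORECASE)


def triage(raw_message: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    subject = (msg.get("Subject") or "").lower()
    hits = [lure for lure in HR_LURES if lure in subject]
    if hits:
        findings.append("hr-themed subject: " + ", ".join(hits))
    display_name, address = parseaddr(msg.get("From") or "")
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    name_lc = display_name.lower()
    # display name poses as HR or as the company, but the address is external
    poses_internal = bool(re.search(r"\bhr\b", name_lc)) or ORG_LABEL in name_lc
    if poses_internal and sender_domain != ORG_DOMAIN:
        findings.append(f"display name '{display_name}' from external domain {sender_domain}")
    # lookalike domain: reuses our brand label without being our domain
    if sender_domain and sender_domain != ORG_DOMAIN and ORG_LABEL in sender_domain:
        findings.append("lookalike sender domain: " + sender_domain)
    # PDF and HTML attachments were the other vectors the report names
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if RISKY_ATTACHMENT.search(name):
            findings.append("pdf/html attachment: " + name)
    return findings


# constructed sample lure (not a real message): HR subject + lookalike domain + PDF
SAMPLE = """\
From: HR Department <hr@example-com.net>
Subject: New dress code policy - please sign up by Friday
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="Dress_Code.pdf"
Content-Disposition: attachment; filename="Dress_Code.pdf"

(placeholder attachment body)
--b1--
"""
```

Running `triage(SAMPLE)` returns four findings, one per signal above; a plain internal message with no lure, no lookalike domain and no attachment returns an empty list.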