About 100,000 email phishing attacks are reported each month and thousands of people fall for them, compromising sensitive personal and business information in the process, according to The Anti-Phishing Workgroup.
The FBI believes email phishing scams helped cybercriminals breach IT security defenses at Yahoo and the Democratic National Committee. The same goes for the famous Sony Pictures hack of 2014.
Email phishing scams are regularly used by cybercriminals who want to spread ransomware and gain access to sensitive personal and business information—and phishing attacks are on the rise, according to a new report from Wombat Security Technologies, a company that specializes in helping businesses avoid phishing emails.
"The threat of phishing attacks is real. News headlines and numerous studies have proven that phishing attacks are on the rise, and our survey of security professionals showed the same," the report reads. "Not only are more organizations reporting being the victim of phishing attacks, but the number they are experiencing has gone up. Attackers are becoming more sophisticated and varied in their approach, using multiple threat vectors."
The most effective phishing scams
In addition to the survey results provided in Wombat's new "State of the Phish" report, the company also analyzed the results of millions of simulated phishing attacks sent through its platform to customers. The simulated phishing attacks are one of the tools the company uses to help train businesses on how to steer clear of phishing scams. The analysis shed light on the most effective types of phishing scams.
Wombat found that phishing emails disguised as legitimate work emails are some of the most effective when it comes to hooking victims. In one example, a simulated phishing email disguised as an “Urgent Email Password Change” request had a 28% click rate.
"Users were most likely to click on attachments and messages they expected to see in their work inboxes, like an HR document or a shipping confirmation," Wombat writes. "They were more cautious with messages we consider to be 'consumer oriented,' such as gift card offers and social networking notifications."
The Wombat report went on to describe four types of highly effective phishing emails that employees need to be cautious about. They include:
- Technical emails
These types of scams typically pose as error reports and bounced email notifications. A “Delivery Status Notification Failure” is a popular example, according to Wombat.
- Corporate emails
Corporate email scams are designed to look like official corporate communications. Examples of these include benefits enrollment messages, invoices and communications about confidential human resources documents. - Commercial emails
These are business-related emails that may not be specific to your organization. Some of the topics of these phishing emails include insurance notifications, shipping confirmations and wire transfer requests.
- Consumer emails
These types of scams are designed to replicate many of the emails that are regularly sent to the general public. Examples include messages about social networking notifications, gift cards, bonus miles, frequent flier accounts, big-box store memberships and more.
"Remember, phishing attacks are often preceded by social engineering phone calls, or impostors gaining access to information or areas they should not," the report reads. "You should teach your end users to not only watch out for phishing emails, but other [social engineering] threat vectors as well."
Want to learn more about how to avoid phishing scams? Read "Five ways to detect a malicious phishing email" today!