The most successful phishing attacks… come from you


It’s a bit exhausting being an online person in 2022. Hyper-vigilance is the price we all have to pay to exist or work online, which is a prerequisite for almost any business these days (at least in some form or fashion). But there’s no end to spam emails, phishing emails, malware, ransomware, you name it. As an individual, some familiar-looking phone number is always calling you, trying to trick you into giving up financial details. You’re catching emails from all sorts of people, many of which are scams. Twitter impersonators, Facebook scammers — they’re everywhere.

There’s simply no end to the onslaught of people trying to con you, scam you, steal from you, impersonate you, etc.

And not to add insult to injury, but a recent report found that the most successful phishing attempts? They look like they came from you.

Phishing Emails Masquerading as HR Or IT Notifications Get the Most Clicks

The most insidious part of phishing emails is that they don’t necessarily require you to do anything other than click a link or open an attachment for an attacker to gain access to your system(s). And there are few things that get people to perk up, click on something, or take action faster than an email they think came from their HR department or IT department.

KnowBe4 is a cyber awareness company, and they put out an annual “Phishing by Industry Benchmarking Report.” The research is designed to assess an organization’s “Phish-prone Percentage” (PPP), which indicates how many of its workers are susceptible to phishing scams.

Their report found that emails appearing to come from HR or IT are the most likely to be clicked by employees, and half of those that got clicked had HR-related subject lines such as ‘vacation policy updates,’ ‘dress code changes,’ or ‘upcoming performance reviews.’

The calls are coming from inside the house

It’s such a natural reaction for employees to hop to when they think they’ve received an email from HR. It’s a visceral, gut reaction. I get it. But it’s one of those things you have to drill into your employees that they have to check the domain, company logo, email address, etc. before clicking on anything. Furthermore, you have to train them to think contextually — is it actually time for performance reviews? Is the company likely to announce a change to the vacation policy via email without speaking about it first? And most importantly, why do I need to click a link or download a .pdf in order to see the policy?

Most emails to employees would just include the information… in the body of the email. Or potentially point to an intranet link. But that’s where training comes in handy yet again — don’t ever click on the link, just navigate to the intranet on your own to see if there’s a new resource or policy announcement.
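The checks described above can be turned into a triage script. The following is an added example written for this post, not a KnowBe4 tool or anything from the original article: it asks the same questions of a raw message (does the sender address really belong to our domain, does the display name claim HR or IT while the address does not, does Reply-To go somewhere else, and does the “policy” only exist behind an external link). The internal domain, the subject terms and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: our mail domain and the most-clicked HR/IT subject themes.
INTERNAL_DOMAINS = {"example.com"}
HR_IT_TERMS = ("vacation policy", "dress code", "performance review", "payroll")
TEAM_NAME = re.compile(r"\b(hr|human resources|helpdesk|it (support|department|team))\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s:]+)", re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_internal(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def triage_email(raw: str) -> list[str]:
    """Return the reasons a raw RFC 5322 message deserves a pause before clicking."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(from_addr)
    external = not is_internal(sender_domain)
    subject = msg.get("Subject", "").lower()
    findings = []
    # 1. HR/IT-sounding subject, but the real address is not one of ours.
    if external and any(term in subject for term in HR_IT_TERMS):
        findings.append(f"HR/IT-themed subject from external domain '{sender_domain}'")
    # 2. Display name claims an internal team while the address does not.
    if external and TEAM_NAME.search(display_name):
        findings.append(f"display name '{display_name}' claims an internal team")
    # 3. Reply-To quietly routes answers to yet another domain.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from sender")
    # 4. The "policy" only exists behind a link that leaves the company.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for host in URL_HOST.findall(body):
        if not is_internal(host):
            findings.append(f"link to external host '{host.lower()}'")
    return findings

# Constructed sample: reads like HR, comes from somewhere else entirely.
SAMPLE = """\
From: HR Department <hr-notices@example.net>
Reply-To: replies@example.org
Subject: Updated Vacation Policy - action required

Please review the new policy here: https://hr-portal.example.net/view
"""
```

Running `triage_email(SAMPLE)` returns all four findings; the same subject sent from `hr@example.com` with an intranet link returns none, which is exactly the distinction the training is meant to drill in.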

The hard part is that something like 80% of phishing successes are a result of human error. KnowBe4 CEO Stu Sjouwerman said to Spiceworks, “New-school security awareness training your staff is one of the least costly and most effective methods to thwart social engineering attacks.”

Need help?

If you want to train your staff in how to recognize phishing attempts, or maybe most importantly, just instill in them the mindset to pause and question every business email they get, we can help. We aid hundreds of companies in their cybersecurity battles against phishing, malware, ransomware, etc. We love to chat cybersecurity, and we could probably help you shore up your defenses.

Drop us a line, and let us show you how we can make your business safer today.