Consumer Ploys Rise to the Top in Phishing Gambits

The bad guys behind phishing mails are changing up their tactics to appeal to personal motivators in their subject line lures.

In previous years, PhishMe reported that fear, urgency and curiosity were the top emotional motivators behind successful phishes (i.e., Delivery Issue or Parking Ticket for fear, Urgent Order or Canceled Transaction for urgency, and Final Version of the Report or Refund for Purchase for curiosity). Now these are closer to the bottom, replaced by entertainment, social media and reward/recognition gambits.

The shift, detailed in PhishMe’s latest report, is indicative that where work-related scams once ruled supreme when it came to the subject-line phishes that folks would fall for, consumer scams are taking their place.

“Employees will always take a break to do personal business online, so you can expect work and home email to continue blurring,” said the firm in the report. “Personal devices in the workplace often have multiple email accounts—the source of an email may not be distinguished as it should. However, to sustain morale, communication and collaboration, among other reasons, companies are unlikely to restrict BYOD or access to social media, news and entertainment sites.”

At a high level, the issue is how consumers/employees get their news and interact, PhishMe noted.

“Many news and social feeds are now subscription-based; they’re common in email and mobile device alerts,” the firm said. “This explains the rise in phishing attacks via social media links and fake news sites. Because they’re accustomed to them, people think it’s safe to click.”

In terms of the top emotional motivators, simulated e-card phishes appear across the top three: social, entertainment and reward/recognition. They’re an old ruse but a goodie. Internal promotions (raffles, ticket giveaways, free lunches, etc.) performed strongly, too, and several financial and compliance scenarios also had strong “take” rates.

And, despite the rise of consumer themes, the business email compromise/CEO fraud email approach, which uses neither a link nor an attachment, is the most effective simulated phish in PhishMe testing.
