Site icon Sophos News

Phishing tricks – the Top Ten Treacheries of 2020

Sophos Phish Threat, in its own words, is a phishing attack simulator – it lets your IT department send realistic-looking fake phishes to your own staff so that if they do slip up, and click through…
…it’s not the crooks on the other end.
The crooks are testing you all the time, so you might as well test yourself and get one step ahead.
(Don’t panic – this isn’t a product infomercial, just some intriguing statistics that have emerged from users of the product so far this year.)
You can knit your own scam templates to construct your own fake phishes, but the product includes an extensive collection of customisable templates of its own that we update regularly.
The idea is to to track the look and feel of real-world scams of all types, all the way from Scary Warnings of Imminent Doom to low-key messages saying little more than Please see the attached file.

History teaches us that email tricks can work surprisingly well with no text in the message body at all. One of the most prevalent email viruses of all time was HAPPY99, also known as Ska, which came out just over 20 years ago at the start of 1999. The email consisted only of an attachment – there was no subject line or message, so the only visible text in the email was the name of the attachment, HAPPY99.EXE. If you opened it, a New Year’s fireworks display appeared, though the animation was cover for the virus infecting your computer and then spreading to everyone you emailed thereafter. Ironically, the lack of any explanatory text at all meant that the email was much less suspicious than if the subject line had contained words in a language the recipient wouldn’t have expected. HAPPY99 as a filename all on its own had a timely and global appeal that almost certainly tricked millions more people into clicking it than if it had included any sort of marketing pitch.

Searching for the best worst

Well, the Phish Threat team asked themselves, “Which phishing templates give the best, or perhaps more accurately, the worst results?”
Are business email users more likely to fall for sticks or carrots? For threats or free offers? For explicit instructions or helpful suggestions? For “you must” or “you might like”?
The answers covered a broad range of phishing themes, but had a common thread: not one of them was a threat.
Most of them dealt with issues that were mundane and undramatic, while at the same time apparently being interesting, important, or both.
Nothing on this list was truly urgent or terrifying, and they all sounded likely and uncomplicated enough to be worth getting out of the way quickly.

The Top (or Bottom) Ten

What to do?

By the way, if you’re in the security team and you don’t have a quick and easy way for your staff to report potential cybersecurity problems such as suspicious phone calls or dodgy emails, why not set up an easy-to-remember internal email address today, and get used to monitoring it?
It doesn’t take much encouragement to turn your entire workforce into the eyes and ears of the security team.
After all, when it comes to cybersecurity, an injury to one really is is an injury to all.


Exit mobile version