Voices

Top 10 most successful phishing headlines reveal human faultlines

Firms are spending top dollar of late on security training for their staff, which is a good idea considering most security breaches are the result of social engineering. In other words, it is not technology but human beings that pose the highest risk of information breaches.

Socially engineered hacks usually take the form of phishing, a pun on “fishing,” in which bad actors send emails with enticing and deceptive subject lines in the hope that recipients will click on embedded links. These links can lead to surprise downloads of malware (software created to cause damage to a computer) or ransomware (software that holds sensitive information “hostage” until a fee is paid). Such malicious links can also lure victims into typing in the passwords to their online bank accounts, for instance, giving the cybercriminal access to those accounts.

At accounting firms, phishing is particularly troublesome because hackers can gain access to treasure troves of highly sensitive client financial data. KnowBe4, a security awareness training and simulated phishing platform provider, has compiled a report on the top 10 most-clicked phishing subject lines. Knowing these should put accountants on alert when they see such subject lines, so that they double-check that the email is legitimate before acting on it.

During its most recent quarterly review, KnowBe4 examined tens of thousands of email subject lines from simulated phishing tests. The company also examined real-world subject lines that show actual emails users received and reported to their IT departments as suspicious.

The list below shows the top 10 most-clicked phishing subject lines in KnowBe4’s study, ranked by the percentage of recipients who clicked on the links.

 1. Password check, or change of password, required immediately (19%)
 2. Your order with Amazon, or Amazon order receipt (16%)
 3. Announcement: Change in holiday schedule (11%)
 4. Happy Holidays! Have a drink on us (10%)
 5. Problem with bank account (8%)
 6. De-activation of [recipient's email] in progress (8%)
 7. Wire department (8%)
 8. Revised vacation and sick time policy (7%)
 9. Last reminder: Please respond immediately (6%)
10. UPS label delivery 1ZBE312TNY00015011 (6%)

“Clicking an email is as much about human psychology as it is about accomplishing a task,” said Perry Carpenter, chief evangelist and strategy officer at KnowBe4, in a statement. “The fact that we saw ‘password’ subject lines clicked four out of four quarters shows us that users are concerned about security. Likewise, users clicked on messages about company policies and deliveries each quarter, showing a general curiosity about issues that matter to them. Knowing this information gives corporate IT departments tangible data to share with their users and to help them understand how to think before they click.”

Implementing security training at accounting firms is no longer a value-add; it is a necessity. Every staff member is a potential target and has a role to play in firm security. For more insight into how to implement a successful security training program, see the American Institute of CPAs security resource center.