Kaspersky reveals phishing emails that confuse employees

Phishing simulator data from Kaspersky Security Awareness Platform shows workers tend not to notice pitfalls hidden in emails devoted to corporate issues

Almost one in five employees clicked a malicious link in an email imitating phishing attacks, according to phishing simulator data from Kaspersky Security Awareness Platform.

Recently, Kaspersky Lab used phishing simulator data in a study that has revealed employees are most likely to click on a phishing link within an email if the subject line and sender appear to relate to work or a missed delivery.

Kaspersky’s study was conducted between January 2021 and May 2022 and included the results of over 29,000 employees from 100 countries. With phishing emails behind an estimated 91% of all cyberattacks, the importance of understanding those campaigns that employees will fall for the easiest cannot be overstated.

Evaluating employees cyber security training 

The most effective phishing email in the study carried the subject line “Failed delivery attempt - Unfortunately, our courier was unable to deliver your item,” with 18.5% of people sent the email clicking the link it provided.

Using the Kaspersky Security Awareness Platform, system administrators can mimic phishing emails and send them without warning to employees. The results can then be tracked to indicate the level of security awareness amongst employees.

“Phishing simulation is one of the simplest ways to track employees’ cyber-resilience and evaluate the efficiency of their cybersecurity training. However, there are significant aspects that must be considered when conducting this assessment to make it really impactful,” comments Elena Molchanova, Head of Security Awareness Business Development at Kaspersky. 

Keeping up with cyber tactics

Other effective subject lines included “Emails not delivered due to overloaded mail servers,” “Online employee survey: What would you improve about working at the company,” and “Reminder: New company-wide dress code,” all of which prompted 17.5-18% of recipients to click their links. The most effective sender names included “Mail delivery service,” “The Google support team,” and “HR Department.”

Among the other phishing emails that gained a significant number of clicks are; reservation confirmations from a booking service (11%), a notification about an order placement (11%), and an IKEA contest announcement (10%).

“Since the methods used by cybercriminals are constantly changing, the simulation has to reflect up-to-date social engineering trends, alongside common cybercrime scenarios. It is crucial that simulated attacks are carried out regularly and supplemented with appropriate training – so users will develop a strong vigilance skill that will allow them avoid falling for targeted attacks or so-called spear phishing,” added Molchanova. 


Featured Articles

Tech & AI LIVE: Key Events that are Vital for Cybersecurity

Connecting the world’s technology and AI leaders, Tech & AI LIVE returns in 2024, find out more on what’s to come in 2024

MWC Barcelona 2024: The Future is Connectivity

Discover the latest in global technology and connectivity at MWC Barcelona 2024, where industry giants converge to discuss 5G, AI and more industry trends

AI-Based Phishing Scams Are On The Rise This Valentine’s Day

Research from Egress Threat Intelligence, Avast, Cequence Security & KnowBe4 outlines how AI is being used in dating app phishing scams on Valentine’s Day

Speaker Lineup Announced for Tech Show London 2024

Technology & AI

Darktrace predicts AI deepfakes and cloud vulnerabilities

Cloud Security

Secure 2024: AI’s impact on cybersecurity with Integrity360

Technology & AI