Washington, DC - “Sophisticated phishing emails are behind more than 90% of successful cyberattacks,” – Mike Rogers, former Chairman of the House Intelligence Committee

According to a new study by the security firm KnowBe4, found that the most effective phishing emails create a sense of urgency or panic in their recipients.

That’s not really surprising. Think about it, phishing relies heavily on social engineering. Social engineering, as it pertains to phishing, is the act of creating a believable enough situation that a target gives the intended reaction. By trying to invoke panic, the phishers are making their attack more effective because humans are prone to rash decisions. So instead of just looking at a believable email, now there’s an impetus to act as well.

Said Greg Kras of KnowBe4: “When you look at the top five items, four out of those five [most-clicked phishing email headlines for Q3] have words like ‘expires,’ ‘immediately,’ ‘notification… They’re all designed to get that sense of urgency. When people see that, they go into corrective action overflow where they’re trying to address what they consider to be a problem.”

Here are some of the most-clicked email headlines from the last three months:

  • Official Data Breach Notification (14%)

  • UPS Label Delivery 1ZBE312TNY00015011 (12%)

  • IT Reminder: Your Password Expires in Less Than 24 Hours (12%)

  • Change of Password Required Immediately (10%)

  • Please Read Important from Human Resources (10%)

  • All Employees: Update your Healthcare Info (10%)

  • Revised Vacation & Sick Time Policy (8%)

  • Quick company survey (8%)

  • A Delivery Attempt was made (8%)

  • Email Account Updates (8%)

There were also a spate of emails professing to be from LinkedIn, Amazon and Microsoft.

What can I do to stay safe?

The best advice we can offer is to verify before taking any action via email. If someone is asking you to take urgent action within your company, call them. Make sure. Don’t just blindly trust it.

For emails emanating from big companies, check the address it comes from. They wouldn’t be emailing from some spotty mail server, you’ll know it’s really from them.

Additionally, inspect any links before clicking on them. Make sure the domain you’re visiting is the correct one.

It’s impossible to stay completely safe from phishing, but vigilance is the best defense. If it looks funny, verify it. If it smells funny, verify it. And if you can’t verify it, leave it alone.