Cyber researchers report that about 30% of phishing emails are opened by recipients. This finding was shared with socialbites.ca by a local information security firm, Antiphishing. The conclusions came after 40,000 simulated phishing tests and observations from more than 20,000 employees across 37 companies.
In many cases — about 59% — employees opened emails with infected links. Emails carrying malicious attachments accounted for 32% of openings, while phishing messages reaching a worker’s account on social networks or instant messaging apps accounted for 9%.
The firm highlighted the five most common examples of malicious mails that employees encounter most often.
Business offer
Attackers frequently send notes to employees proposing partnerships with another company, typically within the same sector.
To appear credible, the message imitates formal business correspondence and cites real projects related to the target company’s activities.
An attached file, such as a compressed archive, contains code that, when opened, starts a malicious program. This grants attackers access to the victim’s corporate networks to extract confidential data.
A maneuver for scientists
Phishers may impersonate staff from well-known universities. They target scientists and journalists with a personalized link to a phishing registration form for a popular university online conference.
The objective is to steal login credentials for services like Google, Microsoft, Facebook, and Yahoo. In some cases, attackers offer a phone discussion to increase believability.
During a 2021 operation, scammers posed as staff from the London School of Oriental and African Studies and placed a phishing form on a compromised university-affiliated site. Victims were then directed to that site to complete the registration process.
As a result, attackers can obtain email account details to assemble political intelligence and send phishing emails from that address.
Advertising offer
Another tactic involves false requests for industrial services. An attached PDF is presented as a guide, but it actually contains an image with a link to malware.
Clicking the link installs a spyware program capable of stealing passwords and other data, enabling attackers to compromise accounts for resale or further exploitation.
Electronic signature service
In this scheme, the victim is asked to sign a document using an electronic service such as DocuSign. The message appears to come from a legitimate company and requests signing an attached document.
The user first encounters a page that seems to verify whether the user is visiting a phishing site, then is redirected to a final page asking for Microsoft account credentials.
Fake tech support
In a 2021 campaign, scammers pretended to represent a computer services firm. A bogus subscription invoice arrived by email, inviting the recipient to contact the company’s supposed technical support at a provided phone number.
During a follow-up call, the operator advised visiting a counterfeit company site and downloading remote-access software. After installation, the caller was prompted to share a password, granting full control to the intruders.
Who is the hacker’s main target?
According to Antiphishing, IT department staff show the greatest susceptibility, engaging in unsafe actions in about 75% of cases, while programmers tend to resist more effectively. However, most attacks succeed due to human error, such as clicking suspicious links or entering credentials on dubious sites.
Targeted attacks zero in on a specific person or organization, using information the victim would reasonably trust. Perpetrators may know the victim’s work environment and the tools they use, which lends credibility to phishing messages and lowers alertness. A security expert from a major analytics firm notes that people of all experience levels can fall for social engineering when pressure to act arises.
Experts emphasize that many people overlook infrastructure security, regardless of age or credentials. The advice is clear: scrutinize every message, avoid opening attachments, and refrain from clicking suspicious links to minimize risk.