According to Microsoft, 91% of cyberattacks start with an email. In an earlier Privacy Peril we provided information on prevalent words phishers of men and women insert in an email subject line to grab the recipient’s attention and increase the likelihood the email will be opened. Expel, Inc., a security monitoring company, analyzed 10,000 phishing emails during the month of July 2021 to determine the “top attack vectors” among the email subject lines being used by bad actors. Unsurprisingly, the majority of the illegitimate emails had one or more of three characteristics:
- They impersonated legitimate business activities.
- They created a sense of urgency.
- They prompted the recipient to take some action.
Subject lines including words like “Service Request,” “Action Required,” “New,” “Document” (e.g., “View Attached Document” or “‘X’ shared a document with you”), “Verification,” “eFax,” or “VM” (voicemail abbreviation) were often used because generic business terminology does not stand out as suspicious; action words prompt, well, action; and people are intrigued by something new. Moreover, TechRepublic reported that attackers are sophisticated enough to target finance professionals with fake “invoice” emails or human resources professionals with fake “resume” emails.
As always, be wary of any email that seems out of the ordinary or from an unknown sender. Ask yourself:
- Would a legitimate vendor seek payment of a large outstanding invoice and expect to collect by email?
- Should I act, immediately or otherwise, on a complete stranger’s directive?
- Was this “shared” (and unsolicited) document expected and will it benefit me?
- Is there really anything “new” under the sun?
The answer to each is “no.” Move on.