Why We STILL Fall for Phishing Emails

Why We STILL Fall for Phishing Emails

You grab a quick sip of coffee and flip on the computer.  You’re headed to a meeting in 5 minutes, but you decide to run through your email.  An easy deletion here, a tag there, but wait – here’s one that seems to be truly urgent.  It says click on this link and all will be well.  You click and nothing happens.  Oh well, off you go to your meeting. 

Unknowingly, you’ve clicked on a phishing email and unleashed a world of hurt for your company.

Why do so many of us still fall for phishing emails?  Are we too trusting?  Or careless?  Or rushed?

What we do know is that 91% of cyberattacks start with a phishing email.  It’s the single most successful tool cybercriminals use to steal your money, username and password, or both.

Cybersecurity Myths

Most of us don’t intend to wreak havoc.  But, we may not fully understand the risks because we believe these myths:

  • Our business has no information that hackers want.
    • Reality: Every business has data that can be exploited and turned into cash.  No exceptions.
  • We don’t think it’s our responsibility because IT should be able to stop all bad emails in the first place.
    • Reality: No tech tool can stop all dangerous emails.  Plus, some of the most effective emails ask you to do something but they don’t include links.  Spam filters let those emails through.
  • We think a data breach is no big deal.
    • Reality: In fact, the potential costs of a breach are significant, including exposure of client and business information, a costly insurance claim, reputational damage, and legal action.
  • We’re too busy to be diligent.
    • Reality: The bad guys count on this.

How to Evaluate Emails

We can all be smarter when it comes to evaluating emails.  It doesn’t take much extra time, either.  Here’s how:

  • Recognize Your Responsibility
  • Slow Down
  • Quick Check Risky Fields
  • Suspend Your Curiosity
  • Make Your Default “No Click”

Pay extra attention to these types of requests:

  • Transfer money or pay an invoice, especially if it’s “new” bank routing information
  • Purchase gift cards   
  • Change bank account information for payroll direct deposit
  • Enter your username and password or your email will stop working
  • Any unusual request that appears to come from a manager or supervisor – just walk down the hall and ask if you can or make a phone call to double-check.

Beware of These Subject Lines

Some email subject lines attract more clicks than others. Here are specific subject lines that were the top-clicked phishing emails in Q1 2019 according to KnowBe4:

Top-Clicked Social Media Related Subjects: 

  • LinkedIn: Join my network, Profile Views, Add me to your network, New InMail Message
  • Facebook: Password Change, Primary email changed
  • Login alert for Chrome on Motorola Moto X
  • Your password was successfully reset
  • New voice message at 1:23AM
  • Your Friend Tagged a Photo of You

Top 10 Most-Clicked General Email Subjects:

  1. De-activation of [[email]] in Process
  2. A Delivery Attempt was made
  3. You Have A New Voicemail
  4. Failed Delivery for Package #5357343
  5. Staff Review 2018
  6. Revised Vacation & Sick Time Policy
  7. APD Notification
  8. Your Order with Amazon.com
  9. Re: w-2
  10. Scanned image from MX2310U@[[domain]]

Most Common ‘In the Wild’ Attacks were:

  • Wells Fargo: You have a new secure mail
  • Undelivered Mail
  • Etrade: Action Required!
  • Microsoft Teams: Rick sent a message
  • Microsoft/Office 365: Action required: Update your payment information now
  • Stripe: Just now someone logged in to your account
  • HR: Your Action Required
  • Amazon: Refund Notification
  • OneDrive: Your OneDrive is out of storage space
  • HR: Download your W2 now

Education and Attitude

It all comes down to education and attitude.  Make sure you’re not the one who falls for phishing emails.  After all, the bad guys only need to get it right once – we need to get it right every time.


To learn more about how CRU Solutions can help keep your business safer, contact us.