Phishing mail continue to be the smoothest way for cybercriminals to get into an individual’s or an organisation’s computer network. Enticed by the ‘subject header’ in the emails, staff click the links purported to be sent by the HR department or the line in-charges, allowing the hacker to sneak into the system and infect it with malware.

That about 91 per cent of all cyberattacks begin with a phishing email and that phishing techniques are involved in 32 per cent of all successful data breaches, shows how harmful the phishing technique can be.

One in five (16 to 18 per cent) click the link in the email templates imitating these phishing attacks. A phishing simulator created by cybersecurity solutions firm Kaspersky throws light on what kind of phishing mails attract people more.

Data gathered from the phishing simulator, where volunteers joined the test, provides interesting insights into the kind of phishing mails that attracted them the most.

The simulator helps companies check if their staff can distinguish a phishing email from a real one without putting corporate data at risk.

An administrator can choose from a set of templates mimicking common phishing scenarios or create a custom template, then send it to a group of employees.

Top phishing mails

According to a few simulator-led campaigns, the top lures are:

1) Failed delivery attempt: Unfortunately our courier was unable to deliver your item. Sender: Mail delivery service. (About 18.5 per cent users clicked the link.).

2) Emails not delivered due to overloaded mail servers. Sender: The Google support team (About 18 cent users clicked)

3) Online employee survey: What would you improve about working at the company. Sender: HR Department. (About 18 per cent clicked the link)

4) Reminder: New company-wide dress code. Sender: Human Resources. (About 17.5 cent clicked the link)

5) Attention all employees: new building evacuation plan. Sender: Safety Department. (About 16 cent . clicked the link)

Among the other phishing emails that have gained a significant number of clicks are reservation confirmations from a booking service (11 per cent ), a notification about an order placement (11 per cent), and an IKEA contest announcement (10 per cent ).

The statistics are based on the results of 29,597 employees from 100 countries. The presented data includes templates sent to more than 100 users.

Threatening doesn’t work

Interestingly, employees are not worried if the attacker sends them a threatening mail. “The attempts are less successful. A template with the subject ‘I hacked your computer and know your search history’ got only 2 per cent of the clicks,” the data suggested.

“Phishing simulation is one of the simplest ways to track employees’ cyber-resilience and evaluate the efficiency of their cybersecurity training,” Elena Molchanova, Head of Security Awareness Business Development at Kaspersky, said.

How to thwart phishing attacks

Organisations are advised to remind their employees about the basic signs of phishing emails. A dramatic subject line, mistakes and typos, inconsistent sender addresses and suspicious links are the basic hallmarks of a phishing attack.

“If there is any doubt about the received email, check the format of attachments before opening them and the link accuracy before clicking,” she said.

This can be achieved by hovering over these elements - make sure the address looks authentic and the attached files are not in an executable format.

“You must always report phishing attacks. If you spot a phishing attack, report it to your IT security department and, if possible, avoid opening the malicious email. This will allow your cybersecurity team to reconfigure anti-spam policies and prevent an incident,” she said.