In a Webroot study of 600 IT decision makers, phishing attacks leapfrogged from the number three spot in 2017 to the number one breach concern among organizations. Although 100 percent of those surveyed train employees on cybersecurity best practices, that number drops by half when they are asked whether their training program is continuous. As reports of data breaches continue to climb, annual compliance reminders or one-time onboarding briefs just don’t cut it in combating today’s crafty cybercriminals. Threat actors constantly adjust and adapt their tactics, and social engineering continues to be the most popular way to launch email attacks.

Building a successful security awareness program starts with education. Phishing simulation campaigns are a great way to kick off your program, deliver ongoing training and keep your employees sharp while identifying additional training needs.

Can you spot phishy indicators? Below are a few of our most popular phishing templates used by our clients; see if you can recognize what’s phishy before reading the hints.


Email #1 Drive-By Attack


From: Hilton Orlando <hilton-orlando@encyrpt-mail.net>

Subject: You Deserve a Vacation – Take One on Us!


Hi Joe,

Have you heard the news? Hilton Orlando has partnered with the Madison Chamber of Commerce to give one lucky Madison resident an all-expenses-paid vacation to one of the most magical destinations in the world!

Enter to Win!

You deserve a vacation this summer. Enter for your chance to win:

  • A four-night stay at Hilton Orlando
  • Eight theme park tickets to Walt Disney World Resort
  • Rental vehicle access for five days


Hurry! The 2018 Hilton Orlando’s Summer Getaway Sweepstakes ends 7/31. Enter today to win the Orlando getaway of your dreams!

Learn More

Good Luck!

Merida White

Hilton Orlando Client Relations


What’s phishy about this email?

  • The offer is too good to be true. Any time an email offers free goods or services, raise your suspicions
  • The links don’t tell you where they lead. Hackers use link masking to hide the actual URL behind the link text. Most browsers display the true destination when you hover the mouse pointer over it
  • The personal touches. Company logos, signatures and position titles are easy to find on the internet, and hackers use them to make phishing emails look more legitimate and to target their victims


Email #2 Attachment Attack

From: Dropbox

Subject: Michael Schmidt wants to share “schmidt_2018_1040.pdf” with you


Michael Schmidt invited you to a Dropbox shared folder called “schmidt_2018_1040.pdf” and left you this message:

“FYI”

Download Folder


What’s phishy about this email?

  • Do you know Michael Schmidt? It’s easy for hackers to look up employee directories; many are available online
  • If you do know Michael, do you work with him regularly? Out-of-the-blue correspondence is a phishing red flag
  • Scrutinize the email: a generic “Dropbox” sender with no visible address and a one-word “FYI” message are vague and unclear. Hackers purposefully titillate, giving just enough to entice you to click and see for yourself

Email #3 Business Email Compromise Attack

From: Samsung mail <samsung@strong-encryption.com>

Subject: Failed payment

Hey Joe,

I just tried making a payment with our corporate credit card and it didn’t go through. The number is correct I think. Did we get a new card? Maybe the expiration date or code is different? Can you send me this info quick? I need to get this taken care of today or we’ll be fined.

Thanks,

Jenna Hulbert

Account Manager

Sent from my Samsung Galaxy smartphone

What’s phishy about this email?

  • The sender appears to be an account manager, but inspect the sender line: the email is from “Samsung mail”, and strong-encryption.com is a phishy domain that has nothing to do with your company
  • A manager is requesting sensitive information via email. You should never share confidential information via email, and any manager would be familiar with this commonplace company policy
  • There’s a sense of urgency and pressure for you to act quickly. The short timeline and financial consequence are designed to create anxiety, so you respond with the information before you have a chance to think it through
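The three hints above (inspect the sender line, hover to reveal the real link target, notice pressure to act fast) can be turned into a small triage script that scores a message the way a trained employee would. The following is an added example, not part of the original post or of SecurityIQ’s simulator; the brand allow-list, the urgency phrase list and the sample HTML are constructed for illustration and a real deployment would build them from its own mail history.

```python
import re
from email.utils import parseaddr

# Constructed allow-list: the domains a brand named in the display name is expected to send from.
KNOWN_BRAND_DOMAINS = {
    "hilton": {"hilton.com"},
    "dropbox": {"dropbox.com"},
    "samsung": {"samsung.com"},
}
# Constructed, illustrative pressure phrases drawn from the sample emails above.
URGENCY_PHRASES = ("hurry", "today", "quick", "fined", "ends")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(addr: str) -> str:
    """Last two labels of the address domain (good enough for .com/.net lures)."""
    return ".".join(addr.rsplit("@", 1)[-1].lower().split(".")[-2:])

def sender_red_flags(from_header: str) -> list[str]:
    """Red flags from the From: line, automating the 'inspect the sender' hint."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:  # Email #2: a bare "Dropbox" shows no address at all
        return ["display name only, no visible sender address"]
    domain = registrable_domain(addr)
    flags = []
    for brand, good_domains in KNOWN_BRAND_DOMAINS.items():
        if brand in name.lower() and domain not in good_domains:
            flags.append(f"'{brand}' in display name but sent from {domain}")
    return flags

def masked_links(html: str) -> list[tuple[str, str]]:
    """(visible text, real host) for every link whose text hides its destination,
    i.e. what hovering the mouse pointer over the link would reveal."""
    hidden = []
    for href, inner in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        host = re.sub(r"^https?://", "", href).split("/")[0].lower()
        if host not in text.lower():
            hidden.append((text, host))
    return hidden

def urgency_cues(body: str) -> list[str]:
    """Pressure words that push the reader to act before thinking it through."""
    return [p for p in URGENCY_PHRASES if re.search(rf"\b{p}\b", body.lower())]

def triage(from_header: str, html_body: str) -> dict:
    """Combine the three checks into one report for an awareness reviewer."""
    return {"sender": sender_red_flags(from_header), "links": masked_links(html_body),
            "urgency": urgency_cues(re.sub(r"<[^>]+>", " ", html_body))}
```

Run `triage()` over the three template emails and each one trips at least one of the checks, while a genuine mailing from an allow-listed domain with visible link targets and no pressure phrases reports nothing.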

SecurityIQ’s phishing simulator includes thousands of phishing templates across a variety of attack types and difficulty levels. Our customizable templates make training fun, interactive and engaging while building a culture of security awareness for your organization. Teach your team to detect phishing like a pro! Start your free trial.