The numbers are staggering. Each day, 156 million phishing emails are sent. Spam filters catch about 90% of them, but that still leaves roughly 16 million phishing emails reaching recipients’ inboxes, where half are opened. Of the 8 million emails opened, 800,000 lure recipients into clicking a link. That simple act can lead to malware being installed, payment card numbers being stolen, personal data being pilfered, and more.
So how do cybercriminals lure people into clicking (or tapping) links in phishing emails? They often lie. Here are five common lies that phishers use to trick you into clicking links:
1. There Is a Problem with Your Account
For a phishing campaign to be successful, cybercriminals need to create email messages that not only grab people’s attention but also get them to act quickly. Falsely claiming that there is a problem with an account can elicit both responses.
In the phishing emails, the cybercriminals first declare that there is a problem with your account that requires immediate attention. Then, they let you know there will be unfortunate consequences if you do not take action quickly. For example, an email supposedly from Netflix might state that your payment card is expired and you need to update it in the next 48 hours to avoid a disruption in service. Or a message supposedly from Chase Bank might tell you that your account has been temporarily suspended because of suspicious activity so you need to verify your account information within 24 hours to restore access.
2. Someone Is Sharing a File with You
People frequently share photos, video clips, reports, business documents, and other types of files using cloud services such as Dropbox and iCloud. Cybercriminals like to take advantage of these services’ popularity in their phishing campaigns. For example, they often send emails that look like official Dropbox notifications. The email message might have a casual tone (e.g., “I just shared a video clip with you that was too large to email”) or a more formal one (e.g., “A new document has just been shared with you by one of the members of your group”). In either case, you will be told to click the provided link to access the file being shared.
Similarly, cybercriminals sometimes create phishing emails that look like the notifications sent by file-sharing functions in popular apps. For instance, hackers have been spoofing Google Docs’ file-sharing notifications for years. In one of the campaigns, the phishing email was designed to list a real contact from the victim’s address book as the sender.
3. Your Payment Is Overdue
Being falsely accused of not paying a bill can get people’s hearts racing. Cybercriminals know that it can also get people’s fingers clicking.
Numerous variations of this phishing scheme exist, but they share two common elements:
- The emails claim that you have not yet paid for a product or service that you recently received.
- The emails tell you to click a link to see the invoice, dispute the bill, or perform some other action in response to the email.
4. Your Order Is Confirmed
When you order products and services from large e-retailers such as Amazon and Walmart, they send you an email that confirms the order and gives details about it (e.g., what was ordered, expected delivery date). Some cybercriminals use fake order confirmations as phishing fodder. The fake confirmations are made to look like the real ones. Besides listing bogus details about the order, the confirmation includes a link that people can supposedly use to dispute it and get a refund. The cybercriminals hope that recipients will click this link, believing that their store account has been used to conduct unauthorized transactions.
5. This Is a Message from HR
Human resources (HR) staff members are responsible for managing the employee lifecycle, administering employee benefits, and handling employees’ sensitive data. Thus, it is common for them to ask employees to download and read files, fill out forms, and provide sensitive information — which is why cybercriminals pretend to be HR staff in phishing emails. Few employees would question why HR is asking them to click a link to download the new vacation policy or to open an electronic form they need to complete.
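The five lures above share cues that can be checked mechanically before anyone clicks: deadline pressure ("within 24 hours"), account-problem language ("suspended", "verify your account", "overdue"), and a link whose real destination matches neither the displayed text nor the sender's domain. As an added example that is not part of the original article, the Python below scores a constructed HTML email for those cues. The sender address, domains and message text are made up for illustration, and the domain comparison uses a crude last-two-labels rule instead of a public-suffix list, which is an assumption for the example.

```python
"""Heuristic triage of a suspected phishing email for the lures described above.

Added example, not code from the original article. The sample messages are
constructed; domains such as netflix-billing-update.example are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases matching the "problem with your account", deadline, and billing lures.
URGENCY_PATTERNS = [
    r"\bwithin\s+\d+\s+hours?\b",
    r"\bin the next\s+\d+\s+hours?\b",
    r"\b(temporarily\s+)?suspended\b",
    r"\bverify your (account|information|identity)\b",
    r"\bpayment (card|method) (is|has) expired\b",
    r"\bavoid (a )?(disruption|interruption)\b",
    r"\boverdue\b",
    r"\bdispute\b",
]


class LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain):
    """Hostname of a URL, or of a bare domain (scheme assumed when missing)."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return urlparse(url_or_domain).hostname or ""


def registrable_domain(host):
    """Last two DNS labels. Assumption: no public-suffix list (co.uk etc. misfire)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(sender, html_body):
    """Return {'score': n, 'findings': [...]} for one message."""
    findings = []
    text = re.sub(r"<[^>]+>", " ", html_body)  # strip tags for phrase matching
    for pat in URGENCY_PATTERNS:
        if re.search(pat, text, re.IGNORECASE):
            findings.append(f"urgency phrase: /{pat}/")

    sender_domain = registrable_domain(sender.split("@")[-1])
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, anchor in parser.links:
        target = registrable_domain(host_of(href))
        if target and target != sender_domain:
            findings.append(f"link to {target} from sender domain {sender_domain}")
        # Anchor text that looks like a URL/domain but points somewhere else.
        shown_match = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", anchor.lower())
        if shown_match:
            shown = registrable_domain(host_of(shown_match.group(0)))
            if shown and shown != target:
                findings.append(f"displayed {shown} but href goes to {target}")
    return {"score": len(findings), "findings": findings}


# Constructed samples: one mimicking the "account problem" lure, one benign.
PHISH_SENDER = "billing@netflix-billing-update.example"
PHISH_BODY = """<html><body>
<p>Your payment card is expired. Update it within 48 hours to avoid a disruption in service.</p>
<p><a href="http://account-verify.example/login">https://www.netflix.com/YourAccount</a></p>
</body></html>"""

LEGIT_SENDER = "no-reply@example.com"
LEGIT_BODY = """<html><body>
<p>Your monthly statement is available.</p>
<p><a href="https://www.example.com/account">Manage your account</a></p>
</body></html>"""

if __name__ == "__main__":
    for label, sender, body in (("phish", PHISH_SENDER, PHISH_BODY),
                                ("legit", LEGIT_SENDER, LEGIT_BODY)):
        result = analyze(sender, body)
        print(label, result["score"], *result["findings"], sep="\n  ")
```

On the constructed phishing sample this flags three urgency phrases, a link whose domain differs from the sender's, and anchor text showing netflix.com while the href goes elsewhere; the benign sample scores zero. The display-versus-href check is the one to teach users as well: hovering over the link shows the same mismatch the parser finds.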