Report: beware consumer scams that target users at work

Back in October, PhishMe® reported a Netflix email scam appearing in office inboxes. Now our 2017 Phishing Resiliency and Defense Report confirms the danger: based on millions of simulated phishes across PhishMe customers, the study shows the most tempting workplace scams have a consumer flavor.

The top “emotional motivators,” or buttons to push, in workplace phishing are:

  • Nearly 1 in 5 employees bit on entertainment-themed emails. Examples: holiday e-card alerts and college basketball gambling.
  • One reason: the rise in subscription-based news and social feeds. Bogus Thanksgiving recipes and funny office pictures are leading culprits.
  • Many of these emails triggered both personal and professional reactions. “Free Coffee” worked well, as did “New Rewards Program.”

As Internet behavior changes, so do cyberattacks.

In previous reports, PhishMe noted that fear, urgency and curiosity were the top emotional motivators behind successful phishes. Now they’re closer to the bottom. Their themes tend to focus on work versus having fun. For example: fake notices from state bar associations and “Mold Found in Your Office.”

It’s possible that mature anti-phishing programs have conditioned employees to spot work-related scams. Since consumer scams at work are a new trend, they haven’t appeared as often in phishing simulations.

Employees will always take a break to do personal business online, so expect work and home email to continue blurring. Personal devices in the workplace often have multiple email accounts—the source of an email may not be clear.

However, to maintain morale, communication and collaboration, most companies won’t restrict BYOD or access to social media, news and entertainment sites.

The core issue is how people get their news and interact.

Many news and social feeds are now subscription based; they’re common in email and mobile device alerts. This explains the rise in phishing attacks via social media links and fake news sites. Because they’re accustomed to them, people think it’s safe to click.

The best way to combat a knee-jerk response: teach your people to be aware of their emotional reactions to emails and see them as phishing triggers. You can be sure attackers are paying attention.

A few more tips:

  • Understand the dynamics of entertainment or social phishing (think uncritical social acceptance and shortened URLs).
  • Stress vigilance when it comes to emails promising rewards. If it sounds too good to be true…well, you know the rest.
  • Take note of internal reward programs in danger of being mimicked. If you know how legitimate emails look and read and who they ought to come from, you stand a better chance of catching counterfeits.

Last but not least, when creating simulations add some consumer themes. Remember that users’ personal lives don’t stop when they get to work.

For a deeper look at phishing, view our 2017 Phishing Resiliency and Defense Report.
