The Ten Kinds of Phishing Emails Most Likely to Hook You

Robert Hackett, August 4, 2017
Knowing what people fall for most can help arm you against the most successful schemes.


One hazard of being a cybersecurity reporter is that attackers send phishing emails to my inbox on a daily basis.

If you don't believe me, ask the security team at Time Inc., Fortune's parent company.

A typical exchange between me and Time Inc.'s information security team, June 21, 2017.


Most successful phishing emails, by subject line

Share  Subject line
21%    Security Alert
14%    Revised vacation/sick leave policy
10%    UPS tracking number: 1ZBE312TNY00015011
10%    Breaking news: United Airlines passenger dies of brain hemorrhage (video)
10%    A delivery attempt was made for your package
9%     All employees: please update your healthcare information
8%     Change your password immediately
7%     Verify your password immediately
6%     Unusual sign-in activity alert
6%     Action required immediately

Based on phishing emails that tricked 22,060 people (Q2 2017)

Truth is, anyone online can be a target for hackers, spies, and cybercriminals. You might not think you're that interesting, but the funny thing about networks is that even if you are boring (surely you mustn't be, given that you're a Fortune reader), hackers may still aim to A) profit from your misfortune, and B) use you as a stepping stone to get at someone else.

Given its low cost and high success rate, phishing has become a favorite scam of everyone from the lowliest crooks to the mightiest state-sponsored computer crackers. Perhaps the most well-known recent example of a phishing attack occurred when likely Moscow-backed intruders pilfered the email inbox of John Podesta, former chairman of Hillary Clinton's presidential campaign, eventually leading to the publication of its contents online. Last year, hackers infiltrated many state and local election databases in the U.S. in the lead-up to the vote. And in recent weeks, another wave of attacks came to light that targeted the business systems of nuclear power plants.

These are just some of the recent high-profile instances of phishing. Given the pervasiveness of the threat, it's wise for people to brush up on the types of lures that attackers use to bait their victims. In a recent survey, KnowBe4, a firm that provides cybersecurity awareness training for employees, compiled data on the phishing attempts it found most successfully duped people.

KnowBe4 measured the number of times clients and participants in its free online phishing test took the bait of its own trick emails between April 1 and June 30, 2017. During that period, the company sent roughly 6.6 million bogus messages to more than 2 million individuals. Below is data on the top 10 messages; they fooled 22,060 people, each of whom clicked on the links inside the messages. (The number of total victims is much higher, but we're just focusing on those who fell for the top 10 lures.)



(Fortune China)

Translator: Yan Kuangzheng

From the data, you can piece together what tends to fool people the most. "Security Alert" leads by a mile, having duped more than 4,600 people. Other lures relating to security had good success too, such as items related to password hygiene and unusual account activity. Other effective tactics involved sending notes purporting to relate to package deliveries, work-related information, and news.

On average, KnowBe4 says it finds that 16% of people who open a phishing email click on the links within it. In real attack scenarios, those links or attachments will be malicious, and can lead to a theft of login credentials or the installation of malware onto a device. KnowBe4's links, on the other hand, were benign.

Stu Sjouwerman, CEO of KnowBe4, told Fortune that attackers often aim for employees because they consider them "the low-hanging fruit that they can manipulate to get into a network."

"The number one attack vector is email, so all users need to be trained to not click on links in emails, and never open an attachment they did not ask for or did not expect without verification," he said. (It's worth noting that 44% of KnowBe4's attacks were related to LinkedIn messages, which people often connect to their work email addresses.)

The above is by no means an exhaustive list of phishing lures. These are just some subject lines that KnowBe4 devised and tested. Cybercriminals are a crafty bunch, and there are an infinite number of variations they could try to get the best of you.

Knowing what people fall for most can help arm you against the most successful schemes.
