Subject Lines That Push Your Buttons: The Top Ten Phishing Openers

Consumers are worried about cyber security -- so much so that they are opening phishing emails designed to exploit that fear. When will they learn?

KnowBe4 studied tens of thousands of email subject lines from simulated phishing tests, and found that email users are falling for lines that play on “human emotions by causing feelings of alarm or curiosity,” states Perry Carpenter, chief evangelist and strategy officer, KnowBe4.

The tests included insidious simulated phishing templates created by KnowBe4 for clients and custom email designed by clients.

Here are the most clicked-on phishing test subject lines in the third quarter:

  • Password Check Required Immediately — 29%
  • You Have a New Voicemail — 13%    
  • Your order is on the way — 11%
  • Change of Password Required Immediately — 10% 
  • De-activation of [[email]] in Process — 9% 
  • Password Check Required Immediately — 6%
  • UPS Label Delivery 1ZBE312TNY00015011 — 6% 
  • Revised Vacation & Sick Time Policy — 6% 
  • You’ve received a Document for Signature — 5% 
  • Spam Notification: 1 New Messages — 5%

KnowBe4 also studied “wild west” subject lines from emails that were actually received and reported to company IT departments. Here are the top ten:  

  • You have a new encrypted message 
  • IT: Syncing Error – Returned incoming messages 
  •  HR: Contact information
  • FedEx: Sorry we missed you. 
  • Microsoft: Multiple login attempts 
  • Wells Fargo: Irregular Activities Detected on Your Credit Card
  • LinkedIn: Your account is at risk!
  • Microsoft/Office 365: [Reminder]: your secured message
  • Coinbase: Your cryptocurrency wallet: Two-factor settings changed

"Hackers are leveraging an individual’s desire to remain security minded or well informed by playing into his/her psyche," Carpenter says. "They do this by making someone believe they are at risk or that something needs immediate attention."

Carpenter adds, "These types of attacks are effective because they cause a person to simply react before thinking logically about the legitimacy of the email."

The antidote? Training, KnowBe4 says.  


Next story loading loading..