Poisoned Apples: Email Subject Lines That Snooker Recipients

Want to get a prospect to open your email? Mention LinkedIn in the subject line. That’s one of the findings of a report by security firm KnowBe4, unveiled in time for World Social Media Week. But we don’t recommend that you try it.

KnowBe4 ran simulated phishing tests and found that subject lines that spoofed LinkedIn were clicked on 50% of the time.

These subject lines from Hell typically prey on recipients' concerns, especially about human resources, corporate policies, W-2 forms and Amazon. These ranked in the top 10 this quarter for simulated tests and in-the-wild email subject lines, the company says.

The subject lines that appeared to come from LinkedIn include:

  • Join my network
  • Profile Views
  • Add me to your network
  • New InMail Message

These subject lines were a combination of KnowBe4’s simulated phishing templates and customized tests it designed for clients.



Many LinkedIn users, especially those with business development responsibilities, have their accounts tied to their corporate email addresses, increasing the risk of a phishing attack or social engineering threat against the company.

Social media is another promising avenue for cyber crime

“From the standpoint of a hacker, social media gives an all-access entry point into an organization because some social media accounts are tied to corporate email addresses. I cannot stress enough that employees need to be hyper-vigilant about clicking on emails and links that come to their corporate email addresses,” states Stu Sjouwerman, CEO, KnowBe4. 

Sjouwerman adds that “clicking to view a new job posting or to identify who has viewed your LinkedIn profile could easily open the gates to bad actors who want to cause damage to the organization.” 

The weak spot in many firms is the propensity of employees to click on what they think are trusted sources. 

They do this to protect their information, but end up being compromised.

“To best protect personal information and your organization, you have to have a defense-in-depth security strategy that includes training your users to spot phishing emails,” Sjouwerman says.

On the other hand, this test shows that a legitimate company working with LinkedIn could enjoy skyrocketing click-through rates, assuming LinkedIn would allow it to use the name.

Happy Social Media Week. 
