Email senders struggle year in and year out to find the right subject lines. They should search no further. Security awareness training firm KnowBe4 has identified some very effective ones. The trouble is, they are all phishing lures, and most of them are designed to mimic internal company emails, HR notices in particular.

Here are the most clicked-on phishing subject lines globally, with the percentage KnowBe4 reports for each:
- HR: Vacation Policy Update (15%)
- HR: Important: Dress Code Changes (15%)
- Password Check Required Immediately (13%)
- HR: Your performance evaluation is due (10%)
- Weekly Performance Report (9%)
- LinkedIn: Who's searching for you online (8%)
- IT: Internet Report (8%)
- HR: Please update W4 for file (8%)
- Acknowledge Your Appraisal (7%)
- Employee Expense Reimbursement for [[email]] (7%)
Now it can be argued that few savvy people would respond to these emails. About the only one that might get this writer is the LinkedIn one; my inclination is to never answer anything from HR. But people apparently do fall for them, causing real damage to their companies. They also fall for these common subject lines seen "in the wild", that is, in real phishing emails rather than in simulations:
- Google: You were mentioned in a document: "Strategic Plan Draft"
- IT: Inventory Form
- Microsoft 365: Microsoft 365 has new password requirements
- Amazon: Balance paid on your seller account
- Xerox: New document was processed for [[email]]
- Zoom: [[manager_name]] has sent you a message via Zoom Message Portal
- Facebook: Your recent Facebook login
- Your fax is pending for preview
- Money has been successfully withdrawn from your bank account
Want to protect yourself at work? Here are the top 5 attack vector types, each with the tell-tale sign to look for:

- Link: a phishing hyperlink in the body of the email
- Spoofed domain: the message appears to come from the user's own domain
- Branded: the phishing (test) link carries the user's organizational logo and name
- PDF attachment: the email carries a PDF attachment
- Credentials landing page: the phishing link directs users to a data-entry or login landing page
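As an added example, not code from the article or from KnowBe4, here is a small Python script that checks a raw email for those five indicators and runs it over two constructed sample messages: a lure that hits all five (a "branded" HR notice apparently from the user's own domain, with a PDF and a login link) and a benign internal newsletter. The organization domain example.com, the credential keyword list and the two-indicator threshold are assumptions chosen for illustration.

```python
"""Score a raw email for the five phishing indicators listed above.

Added example, not from the article or KnowBe4. Assumptions (hypothetical):
the protected organisation is example.com and two or more indicators mean
the message deserves a second look.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"           # assumption: the organisation's own domain
ORG_NAME = ORG_DOMAIN.split(".")[0]  # "example", used by the "branded" heuristic
CREDENTIAL_WORDS = ("login", "signin", "sign-in", "sso", "verify", "password", "auth")

# Constructed sample: looks like internal HR mail, bounces to an unrelated relay,
# shows the company logo, attaches a PDF and links to an external "sign in" page.
SAMPLE_EML = b"""\
Return-Path: <bounce@mail-relay-123.invalid>
From: "HR Department" <hr@example.com>
To: alice@example.com
Subject: HR: Vacation Policy Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://cdn.example.com/logo.png" alt="Example Corp">
<p>Please review the updated policy and
<a href="https://example-com-login.invalid/sso">sign in to acknowledge</a>.</p>
</body></html>
--XYZ
Content-Type: application/pdf; name="Vacation_Policy.pdf"
Content-Disposition: attachment; filename="Vacation_Policy.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

# Constructed benign sample: internal newsletter, bounce address in-domain,
# one link to an internal host, no attachment.
BENIGN_EML = b"""\
Return-Path: <bounce@example.com>
From: "Internal Comms" <news@example.com>
To: alice@example.com
Subject: Weekly newsletter
Content-Type: text/plain; charset="utf-8"

This week's Example Corp policy updates are on the intranet:
https://intranet.example.com/policies
"""


def _domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _in_org(host):
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def _body_and_links(msg):
    """Collect text bodies, every http(s) URL in them, and whether a PDF is attached."""
    bodies, links, has_pdf = [], [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        ctype = part.get_content_type()
        if part.get_content_disposition() == "attachment" or filename:
            if ctype == "application/pdf" or filename.lower().endswith(".pdf"):
                has_pdf = True
            continue
        if ctype in ("text/plain", "text/html"):
            text = part.get_content()
            bodies.append(text)
            links += re.findall(r"https?://[^\s\"'<>)]+", text, re.I)
    return "\n".join(bodies), links, has_pdf


def score(raw):
    """Return a dict of the five indicators for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body, links, has_pdf = _body_and_links(msg)
    external = [u for u in links if not _in_org(urlparse(u).hostname or "")]
    from_dom = _domain_of(msg.get("From"))
    # Return-Path outside the org while From claims the org is a cheap spoof signal;
    # production logic should rely on Authentication-Results (SPF/DKIM/DMARC) instead.
    rp_dom = _domain_of(msg.get("Return-Path"))
    return {
        "link": bool(links),
        "spoofed_domain": from_dom == ORG_DOMAIN and not _in_org(rp_dom),
        "branded": ORG_NAME in body.lower() and bool(external),
        "pdf_attachment": has_pdf,
        "credential_page": any(w in u.lower() for u in external for w in CREDENTIAL_WORDS),
    }


def is_suspicious(raw, threshold=2):
    return sum(score(raw).values()) >= threshold


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EML), ("newsletter", BENIGN_EML)):
        print(name, score(raw), "suspicious" if is_suspicious(raw) else "ok")
```

Two caveats a practitioner would add: a Return-Path that differs from the From domain is normal for mail sent through third-party senders, so the spoofed-domain check is only a hint until DMARC alignment is consulted; and the "credential page" keywords will also match legitimate internal SSO links, which is why only links outside the organization's domain are counted.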
Here’s the takeaway from all this:
"We already know that more than 80% of company data breaches globally come from human error," says Stu Sjouwerman, KnowBe4's CEO. "New-school security awareness training for your staff is one of the least costly and most effective methods to thwart social engineering attacks."