The most successful email lures don’t promise riches, but issue imminent cybersecurity warnings or urgent office messages, a report reveals.
By now, even the least-seasoned email user knows not to open messages from Nigerian princes or vacationing “friends” desperate for an emergency loan.
But bad actors have become increasingly clever in phishing attempts. KnowBe4, which provides security awareness training, revealed the most clicked subject line in a fourth-quarter report.
The most effective lure, the firm found, was an urgent message to immediately check a password, with 39% of users falling for the ruse.
“With more end users becoming security-minded, it’s easy to see how they fall for phishing scams related to changing or checking their passwords,” said Stu Sjouwerman, KnowBe4’s CEO, in a release.
And just because you work in tech doesn’t mean you’re immune. “These subject lines are very effective against tech pros as well,” said Erich Kron, security awareness advocate, KnowBe4.
“Tech professionals tend to become comfortable with email and technology, and therefore can be less careful than people who are more suspicious of everything,” Kron said. “When speaking to tech pros about emails they fell for, they seem to realize that they made an error by clicking much faster than non-technical employees, however, it’s often too late at that point.”
But social media messages have also effectively tricked users, notably when LinkedIn is the subject—55% were successful, with Facebook following at 28%.
“Not surprisingly, LinkedIn email subjects top the social media list for Q4 in a pretty big way. Q4 is a time where people are setting resolutions for the following year, and this often involves a job search. Activity related to LinkedIn tends to spike in this quarter, meaning people are more likely to view and click these emails.”
Research for the report was gathered through an examination of thousands of email subject lines from simulated phishing tests.
KnowBe4 also reviewed “in-the-wild” email subject lines, which added previously received email as an additional incentive to open, as well as company emails reported to IT departments as suspicious.
Top 10 most-clicked general phishing email subjects
(This also represents the actual capitalization and spelling used in the original phishing subject lines.)
- Change of Password Required Immediately 26%
- Microsoft/Office 365: De-activation of Email in Process 14%
- Password Check Required Immediately 13%
- HR: Employees Raises 8%
- Dropbox: Document Shared With You 8%
- IT: Scheduled Server Maintenance – No Internet Access 7%
- Office 365: Change Your Password Immediately 6%
- Avertissement des RH au sujet de l’usage des ordinateurs personnels 6%
- Airbnb: New device login 6%
- Slack: Password Reset for Account 6%
The above email subject lines are a combination of both simulated phishing templates KnowBe4 created and custom tests from their customers.
The “in-the-wild” email subject lines were gathered from actual user emails, which were then reported to their company IT department.
Here are the most popular (also with original capitalization and spelling):
- SharePoint: Approaching SharePoint Site Storage Limit
- Microsoft: Anderson Hauck has shared a Whiteboard with you
- Office 365: Medium-severity alert: Unusual volume of file deletion
- FedEx: Correct address needed for your package delivery on [[current_date_0]]
- USPS: Your digital receipt is ready
- Twitter: Your Twitter account has been locked
- Google: Please Complete the Required Steps
- Cash App: Your Account Has Been Closed
- Coinbase: Important Please Resolve Error Now
- Would you mind taking a look at this invoice?
Email users “should be especially cautious if an email seems too good to be true, such as a giveaway,” Sjouwerman said. “As identifying phishing attacks from legitimate emails becomes trickier, it’s more important than ever for end-users to look for red flags, and think before they click.”
KnowBe4 provides security awareness training and a simulated phishing forum.