Bait for the phish: The subject lines that reel them in.

To those of us who work in the MarComm field – or in business generally – it may seem odd how so many people can get suckered into opening e-mails that contain malware or otherwise wreak havoc with their devices.

But as it turns out, the phishing masters have become quite adept at crafting e-mail subject lines and content that successfully ensnare even the most alert recipients.

In fact, the phishers actually exploit our concerns about security by sending e-communications that play off of those very fears.

To study this effect, cybersecurity firm KnowBe4 conducted an analysis of the most clicked-on phishing subject lines of 2018. Its evaluation was two-pronged – charting actual phishing e-mails received by KnowBe4 clients and reported by their IT departments as suspicious, as well as conducting simulated phishing tests to monitor recipient behavior.

What KnowBe4 found was that the most effective phishing e-mail subject lines generally fall into five topic categories:

  • Passwords
  • Deliveries
  • IT department
  • Company policies
  • Vacation

More specifically, the ten most clicked-on subject lines during 2018, in order of rank, were these:

  • #1. Password Check Required Immediately / Change of Password Required Immediately
  • #2. Your Order with Amazon.com / Your Amazon Order Receipt
  • #3. Announcement: Change in Holiday Schedule
  • #4. Happy Holidays! Have a drink on us
  • #5. Problem with Bank Account
  • #6. De-activation of [recipient’s e-mail address] in Process
  • #7. Wire Department
  • #8. Revised Vacation & Sick Time Policy
  • #9. Last reminder: please respond immediately
  • #10. UPS Label Delivery 1ZBE312TNY00015011

Notice that nearly all of them pertain to topics that seem important, timely and in need of the recipient's attention.

Another way that KnowBe4 analyzed the situation was by pinpointing the e-mail subject lines that were deployed most often in phishing e-mails during 2018.

Here are the Top Ten, ranked in order of their usage:

  • #1. Apple: You recently requested a password reset for your Apple ID
  • #2. Employee Satisfaction Survey
  • #3. Sharepoint: You Have Received 2 New Fax Messages
  • #4. Your Support Ticket is Closing
  • #5. Docusign: You’ve received a Document for Signature
  • #6. ZipRecruiter: ZipRecruiter Account Suspended
  • #7. IT System Support
  • #8. Amazon: Your Order Summary
  • #9. Office 365: Suspicious Activity Report
  • #10. Squarespace: Account billing failure

Commenting on the results uncovered by the evaluation, Perry Carpenter, a strategy officer at KnowBe4, had this to say:

“Clicking [on] an e-mail is as much about human psychology as it is about accomplishing a task. The fact that we saw ‘password’ subject lines clicked … shows us that users are concerned about security. Likewise, users clicked on messages about company policies and deliveries … showing a general curiosity about issues that matter to them.”

Carpenter went on to note that KnowBe4’s findings should help corporate IT departments understand “how recipients think” before they click on phishing e-mails and the links within them.

How about you? Are there other e-mail subject lines beyond the ones listed above that you’ve encountered in your daily activities and that raise your suspicions? Please share your examples in the comment section below.

2 thoughts on “Bait for the phish: The subject lines that reel them in.”

  1. I’ve been lucky. I’m semi-retired/self-employed and frequently recognize fake “business” emails, but I don’t get many. They usually involve password or account problems I know I don’t have. I derive more satisfaction by reporting as spam every unwanted message from a politician!

    I only got tricked once into giving out my password, got suspicious and had the bank change it in time. It was on a new phone, and I was new to using cellphones.

    The scam I keep running into, though, is actually on a long-suffering AT&T land line, kept for almost sentimental reasons. Someone with an Indian accent calls regularly pretending to be Microsoft security. A threatening voice claiming to be from the IRS leaves unconvincing messages. And a female from “card services” is always trying to get into my credit account and warn me of my terrible credit rating (which actually is 810). It helps that one keeps life fairly simple and can untangle the spaghetti coming in one’s direction.

    There is no substitute for common sense … Trouble is, it’s not that common!

  2. Here’s one I received just today: subject “[Password_Expiration]” from “Microsoft Password”. I easily identified it as a phishing attack because the sender’s email address didn’t remotely resemble a Microsoft domain — a dead giveaway which reveals that most phishers are idiots to boot.

    What many people don’t realize is that, when you send an email message, you can use anything you want as the “from” (sender’s) email address – just as you can use any postal address (fake, or real) as the return address when sending a letter through the U.S. Postal Service.

    Phishers take advantage of this “feature” to frighten recipients into thinking they’ve been hacked when they receive an email from themselves. This tactic, known as “spoofing,” gives the attack more credibility than the usual run-of-the-mill attacks perpetrated by idiots, thereby improving the odds that victims will click on the dreaded link.

    If you receive an email like this, it’s easy to tell if it was spoofed. Simply look for the message in your “Sent Items” folder. If you were truly hacked, you’ll find it there because the sender used your credentials (i.e. your email address and password) to compose and send the message. Otherwise the message was spoofed.

    My suggestion: Whether you are the victim of a hack or a phishing attack, NEVER click that dreaded link! Instead, if you were hacked, change your password immediately. On the other hand, if the message was spoofed, simply delete it.
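As an added example (not code from the post, from KnowBe4 or from the commenter), the two observations on this page, that effective lures cluster around the password, delivery, IT, policy and vacation themes, and that a From display name claiming a brand says nothing about the domain the message really came from, can be turned into a small inbound-mail triage heuristic. The brand-to-domain mapping and the sample message are constructed for illustration; the sample is modelled on the “[Password_Expiration]” message described in the comment above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Lure themes distilled from the KnowBe4 2018 subject-line lists quoted in the post.
SUBJECT_THEMES = {
    "password": r"password|de-activation|account suspended|suspicious activity",
    "delivery": r"\b(order|delivery|label|receipt)\b",
    "it_department": r"\bit (system )?support\b|support ticket|fax message",
    "company_policy": r"policy|holiday schedule|survey",
    "vacation": r"vacation|sick time|holidays",
    "urgency": r"immediately|last reminder|closing|failure",
}

# Brands impersonated in those lists and the domains they legitimately send from (constructed mapping).
BRAND_DOMAINS = {
    "microsoft": ("microsoft.com", "office.com"),
    "apple": ("apple.com",),
    "amazon": ("amazon.com",),
}

def subject_themes(subject):
    """Return the lure themes a subject line hits, case-insensitively, in sorted order."""
    s = subject.lower()
    return sorted(name for name, pat in SUBJECT_THEMES.items() if re.search(pat, s))

def brand_mismatch(from_header):
    """Return the brand named in the From display name when the address domain is not that brand's."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    claimed = f"{name} {addr.split('@')[0]}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in claimed and not any(domain == d or domain.endswith("." + d) for d in domains):
            return brand
    return None

def triage(raw_message):
    """Score one raw RFC 822 message: lure themes, brand/domain mismatch and SPF failure."""
    msg = message_from_string(raw_message)
    themes = subject_themes(msg.get("Subject", ""))
    mismatch = brand_mismatch(msg.get("From", ""))
    spf_fail = bool(re.search(r"\bspf=(fail|softfail|none)\b", msg.get("Authentication-Results", "")))
    score = len(themes) + (2 if mismatch else 0) + (1 if spf_fail else 0)
    return {"themes": themes, "brand_mismatch": mismatch, "spf_fail": spf_fail, "score": score}

# Constructed sample message (headers only); the sending domain is a placeholder, not a real one.
SAMPLE = """From: "Microsoft Password" <alerts@mail-notify.example>
Subject: [Password_Expiration]
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-notify.example
"""
```

Calling `triage(SAMPLE)` scores the sample 4: one lure theme, a Microsoft display name on a non-Microsoft domain, and a failed SPF result; a real filter would feed such a score into quarantine or user-warning banners rather than act on it alone.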
