Bait for the phish: The subject lines that reel them in.

To those of us who work in the MarComm field – or in business generally – it may seem odd that so many people get suckered into opening e-mails that deliver malware or otherwise wreak havoc on their devices.

But as it turns out, the phishing masters have become quite adept at crafting e-mail subject lines and content that successfully ensnare even the most alert recipients.

In fact, phishers exploit our concerns about security itself, sending messages that play on those very fears.

To study this effect, cybersecurity firm KnowBe4 conducted an analysis of the most clicked-on phishing subject lines of 2018. Its evaluation was two-pronged – charting actual phishing e-mails received by KnowBe4 clients and reported by their IT departments as suspicious, as well as conducting simulated phishing tests to monitor recipient behavior.

What KnowBe4 found was that the most effective phishing e-mail subject lines generally fall into five topic categories:

  • Passwords
  • Deliveries
  • IT department
  • Company policies
  • Vacation

More specifically, the ten most clicked-on subject lines during 2018, in order of rank, were these:

  • #1. Password Check Required Immediately / Change of Password Required Immediately
  • #2. Your Order with Amazon.com / Your Amazon Order Receipt
  • #3. Announcement: Change in Holiday Schedule
  • #4. Happy Holidays! Have a drink on us
  • #5. Problem with Bank Account
  • #6. De-activation of [recipient’s e-mail address] in Process
  • #7. Wire Department
  • #8. Revised Vacation & Sick Time Policy
  • #9. Last reminder: please respond immediately
  • #10. UPS Label Delivery 1ZBE312TNY00015011

Notice that nearly all of them pertain to topics that seem important, timely and in need of the recipient's attention.
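One practical use of lists like the two above is to turn them into a coarse triage rule at the mail gateway or in a SOC playbook: score incoming subject lines on the topic categories KnowBe4 identified, on urgency phrasing, on brand-name impersonation, and on carrier-style tracking tokens. The following is an added example written for this post; it is not code from KnowBe4 or from the original article, and the cue words, the brand list, the "1Z" tracking-number pattern and the score weights are my own assumptions chosen to fit the subject lines quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Topic categories from KnowBe4's 2018 analysis. The cue words under each
# category are an assumption for this example, not KnowBe4's rule set.
CATEGORY_CUES: Dict[str, Tuple[str, ...]] = {
    "passwords": ("password", "passcode", "credential", "reset"),
    "deliveries": ("delivery", "shipment", "package", "order", "label", "ups", "fedex"),
    "it department": ("it system", "it support", "support ticket",
                      "de-activation", "deactivation", "account suspended"),
    "company policies": ("policy", "policies", "announcement", "holiday schedule", "survey"),
    "vacation": ("vacation", "sick time", "holiday"),
}

# Urgency phrasing that pushes a recipient to act before thinking (assumed list).
URGENCY_CUES = ("immediately", "required", "last reminder", "in process", "suspended",
                "problem with", "closing", "failure", "suspicious activity")

# Brands named in the subject lines quoted in the post (assumed list).
BRANDS = ("apple", "amazon", "sharepoint", "docusign", "ziprecruiter",
          "office 365", "squarespace", "ups")

# Carrier-style tracking token such as a UPS "1Z..." number (assumed pattern).
TRACKING_RE = re.compile(r"\b1Z[0-9A-Z]{16}\b")


def normalize(subject: str) -> str:
    """Lower-case, strip stacked Re:/Fw:/Fwd: prefixes, collapse whitespace."""
    s = subject.strip()
    s = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", s, flags=re.I)
    return re.sub(r"\s+", " ", s).lower()


def has_cue(text: str, cue: str) -> bool:
    """Whole-word match, allowing a plural 's' so 'holidays' matches 'holiday'."""
    return re.search(r"\b" + re.escape(cue) + r"s?\b", text) is not None


@dataclass
class Verdict:
    subject: str
    categories: List[str] = field(default_factory=list)
    urgent: bool = False
    brand: Optional[str] = None
    tracking: bool = False
    score: int = 0


def triage(subject: str) -> Verdict:
    """Score a subject line; higher means it looks more like the 2018 top-clicked lures."""
    norm = normalize(subject)
    v = Verdict(subject)
    v.categories = [c for c, cues in CATEGORY_CUES.items() if any(has_cue(norm, k) for k in cues)]
    v.urgent = any(has_cue(norm, u) for u in URGENCY_CUES)
    v.brand = next((b for b in BRANDS if has_cue(norm, b)), None)
    v.tracking = TRACKING_RE.search(subject) is not None
    # Weights are assumptions: urgency is the strongest single signal in the lists above.
    v.score = (2 * len(v.categories) + (3 if v.urgent else 0)
               + (2 if v.brand else 0) + (2 if v.tracking else 0))
    return v


def is_suspicious(subject: str, threshold: int = 4) -> bool:
    """Assumed threshold: flag for review rather than auto-quarantine."""
    return triage(subject).score >= threshold


if __name__ == "__main__":
    # Subject lines taken from the post, plus a constructed reply-prefixed one.
    for s in ("Password Check Required Immediately",
              "UPS Label Delivery 1ZBE312TNY00015011",
              "Re: Happy Holidays! Have a drink on us"):
        print(triage(s))
```

The third sample ("Happy Holidays! Have a drink on us") scores low because it carries no urgency cue, brand or tracking token; that is the caveat with any keyword rule built from lists like these. Treat the score as a review signal to combine with sender reputation, link analysis and user reporting, not as a verdict on its own.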

Another way that KnowBe4 analyzed the situation was by pinpointing the e-mail subject lines that were deployed most often in phishing e-mails during 2018.

Here are the Top Ten, ranked in order of their usage:

  • #1. Apple: You recently requested a password reset for your Apple ID
  • #2. Employee Satisfaction Survey
  • #3. Sharepoint: You Have Received 2 New Fax Messages
  • #4. Your Support Ticket is Closing
  • #5. Docusign: You’ve received a Document for Signature
  • #6. ZipRecruiter: ZipRecruiter Account Suspended
  • #7. IT System Support
  • #8. Amazon: Your Order Summary
  • #9. Office 365: Suspicious Activity Report
  • #10. Squarespace: Account billing failure

Commenting on the results uncovered by the evaluation, Perry Carpenter, a strategy officer at KnowBe4, had this to say:

“Clicking [on] an e-mail is as much about human psychology as it is about accomplishing a task. The fact that we saw ‘password’ subject lines clicked … shows us that users are concerned about security. Likewise, users clicked on messages about company policies and deliveries … showing a general curiosity about issues that matter to them.”

Carpenter went on to note that KnowBe4’s findings should help corporate IT departments understand “how recipients think” before they click on phishing e-mails and the links within them.

How about you? Are there other e-mail subject lines beyond the ones listed above that you’ve encountered in your daily activities and that raise your suspicions? Please share your examples in the comment section below.

The Ad Fraud Gravy Train Keeps Chugging Along — No Matter What …

Ad fraud is quite a large issue for online advertisers – and it’s been on many companies’ radar screens for a long time.

But even with the higher visibility and greater scrutiny of online ad fraud, it seems to be a problem that only gets bigger.

The most recent example of the phenomenon came to light a few weeks ago, when ad fraud prevention consulting firm Pixalate announced that a newly discovered botnet has been draining literally billions of dollars from advertisers’ MarComm coffers.

The botnet is dubbed Xindi – the same name as the hostile aliens in the Star Trek sci-fi TV series.

Xindi makes money for its creators by serving real ads – but to simulated audiences. It has spread via familiar methods such as phishing.

Pixalate estimates that just shy of 78 billion fake ad impressions have been racked up so far. Even at low cost-per-impression rates, that volume adds up to several billion dollars of illicit revenue siphoned off (and counting).

What makes the Xindi botnet particularly nettlesome is that it’s designed to go after computers and networks at high-end organizations, enabling it to “mimic” desirable web traffic (i.e., that of affluent consumers).

According to Pixalate, there could already be as many as 8 million compromised computers in more than 5,000 networks, including a goodly number of Fortune 500 companies as well as university and governmental networks.

Such desirable locations and ad audiences translate into lucrative online ad pricing (CPMs of $200 or more).

In effect, advertisers are paying high prices … for nothing.

To counteract Xindi, Pixalate recommends that the Interactive Advertising Bureau (IAB) update its protocols to factor in the pace of ad requests, so that impressions reported after a set time window following the ad request would not be accepted as valid — and hence would be non-billable.
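To make the recommendation concrete, here is an added example of the two checks it implies, written for this post and not taken from Pixalate, the IAB or any ad-exchange protocol: an impression is rejected if it is reported too long after (or before) the ad request it claims to fulfil, and a client whose request pace exceeds a ceiling within a sliding window has all of its impressions set aside as machine-driven. The 30-second delay limit, the 60-second pace window, the 20-request ceiling, the record fields and the sample traffic are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed thresholds; a real exchange would tune these per inventory type.
MAX_IMPRESSION_DELAY = 30.0   # seconds between ad request and reported impression
PACE_WINDOW = 60.0            # sliding window for counting requests per client
MAX_REQUESTS_PER_WINDOW = 20  # more than this in one window looks automated


@dataclass
class AdRequest:
    request_id: str
    client: str   # e.g. a source IP or device id (assumed field)
    ts: float     # Unix time of the request


@dataclass
class Impression:
    request_id: str
    ts: float     # Unix time the impression was reported


def stale_impressions(requests: List[AdRequest], impressions: List[Impression]) -> List[str]:
    """Request ids whose impression is missing a request, precedes it, or arrives too late."""
    by_id = {r.request_id: r for r in requests}
    bad = []
    for imp in impressions:
        req = by_id.get(imp.request_id)
        if req is None or imp.ts < req.ts or imp.ts - req.ts > MAX_IMPRESSION_DELAY:
            bad.append(imp.request_id)
    return bad


def paced_clients(requests: List[AdRequest]) -> Dict[str, int]:
    """Clients whose peak request count in any PACE_WINDOW exceeds the ceiling, with that peak."""
    by_client: Dict[str, List[float]] = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.ts):
        by_client[r.client].append(r.ts)
    flagged: Dict[str, int] = {}
    for client, stamps in by_client.items():
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # slide the window start forward until it fits inside PACE_WINDOW
            while t - stamps[start] > PACE_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > MAX_REQUESTS_PER_WINDOW:
            flagged[client] = peak
    return flagged


def billable(requests: List[AdRequest], impressions: List[Impression]) -> List[str]:
    """Impressions that survive both checks, in the order they were reported."""
    stale = set(stale_impressions(requests, impressions))
    bots = set(paced_clients(requests))
    by_id = {r.request_id: r for r in requests}
    return [i.request_id for i in impressions
            if i.request_id not in stale and by_id[i.request_id].client not in bots]


def sample_data() -> Tuple[List[AdRequest], List[Impression]]:
    """Constructed traffic: one human-like client, one bot-like client, one stale report."""
    reqs = [AdRequest("r1", "host-a", 0.0), AdRequest("r2", "host-a", 5.0),
            AdRequest("r3", "host-a", 10.0)]
    imps = [Impression("r1", 1.0), Impression("r2", 6.0),
            Impression("r3", 55.0),        # 45 s after its request: stale
            Impression("r-ghost", 70.0)]   # no matching request at all
    # 25 requests from host-b inside 48 seconds, each "viewed" half a second later
    for i in range(25):
        reqs.append(AdRequest(f"b{i}", "host-b", 100.0 + 2 * i))
        imps.append(Impression(f"b{i}", 100.5 + 2 * i))
    return reqs, imps


def run_example() -> List[str]:
    reqs, imps = sample_data()
    return billable(reqs, imps)


if __name__ == "__main__":
    reqs, imps = sample_data()
    print("stale:", stale_impressions(reqs, imps))
    print("paced clients:", paced_clients(reqs))
    print("billable:", run_example())
```

The pace check deliberately works per client rather than globally, since a botnet's whole point is to spread load across many compromised hosts; an attacker who keeps each host under the ceiling will still pass it, which is why the delay check and audience-quality signals are needed alongside it.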

Whether this or other remedies will actually happen is up in the air at the moment (the IAB isn’t onboard with the recommendations).

Either way, what seems clear is that whatever remedial actions are taken, burgeoning ad fraud activity is bound to continue.

The question is, can it ever be contained, or will it just continue to grow and grow? If you have any thoughts or ideas on the challenge, please share them with other readers.