Top Phishing Subject Lines Revealed

Written by Jackie Bilodeau

I am the Communications Director for CGNET, having worked for CGNET off-and-on since the early 1990's. I enjoy hiking, music, dance, photography, writing and travel. Read more about my work at CGNET here.

April 27, 2022

Each quarter, our partners at KnowBe4 report on the phishing subject lines that were clicked most often in the simulated phishing emails they deploy for security awareness training. From those results they share which fraudulent subject lines generated the most interaction with unsuspecting employees, both inside and outside the United States. This information is useful to have when providing cybersecurity awareness training to your own staff.

Business and HR-related messages topped the list

Business phishing emails were the most-clicked category globally in the first quarter of this year. Subject lines concerned invoices, purchase orders, requests for information, shared files, IT notifications and so on. (Note that HR-themed messages can be especially tricky because they often spoof the user's own domain and use a fake "HR" mailbox name, so at a glance the sender looks internal.) Other fraudulent business-related messages appear to come from popular online services; typically these spoof the domains, and often the "look", of well-known websites. What most of these messages have in common is that they convey urgency and lure the end user into taking some action.
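The traits described above (a fake "HR" or "IT" mailbox name, a From address that claims the recipient's own domain but was not sent by it, and an urgency-laden subject) can be turned into a simple mail-triage check. The following is an added example written for this post, not code from the original article or from KnowBe4. The organization domain `example.org`, the department and urgency keyword lists, and the three sample messages are constructed assumptions for illustration; the authentication verdicts are read from the `Authentication-Results` header that a receiving mail gateway normally adds.

```python
"""Added example (not from the original post or KnowBe4): flag inbound mail
that shows the HR/IT impersonation traits described in the article.

Assumptions (constructed for illustration):
  - OUR_DOMAIN is the organisation's own mail domain.
  - The gateway stamps an Authentication-Results header with spf=/dkim=/dmarc=.
  - The keyword lists are a small starting set, not a complete detection rule.
"""
import email
import re
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.org"  # assumption: the organisation's own domain

# Mailbox / display names phishers borrow to look like an internal department
IMPERSONATED_DEPTS = ("hr", "human resources", "it", "it support",
                      "helpdesk", "payroll")
# Urgency triggers drawn from the subject lines quoted in the article
URGENCY_WORDS = ("immediately", "required", "important", "pending",
                 "authorize", "password", "acknowledge", "updated")


def auth_results(msg):
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def triage(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = str(msg.get("Subject", ""))
    auth = auth_results(msg)
    findings = []

    # Claims to be from our own domain but did not pass DMARC: spoofed sender
    spoofed = domain == OUR_DOMAIN and auth.get("dmarc") != "pass"
    if spoofed:
        findings.append(f"From domain {domain} fails authentication: {auth}")
    # Lookalike: our domain's label embedded in some other domain
    elif domain != OUR_DOMAIN and OUR_DOMAIN.split(".")[0] in domain:
        findings.append(f"lookalike sender domain: {domain}")

    # A department-style display name is only suspicious when the message is
    # not genuinely ours (spoofed or external); real internal HR mail passes.
    dept = name.strip().lower().rstrip(":")
    if dept in IMPERSONATED_DEPTS and (spoofed or domain != OUR_DOMAIN):
        findings.append(f"display name impersonates internal department: {name!r}")

    # "HR:" / "IT:" subject prefix or urgency wording
    if re.match(r"^\s*(HR|IT)\s*:", subject, re.I) or \
            any(w in subject.lower() for w in URGENCY_WORDS):
        findings.append(f"urgency/department-prefixed subject: {subject!r}")
    return findings


# Constructed sample messages (not real captures)
SPOOFED_HR = """From: HR <hr@example.org>
To: alice@example.org
Subject: HR: Important: Dress Code Changes
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.org; dkim=none; dmarc=fail header.from=example.org

Please review the updated policy at the link below.
"""

LEGIT_HR = """From: Human Resources <hr@example.org>
To: alice@example.org
Subject: Q2 team offsite dates
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org

Hi all, the dates are confirmed.
"""

LOOKALIKE_IT = """From: IT Support <it@example-org.com>
To: alice@example.org
Subject: IT: End of Year Password Policy
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example-org.com; dkim=pass header.d=example-org.com; dmarc=pass header.from=example-org.com

Your password must be reset today.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed HR", SPOOFED_HR), ("legit HR", LEGIT_HR),
                       ("lookalike IT", LOOKALIKE_IT)):
        print(label, "->", triage(raw) or ["no findings"])
```

Note that the lookalike sender authenticates perfectly (SPF, DKIM and DMARC all pass for `example-org.com`), which is exactly why authentication results alone are not enough and the display-name and subject checks matter; conversely, genuine internal HR mail that passes DMARC produces no findings even though its display name is "Human Resources".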

Top subject lines clicked in the U.S.

Here are the top 5 phishing subject lines that found potential victims inside the United States:

  1. HR: New requirements tracking Covid vaccinations
  2. Password Check Required Immediately
  3. HR: Vacation Policy Update
  4. HR: Important: Dress Code Changes
  5. Acknowledge Your Appraisal

Top subject lines clicked outside the U.S.

And, here are the top 5 that worked globally:

  1. Authorize Pending Transaction on your Wallet
  2. HR: Registration for COVID-19 Study
  3. IT: End of Year Password Policy
  4. HR: Code of Conduct
  5. Your Benefit Account Has Been Updated

Holiday-related messages also brought clicks

They also found that holiday-themed emails tempted employees to click. For example, messages about shortened workdays or days off around holidays generate a curiosity that is just too hard for some to resist. And of course, messages claiming that the user has received a gift clearly prey on their emotions. These emotional triggers often lead to a click on a malicious link that could ultimately jeopardize the entire organization.

Here are some of the top holiday-related subject lines that were clicked on:

  1. HR: Change in Holiday Schedule
  2. Someone special sent you a Valentine’s Day ecard!
  3. St. Patrick’s Day: Employee Behavior/Company Policies
  4. Our Valentine’s Day Gift To You
  5. Starbucks: Happy Holidays! Have a drink on us.

Phishing “in the wild”

Finally, the report includes the top subject lines that are NOT part of any training and testing software. These are called "in the wild" threats for that reason: they are phishing emails actually circulating in the real world, sent maliciously to users for illicit gain. Fortunately, these particular users were well trained and reported them to their IT departments as suspicious.

  • IT: Software Update
  • Google Forms: Your Voice Engagement Survey
  • Zoom: You missed a Zoom meeting
  • Project Notice
  • Dropbox: Updates about your account

Other subject areas of concern

Beyond what we’ve already discussed above, a few other areas are popular with scammers:

  • Coronavirus/COVID-19 Phishing
  • Banking and Finance
  • Phishing For Sensitive Information
  • Mail Notifications
  • Social Networking
  • Current Events

The moral of the story: users need to be trained to be suspicious of any message that triggers an emotional response. They should also verify any request for sensitive information (financial or otherwise) with the actual person, department or company purported to be the sender, using a channel other than the email itself, before clicking any links or taking any other action. If you'd like to see KnowBe4's full infographic, click here. Feel free to print it out or pass it on to your staff.
