Business and HR-related messages topped the list
Business phishing emails were the highest-clicked category globally in the first quarter of this year. Typical subject lines referred to invoices, purchase orders, requests for information, shared files, IT notifications and the like. (Note that HR-themed messages can be especially tricky: they often spoof the user’s own domain and use a fake “HR” mailbox name, so the sender address looks internal at a glance.) Other fraudulent business-related messages appear to come from popular online services; these typically spoof the service’s domain and often its look and feel as well. What most of these messages have in common is that they convey urgency and lure the end user into taking some action.
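The two patterns above (a fake “HR” or “IT” mailbox on the organisation’s own domain, and a lookalike domain dressed up as an internal department) are exactly what a mail-gateway rule can catch before the subject line ever tempts anyone. The following is an added example written for this page, not code from KnowBe4 or from the report it summarises. It assumes the organisation’s domain is `example.com`, that the inbound MX stamps an `Authentication-Results` header, and that the three sample messages (constructed here, not real phishing) are representative; the role list and confusable-character map are illustrative assumptions.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Assumptions (not from the original post): the organisation's own domain and
# the role names a phisher is likely to impersonate in the display name or subject.
ORG_DOMAIN = "example.com"
ROLE_PATTERN = re.compile(r"\b(hr|it|payroll|helpdesk)\b", re.IGNORECASE)

# Characters attackers commonly substitute to build lookalike domains (illustrative map).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

# Constructed sample messages (headers only); these are not real phishing emails.
SPOOFED_INTERNAL = """\
From: "HR Department" <hr@example.com>
To: alice@example.com
Subject: HR: Vacation Policy Update
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Please review the attached policy.
"""

LOOKALIKE_EXTERNAL = """\
From: "IT Support" <it-support@examp1e.com>
To: alice@example.com
Subject: IT: End of Year Password Policy
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com

Reset your password here.
"""

GENUINE_INTERNAL = """\
From: "HR Department" <hr@example.com>
To: alice@example.com
Subject: HR: Code of Conduct
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Annual acknowledgement is due Friday.
"""


def parse_auth_results(value):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header.

    Only trust this header when it was stamped by your own inbound MX (the
    authserv-id, 'mx.example.com' here); strip any copy that arrives from outside.
    """
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value or "", re.IGNORECASE)}


def assess(raw_message):
    """Return a dict describing why a message does or does not look like role spoofing."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    from_domain = address.rpartition("@")[2].lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    subject = str(msg.get("Subject", ""))

    reasons = []
    claims_role = bool(ROLE_PATTERN.search(display_name + " " + subject))

    if claims_role and from_domain == ORG_DOMAIN and auth.get("dmarc") != "pass":
        # Looks internal (HR/IT on our own domain) but our MX could not authenticate it:
        # the "spoof the user's domain with a fake HR mailbox" pattern.
        reasons.append("internal role on own domain but DMARC did not pass")

    if claims_role and from_domain != ORG_DOMAIN:
        reasons.append("internal role claimed from external domain %s" % from_domain)
        if from_domain.translate(CONFUSABLES) == ORG_DOMAIN:
            reasons.append("sender domain is a lookalike of %s" % ORG_DOMAIN)

    return {
        "from_domain": from_domain,
        "auth": auth,
        "claims_role": claims_role,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    for name, sample in [("spoofed internal", SPOOFED_INTERNAL),
                         ("lookalike external", LOOKALIKE_EXTERNAL),
                         ("genuine internal", GENUINE_INTERNAL)]:
        verdict = assess(sample)
        print(name, "->", "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

The check deliberately keys on DMARC rather than on the visible address alone: a message whose From header shows your own domain is only trustworthy if your own MX verified it, and a passing DMARC result on a lookalike domain proves nothing about who owns that lookalike.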
Top subject lines clicked in the U.S.
Here are the top 5 phishing subject lines that found potential victims inside the United States:
- HR: New requirements tracking Covid vaccinations
- Password Check Required Immediately
- HR: Vacation Policy Update
- HR: Important: Dress Code Changes
- Acknowledge Your Appraisal
Top subject lines clicked outside the U.S.
Here are the top 5 that worked globally:
- Authorize Pending Transaction on your Wallet
- HR: Registration for COVID-19 Study
- IT: End of Year Password Policy
- HR: Code of Conduct
- Your Benefit Account Has Been Updated
Holiday-related messages also brought clicks
KnowBe4 also found that holiday-themed emails tempted employees to click. Messages about shortened workdays or days off around a holiday generate a curiosity that is just too hard for some to resist, and messages claiming the user has received a gift plainly prey on emotion. Those emotional triggers lead people to click a malicious link, and one click can be enough to put the entire organization at risk.
Here are some of the top holiday-related subject lines that were clicked on:
- HR: Change in Holiday Schedule
- Someone special sent you a Valentine’s Day ecard!
- St. Patrick’s Day: Employee Behavior/Company Policies
- Our Valentine’s Day Gift To You
- Starbucks: Happy Holidays! Have a drink on us.
Phishing “in the wild”
Finally, the report includes the top subject lines that were NOT part of any training or testing software. These are called “in the wild” threats for that reason: they are real phishing messages sent by attackers to real users. Fortunately, the users who received these were well trained and reported them to their IT departments as suspicious.
- IT: Software Update
- Google Forms: Your Voice Engagement Survey
- Zoom: You missed a Zoom meeting
- Project Notice
- Dropbox: Updates about your account
Other subject areas of concern
Beyond what we’ve already discussed above, a few other areas are popular with scammers:
- Coronavirus/COVID-19 Phishing
- Banking and Finance
- Phishing For Sensitive Information
- Mail Notifications
- Social Networking
- Current Events
The moral of the story: users need to be trained to be suspicious of any message that triggers an emotional response, whether urgency, curiosity or fear. They should also verify any request for sensitive information (financial or otherwise) with the person, department or company the message claims to be from, using a known-good channel such as a phone number or address they already have rather than replying to the message, before clicking any link or taking any other action. KnowBe4’s full infographic is available from them; feel free to print it out or pass it on to your staff.