Every quarter, our partners at KnowBe4 report on the most-clicked phishing email subject lines. They look at what they call “in the wild” attacks, which are those real phishing attempts reported by users via their Phish Alert Button. They also share their own data from the phish training messages they’ve deployed so far this year. Additionally, as holiday phishing scams occur regularly throughout a given year, they provide specifics on the holiday-related subject lines most clicked on in the first quarter of 2023. (Often the subject line remains generally the same, with just the holiday name switched out to be both seasonally and sometimes geographically appropriate.) Let’s take a look at what they found.

Business-related messages at the top…again!

A trend throughout the years has been that phishing messages with a subject line pertaining to something work-related get clicked the most. (Which makes sense, since the data revolves around our work email behavior.) For example, who is not going to at least take a look at a message which seems to be from the HR department and is about a new vacation policy?  (These can be especially tricky because they often spoof the user’s domain and use a fake “HR” mailbox name.)  Or a seemingly urgent message about a password problem, which often spoofs the domain and the “look” of a popular website?

Here’s what tops their list:

• HR: Vacation Policy Update
• Password Check Required Immediately
• HR: Important: Dress Code Changes
• Adobe Sign: Your Performance Review
• HR: Please update W4 for file
• IT: Internet Report
• Acknowledge Your Appraisal
• Employee Expense Reimbursement for [[email]]
• Please review the W-9 Agreement Documents
• Recent Activity Report

Danger “in the wild”

KnowBe4 also shared their data on the top subject lines clicked on that are NOT part of their training and testing software. These are subject lines from actual messages sent out in the real world by scam artists. Fortunately, the reason KnowBe4 is aware of these messages is because they were reported to IT departments as suspicious by well-trained employees:

• Please review updated financial policies
• Zoom: The meeting has started! Where are you?
• IT: Laptop Refresh
• Meta: Suspicious Activity
• Sharepoint: [[manager_name]] shared “Test_Data” with you
• Microsoft: Microsoft’s new password requirements
• HR: Please verify your banking information
• DocuSign: DocuSign Account Suspension Notice
• Webmail: Security alert for [[email]]
• Refund has been processed to your account

Some holiday spoilers

KnowBe4 pays special attention to holiday-related phishing messages, as these appear year-round and can be very tempting for employees to ignore. And really, who can blame them?  Messages that might be about shortened workdays surrounding a holiday, or a free gift from a well-known business are pretty tough to resist opening…and maybe clicking on a (dangerous) link for more information.

Here are some from the past few months:

• HR: Change in Holiday Schedule
• New Year Gift Card
• Happy St. Patrick’s Day
• Happy New Year!
• Massage Green SPA: Win Free Massage for Valentine’s Day!

Dishonorable mention

Finally, they share a few other popular subject genres that hackers use to lure in their victims:

• Tax-related issues (particularly in the U.S.)
• Login on New Device notifications
• Password Reset notifications

Don’t get triggered!

The method to the cyber-thief’s madness is to elicit either an emotional response (e.g., fear: “Oh no!” or excitement: “How cool!”) or some other reaction based on urgency. This can cause the reader to unwittingly click on a malicious link or open an unsafe attachment without thinking it through.  Many of the subject lines that showed up in KnowBe4’s lists do just that.  But with appropriate cybersecurity training, employees can be taught to be wary and suspicious, and to report these types of messages to their IT department before opening them.