KnowBe4 Releases Q1 2018 Top-Clicked Phishing Report; Shows Bad Actors Preying on School-Related Security Incidents

KnowBe4, the world’s largest popular security awareness training and simulated phishing platform, today shared its Top 10 Global Phishing Email Subject Lines for Q1 2018. The results are compiled from analyzing data of KnowBe4 users. While the results show that users, when delivered a simulated phishing test, still continue to open messages with a mix of subject lines related to personal and company notifications, KnowBe4 found an alarming trend with ‘in-the-wild’ emails. These messages, which are based on actual messages users received and reported to their IT departments, show that the top three subject lines relate to security concerns on school campuses.

This comes at a time when phishing emails continue to plague organisations. Just this month the U.S. State Department warned its staff against a “tidal wave” of malicious email meant to trick users into opening them. Verizon’s 2018 Data Breach Investigations Report, also issued this month, notes that phishing emails account for 98% of all social engineering related incidents and breaches. And while hackers have always used topical news stories to color their phish attempts, the rise in ‘in-the-wild’ emails related to campus security incidents highlights the emotional depths to which these bad actors will go to breach an organisation.

“Hackers do what works – and what works is manipulating a human’s psyche to make them feel curious, important or, sadly, scared. As technical controls continue to improve at thwarting automated attacks, hackers are upping their sophistication at bypassing technical controls through the use of social engineering,” said Perry Carpenter, chief evangelist and strategy officer at KnowBe4.

KnowBe4 understands that humans are the attack surface of choice for cybercriminals. The company examined tens of thousands of email subject lines from simulated phishing tests to uncover just what makes a user want to click. They also examined ‘in-the-wild’ email subject lines that show actual emails users received and reported to their IT department as suspicious.

The Top 10 Most-Clicked General Email Subject Lines Globally for Q1 2018 include:

  1. A Delivery Attempt Was Made - 21%
  2. Change of Password Required Immediately - 20%
  3. W-2 - 13%
  4. Company Policy Update for Fraternisation - 10%
  5. UPS Label Delivery 1ZBE3112TNY00015011 - 10%
  6. Revised Vacation and Time Policy - 8%
  7. Staff Review 2017 - 7%
  8. Urgent Press Release to All Staff - 5%
  9. Deactivation of (email) in Process - 4%
  10. Please Read: Important from HR - 2%

*Capitalisation and spelling are as they were in the phishing test subject line
*Email subject lines are a combination of both simulated phishing templates created by KnowBe4 for clients, and custom tests designed by KnowBe4 customers

When investigating ‘in-the-wild’ email subject lines, KnowBe4 found the more common included: 

  • IT DESK: Security Alert Reported on Campus
  • IT DESK: Campus Emergency Scare
  • IT DESK: Security Concern on Campus Earlier
  • Amazon: Billing Address Mismatch
  • Password Review
  • Urgent Security Event: Your account details were found online
  • Wells Fargo: New device detected
  • Microsoft: Updates to our terms of use
  • GasBuddy: Major car recall announced today
  • CNN: Facebook-Cambridge Analytica Apology Tour

*Capitalisation and spelling are as they were in the phishing test subject line
*In-the-wild email subject lines represent actual emails users received and reported to their IT department as suspicious. They are not simulated phishing test emails.

Carpenter continued, “Again, as the addition of Facebook-Cambridge Analytica shows, we see news stories influencing the social engineering emails that hackers send. Cybercriminals expect that users will always be eager to correct a wrong address or to ensure that their bank accounts aren’t being breached. What’s not expected is a user population that has been properly trained to identify suspicious emails, no matter how well-disguised or emotionally charged they are. People are the last line of defence and it continues to be more and more important that organisations take this position seriously by, first and foremost, ensuring their users are properly trained.”

Businesses that are not already working with KnowBe4 to train their workforce into an effective last line of defence can utilise a number of free tools at www.knowbe4.com to test their users and their network.
