This is the second year we've published quarterly results of the most-clicked phishing email subjects across a few categories. We separate the data into subjects related to social media and general emails, drawn from the millions of phishing tests our customers run per year. The third category, 'In The Wild', reflects common attacks we see as a result of millions of users clicking the Phish Alert Button on real phishing emails and sending the email to us for analysis.

It is important that even the most vigilant users stay up to date on current threats and the specific subjects the bad guys are trying. Understanding why particular subjects garner more clicks is also a great reminder to ALWAYS think before you click, and you can clearly see the hackers are always trying to use our psyche against us.

Last quarter's results were a mix of personal and company notifications, showing email continues to be an effective way to phish users.

Q1 2018 Top Clicked Phishing Email Subjects Infographic

Top 10 Most-Clicked General Email Subject Lines Globally for Q4 2018 include:

  1. A Delivery Attempt Was Made - 21%
  2. Change of Password Required Immediately - 20%
  3. W-2 - 13%
  4. Company Policy Update for Fraternization - 10%
  5. UPS Label Delivery 1ZBE3112TNY00015011 - 10%
  6. Revised Vacation and Time Policy - 8%
  7. Staff Review 2017 - 7%
  8. Urgent Press Release to All Staff - 5%
  9. Deactivation of (email) in Process - 4%
  10. Please Read: Important from HR - 2%

Most common ‘in-the-wild’ email subject lines:

  • IT DESK: Security Alert Reported on Campus
  • IT DESK: Campus Emergency Scare
  • IT DESK: Security Concern on Campus Earlier
  • Amazon: Billing Address Mismatch
  • Password Review
  • Urgent Security Event: Your account details were found online
  • Wells Fargo: New device detected
  • Microsoft: Updates to our terms of use
  • GasBuddy: Major car recall announced today
  • CNN: Facebook-Cambridge Analytica Apology Tour

*Capitalization and spelling are as they were in the phishing test subject line.
*In-the-wild email subject lines represent actual emails users received and reported to their IT department as suspicious. They are not simulated phishing test emails.

Can This Data Really Make My Users More Secure?

The short answer is yes. Based on this data, KnowBe4 customers can and should model phishing campaigns using templates related to these subjects to strengthen their human firewall. We recommend starting with 1- and 2-star level tests -- these are easier to spot -- and over a 12-month period increase the difficulty level to 4- and 5-star templates which are much harder to identify. 

You can even target specific groups, departments, and/or individuals with different phishing difficulty levels. That way, security leaders can phish users at a maturity level that is most likely to help each group – and it also allows for some gamification.

Phishing Emails Account for 98% of Social Engineering Attacks

This comes at a time when phishing emails continue to plague organizations. Just this month the U.S. State Department warned its staff against a “tidal wave” of malicious email meant to trick users into opening them. Verizon’s 2018 Data Breach Investigations Report, also issued this month, notes that phishing emails account for 98% of all social engineering related incidents and breaches. And while hackers have always used topical news stories to color their phish attempts, the rise in ‘in-the-wild’ emails related to campus security incidents highlights the emotional depths to which these bad actors will go to breach an organization.

Free Phishing Security Test

Did you know that 91% of successful data breaches started with a spear phishing attack?

Cyber-attacks are rapidly getting more sophisticated. We help you train your employees to better manage the urgent IT security problems of social engineering, spear phishing and ransomware attacks. Take the first step now. Find out what percentage of your employees are Phish-prone™ with our free test. Did you know that KnowBe4 also supports "Vishing" where you can actually send your users simulated voice mail attacks?


Article Courtesy of KnowBe4
Written By: Stu Sjouwerman