Urgent email subject lines can open your organization to phishing

Security researchers are always trying to stay one step ahead of cybercriminals, which is why KnowBe4, the company behind the world's largest security awareness training and simulated phishing platform, has revealed the results of its Q3 2019 top-clicked phishing report.

The report found that simulated phishing tests with an urgent message to check a password immediately were the most effective, with 43 percent of users falling for them.

When it comes to phishing, social media messages are another area of concern. KnowBe4 found that the top-clicked social media email subjects show that LinkedIn messages are the most popular at 48 percent, followed by Facebook at 37 percent.

The company also examined tens of thousands of email subject lines from simulated phishing tests as well as 'in-the-wild' email subject lines, which show actual emails users received and reported to their IT departments as suspicious.

According to the report, the top 10 most common 'in-the-wild' email subject lines in the third quarter of this year included: Skype: New Unread Voicemail Message, Transaction Refund, [[NAME]] shared a document with you, Microsoft Teams: Please authenticate your account, Bonus payments for selected employees, Cisco Webex: Your account is blocked, Amazon: Billing Address Mismatch, USPS: High Priority Package: Track it now!, Verizon: Security Update and Adobe Cloud: Shared a file with you on Adobe Cloud.

From these subject lines, it is clear that cybercriminals are using urgency to their advantage and are also imitating popular companies and brands in an effort to make sure their phishing emails are opened.

KnowBe4's CEO Stu Sjouwerman provided further insight on the report's findings, saying:

“As cybersecurity threats persist, more and more end users are becoming security minded. They have a vested interest in protecting their online lives, so a message that sounds urgent related to their password can entice someone to click. The bad guys are always looking for clever ways to trick end users, so they need to remain vigilant.”