KnowBe4's latest reports on top-clicked phishing email subjects have been released for 2022 and Q4 2022. We analyze 'in the wild' attacks reported via our Phish Alert Button, top subjects globally clicked on in phishing tests, top attack vector types, and holiday email phishing subjects.
Business phishing emails have always been effective and continue to be successful because of their potential to affect a user’s workday and routine. The 2022 results reveal that 49% of email subjects are HR related, creating a sense of urgency in users to act quickly, sometimes before thinking logically and taking the time to question the email’s legitimacy. Cybercriminals constantly refine their strategies to outsmart end users and organizations by changing phishing email subjects to be more believable and attention-grabbing. This shift in phishing tactics over time is evident in the increasing trend of cybercriminals using business-related email subjects.
“Cybercriminals are smart and pay attention to what works and what does not when it comes to effective phishing emails,” said Stu Sjouwerman, CEO, KnowBe4. “This is why we see email subjects evolve and upgrade over time to keep up with end users and what they may be susceptible to. Phishing emails are a year-round threat and remain a challenge during the holiday season as well – holiday phishing emails are the one gift that no one wants to receive in their inbox. KnowBe4’s phishing test reports emphasize the importance of new-school security awareness training that educates users on the latest and most common cyber attacks and threats. A strong security culture and an educated workforce is an organization’s best defense to remain vigilant and stay safe online from cybercriminals and their attempted threats.”
Download a copy of both the 2022 and the Q4 2022 KnowBe4 Phishing Infographics.
Each quarter, we examine ‘in-the-wild’ email subject lines that show actual emails users received and reported to their IT departments as suspicious. In Q4 2022 we saw mostly IT and online service notifications that could potentially affect users' daily work:
We have seen a lot more business-related subjects coming from HR/IT/Managers in the past year. Others involve logins on new devices and password resets. These attacks are effective because they could potentially affect users' daily work and cause a person to react before thinking logically about the legitimacy of the email:
In 2022 we started tracking the top attack vector types used in KnowBe4 Phishing Security Tests. Unsurprisingly, the #1 vector we saw each quarter was phishing links in the email body. When these links are clicked they often lead to disastrous cyberattacks such as ransomware and business email compromise. Other top attack vectors are as follows:
In addition to our standard categories, we also examined the most-clicked holiday phishing email subjects in Q4 2022. Similar to general phishing email subjects, holiday phishing email subjects largely consist of emails from HR and IT. However, they are also tailored specifically to the holiday season by mentioning holiday parties, gifts, food and more:
*Capitalization and spelling are as they were in the phishing test subject line.
**Email subject lines are a combination of both simulated phishing templates created by KnowBe4 for clients, and custom tests designed by KnowBe4 customers.
See results from all previous quarters in our Top Clicked Phishing Email Subjects topic.