KnowBe4's latest quarterly report on top-clicked phishing email subjects is here. We analyze 'in the wild' attacks reported via our Phish Alert Button, top subjects globally clicked on in phishing tests, and top attack vector types.
Top Phishing Emails Seen "In the Wild" are Mostly Business-Related
Business phishing emails are the most clicked subject category globally. They are particularly effective because, left unanswered, they could affect the user's daily work, which entices employees to react quickly before thinking through the email's legitimacy. The true sender may be hidden behind a spoofed domain, and the message body may carry the company name and logo (sometimes even the employee's name), making the spoof even easier to miss.
Emails from Human Resources are Likely to be Clicked
Last quarter, half of the phishing tests that were clicked on had subject lines related to Human Resources, including vacation policy updates, upcoming performance reviews, and a notice of an expense reimbursement.
By now most people know that if they receive a text message confirming an $1800 order they never placed, or telling them they’ve just won a new grill, they shouldn’t click on it. But what if it’s from their HR Department about an upcoming performance review? Or, what if the attachment is a draft of a Strategic Plan that mentions their name?
“We already know that more than 80% of company data breaches globally come from human error,” said Stu Sjouwerman, KnowBe4’s CEO. “New-school security awareness training for your staff is one of the least costly and most effective methods to thwart social engineering attacks. Training gives employees the ability to rapidly recognize a suspicious email, even if it appears to come from an internal source, causing them to pause before clicking. That moment where they stop and question the email is a critical and often overlooked element of security culture that could significantly reduce your risk surface.”
Top Attack Vectors are Phishing Links and Spoofed Domains
Almost every email subject we examined contained a phishing link. When clicked, these links are the entry point for attacks such as credential theft, ransomware and business email compromise. Spoofed domains make the message appear to originate from within the user's own organization, which lends it both legitimacy and a sense of urgency.
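One way a mail gateway or SOC triage script can surface the "spoofs domain" vector described above is to compare the visible From header against the sender-authentication verdicts the gateway already records. The following is an added example, not KnowBe4's code or part of the original report; the organization domain `example.com`, the sample messages and the lookalike heuristic are all constructed for illustration.

```python
"""Flag mail that claims to come from the organization's own domain but did
not pass sender authentication. Added example, not KnowBe4's code.
ORG_DOMAIN and the SAMPLES below are constructed for illustration."""
import email
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"            # assumed: the organization's mail domain
ORG_LABEL = ORG_DOMAIN.split(".")[0]  # "example", used by the lookalike heuristic

# spf=pass / dkim=fail / dmarc=none tokens inside an Authentication-Results header
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)


def sender(msg):
    """Return (display_name, address_domain) taken from the visible From header.
    The display name is quoted in the samples; parseaddr mis-parses an unquoted
    'user@domain' display name as the address itself, so do not rely on it for
    that case."""
    name, addr = parseaddr(msg.get("From", ""))
    return name, addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header.
    Assumes the organization's own gateway stamps these and strips any that
    arrived from outside (otherwise an attacker can supply their own)."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(hdr):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def classify(raw_message):
    """Classify a raw RFC 5322 message by how its sender relates to ORG_DOMAIN."""
    msg = email.message_from_string(raw_message)
    name, dom = sender(msg)
    auth = auth_results(msg)
    if dom == ORG_DOMAIN:
        # Claims to be internal: accept only if DMARC alignment passed.
        return "internal" if auth.get("dmarc") == "pass" else "spoofed-internal"
    if ORG_DOMAIN in name.lower():
        # Display name such as "hr@example.com" in front of an external address.
        return "display-name-spoof"
    if ORG_LABEL in dom:
        # Heuristic only: lookalike such as example-hr.com or example.com.evil.test.
        return "lookalike"
    return "external"


# Constructed sample messages (not real traffic).
SAMPLES = {
    "spoofed": (
        "From: HR Department <hr@example.com>\n"
        "To: alice@example.com\n"
        "Subject: HR: Your performance evaluation is due\n"
        "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk.attacker.test;\n"
        " dkim=none; dmarc=fail header.from=example.com\n"
        "\n"
        "Your evaluation is overdue. Complete it here: http://example-hr.com/review\n"
    ),
    "legitimate": (
        "From: HR Department <hr@example.com>\n"
        "To: alice@example.com\n"
        "Subject: HR: Vacation Policy Update\n"
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;\n"
        " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
        "\n"
        "The updated vacation policy is on the intranet.\n"
    ),
    "display_name": (
        'From: "hr@example.com" <notify@mailer.attacker.test>\n'
        "To: alice@example.com\n"
        "Subject: Acknowledge Your Appraisal\n"
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer.attacker.test;\n"
        " dkim=pass header.d=mailer.attacker.test; dmarc=pass header.from=mailer.attacker.test\n"
        "\n"
        "Please acknowledge your appraisal at the link below.\n"
    ),
    "lookalike": (
        "From: HR Department <hr@example-hr.com>\n"
        "To: alice@example.com\n"
        "Subject: Employee Expense Reimbursement\n"
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-hr.com;\n"
        " dkim=pass header.d=example-hr.com; dmarc=pass header.from=example-hr.com\n"
        "\n"
        "Your reimbursement is ready for review.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13s} -> {classify(raw)}")
```

Note that the attacker-controlled messages in the "display_name" and "lookalike" samples pass SPF, DKIM and DMARC for their own domains, so authentication alone does not catch them; the From-header checks are what flag them, and the lookalike rule is a crude substring heuristic that a production filter would replace with a curated list of registered lookalikes or an edit-distance check.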
In Q2 2022, we examined ‘in-the-wild’ email subject lines that show actual emails users received and reported to their IT departments as suspicious. We also reviewed tens of thousands of email subject lines and categories from simulated phishing tests, and top attack vector types in both categories. The results are below.
Common ‘In-The-Wild’ Emails for Q2 2022:
- HR: Your performance evaluation is due
- Google: You were mentioned in a document: "Strategic Plan Draft"
- IT: Inventory Form
- Microsoft 365: Microsoft 365 has new password requirements
- Amazon: Balance paid on your seller account
- Xerox: New document was processed for [[email]]
- Zoom: [[manager_name]] has sent you a message via Zoom Message Portal
- Facebook: Your recent Facebook login
- Your fax is pending for preview
- Money has been successfully withdrawn from your Bank Account
Top Phishing Email Subjects Globally
- HR: Vacation Policy Update
- HR: Important: Dress Code Changes
- Password Check Required Immediately
- HR: Your performance evaluation is due
- Weekly Performance Report
- LinkedIn: Who's searching for you online?
- IT: Internet Report
- HR: Please update W4 for file
- Acknowledge Your Appraisal
- Employee Expense Reimbursement for [[email]]
Top Attack Vector Types
- Link - Phishing Hyperlink in the Email
- Spoofs Domain - Appears to Come From the User's Domain
- Branded - Phishing Test Link Has User's Organizational Logo and Name
- PDF Attachment - Email Contains a PDF Attachment
- Credentials Landing Page - Phishing Link Directs User to Data Entry or Login Landing Page
*Capitalization and spelling are as they were in the phishing test subject line.
**Email subject lines are a combination of both simulated phishing templates created by KnowBe4 for clients, and custom tests designed by KnowBe4 customers.
See results from all previous quarters in our Top Clicked Phishing Email Subjects topic.