Subject Lines That Are Most Frequently Used as Bait
We have been advocating email security very eagerly since we work with a frightening amount of test cases. Looking out for possible threats will act as a first line of defence and might possibly save you the trouble of weeding out an infection that’s bothering your system. But the question logically arises: what exactly should I look out for? KnowBe4, a security awareness training institute, has compiled a list of subject lines and topics that are bound to bait victims. This list is eye-opening and gives us not just some keywords we should be wary about, but also a glimpse of how our mindsets are manipulated into falling for the trap.
According to researchers at KnowBe4, email phishers have moved past promising great riches to creating panic and urgency by dangling security concerns in front of you. This seems logical, as people are likely to open links and attachments if it means they are at risk. Unfortunately, this means that even cyber-aware people are not exempt from becoming targets. In fact, as we know more about security, we tend to be more anxious to make sure our security is bulletproof, thus increasing the likelihood of taking the bait.
“These subject lines are very effective against tech pros as well,” said Erich Kron, security awareness advocate, KnowBe4.
The list has been divided into two sections: social media centric subject lines and security breach centric subject lines.
Subject Lines Related to Social Media
LinkedIn Job Offers
The bitter truth is that you’re being monitored. Your browsing interests, your page visits, your behaviour while skimming through websites are all picked up through cookies. The true intention behind this is to tailor your web surfing experience to your interests. However, this data, once in the wrong hands, can be dangerously misused.
So, suppose you’re someone looking for prospective job offers. We all recognize LinkedIn as a hub for corporate discussions. This makes emails with LinkedIn job offers as their subject line very believable. According to KnowBe4, 55% of phishing campaigns with LinkedIn as the subject line were successful.
“Not surprisingly, LinkedIn email subjects top the social media list for Q4 in a pretty big way. Q4 is a time where people are setting resolutions for the following year, and this often involves a job search. Activity related to LinkedIn tends to spike in this quarter, meaning people are more likely to view and click these emails.”
An invisible observer can easily collect knowledge about you by closely following your Facebook group activities, the people you interact with, the kind of topics you engage with online, and also the ‘About’ section of your profile. Moreover, Facebook has also diversified into the Facebook Marketplace, where you can buy and sell products.
After understanding so much about you, it isn’t that unlikely that a hacker can tailor a mail that has a high chance of success. KnowBe4 says about 28% of phishing campaigns using Facebook in the subject line are successful.
Other social media platforms are slowly joining Facebook and LinkedIn. The intention might not be just gaining illegal access to your systems, but also identity theft and credential misuse.
Subject Lines Related to Your Security
Change of Password Required Immediately 26%
Microsoft/Office 365: De-activation of Email in Process 14%
Password Check Required Immediately 13%
HR: Employees Raises 8%
Dropbox: Document Shared With You 8%
IT: Scheduled Server Maintenance – No Internet Access 7%
Office 365: Change Your Password Immediately 6%
Avertissement des RH au sujet de l’usage des ordinateurs personnels 6%
Airbnb: New device login 6%
Slack: Password Reset for Account 6%
The above email subject lines are a combination of both simulated phishing templates KnowBe4 created and custom tests from their customers.
Email users “should be especially cautious if an email seems too good to be true, such as a giveaway,” Sjouwerman, CEO of KnowBe4 said. “As identifying phishing attacks from legitimate emails becomes trickier, it’s more important than ever for end-users to look for red flags, and think before they click.”