Most Effective Phishing Tactic Is to Make People Think They've Been Hacked

New research into phishing attacks has shown that the most clicked on email subject lines are those that relate to online security concerns.

A report released today by security awareness training company KnowBe4 revealed that emails with titles that trick people into believing that they've already been hacked are the most likely to be opened.

To produce the Q3 2019 Top-Clicked Phishing Tests Report, KnowBe4 researchers sent out thousands of simulated phishing emails with various subject lines, then observed which ones drew clicks. The organization also examined "in-the-wild" email subject lines, taken from actual emails that users received and reported to their IT departments as suspicious.

The results showed that simulated phishing test emails with the subject "Password Check Required Immediately" were the most clicked on, with 43% of users falling for this security-based ruse.

The next most clicked on subject titles, which each lured in 9% of users, were "A Delivery Attempt was made" and "Deactivation of [[email]] in Process."

Interestingly, subject lines promising vast riches or the spiciest of romances were not among the top ten most clicked. Instead, people were hooked by work-based subject lines offering basic information or the promise of relatively modest gains. 

The subject line "New Organizational Changes" hooked 4% of users, and 7% couldn't resist clicking on an email with the subject line "Updated Employee Benefits." While 4% of users gave in to the urge to open a message titled "Staff Review 2018," 6% were intrigued enough by a message called "Revised Vacation & Sick Time Policy" to give it a click. 

A further tactic that proved successful was using the universal lure of food. Researchers found that 8% of users opened a simulated phishing email with the subject line "New food trucks coming to [[company_name]]." 

"As cybersecurity threats persist, more and more end users are becoming security minded," said Stu Sjouwerman, CEO of KnowBe4. 

"They have a vested interest in protecting their online lives, so a message that sounds urgent related to their password can entice someone to click. The bad guys are always looking for clever ways to trick end users, so [users] need to remain vigilant."
