You know the old adage: The more things change, the more they stay the same—as phishing tactics show. The tried-and-true “Security Alert!” subject line is still the most-effective social engineering lure out there, because even though it’s been circulating for years, people still fall for it, over and over.
KnowBe4 has released its Top 10 Global Phishing Email Subject Line report for Q2 2017. While the results show that users click most frequently on business-related subject lines (“Security Alert” leads at a whopping 21%), they still click with alarming frequency on subject lines not related to work topics. But the list as a whole tells us much about ourselves.
Before we dive into the subject lines themselves, let’s remember that according to Osterman Research, email has been the No. 1 network infection vector since 2014.
“It’s an effective method because it gives attackers more control than merely placing traps on the web and hoping that people will stumble over them,” KnowBe4 noted. “Instead, attackers craft and distribute enticing material by both random and targeted means. This method gives the cyber-criminals greater control in selecting potential victims, leveraging multiple psychological triggers and engaging in what amounts to a continuous maturity cycle.”
But it’s not like there aren’t red flags, and most of them are on the urgency front. For a phisher, time is money: the goal is to get as many unsuspecting recipients as possible to click as quickly as possible, because it’s a volume game. At the same time, we live in an anxiety-filled world where rushing someone is a pretty good tactic; the tendency to act without thinking is exacerbated when one feels rushed. Accordingly, three of the ten subject lines carry a time element: No. 7 is “Change of Password Required Immediately” (clicked 8% of the time); No. 8 is “Password Check Required Immediately” (7%); and No. 10 is “Urgent Action Required” (6%).
Never mind that if something were truly urgent, it’s unlikely that a legitimate stakeholder would choose email to communicate—in our emoji-filled modern world, emailing is only one step above the US Post Office on the real-time communications scale. And remember: Banks, the IRS and other institutions that hold the keys to our livelihoods in their grubby digital hands don’t ask for account info in emails. Ever.
One of the subject lines is actually pretty savvy, given that there are plenty of legit emails that have the exact same verbiage; in fact, I got one from my bank just yesterday. “Unusual sign-in activity” is No. 9 at 6%. Of course, as noted above, the one from my bank didn’t give me a link to follow.
The business-related subject lines are a mixed bag. Two of them purport to be from HR (and presumably would be easy to debunk just by, oh I don’t know, maybe looking at the sender’s address?). For instance, the second most-effective lure in the US is “Revised Vacation & Sick Time Policy,” with a 14% effectiveness rate. Who would have thought? Emails relating to time off work are pretty popular!
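The two red flags raised so far, time-pressure language in the subject and a sender address that doesn’t match the organization the mail claims to come from, are easy to turn into a first-pass triage check. The script below is an added example, not code from KnowBe4 or from this article; it also flags a Reply-To that diverges from the From domain, which the report does not discuss. The corporate domain `example.com`, the sample messages and the urgency keyword list are all constructed for illustration.

```python
"""Triage raw email headers for two phishing red flags: urgency wording in the
subject, and a sender (or Reply-To) address outside the organization the
message claims to represent. Added example; domain and samples are made up."""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical corporate domain that "HR" or "IT" mail should really come from.
OUR_DOMAIN = "example.com"

# Time-pressure phrases seen in several of the reported subject lines
# ("Required Immediately", "Urgent Action Required", "Security Alert").
URGENCY = re.compile(
    r"\b(immediately|urgent|required|alert|suspended|verify|within \d+ hours)\b",
    re.IGNORECASE,
)


def sender_domain(header_value):
    """Return the lowercase domain of the real address in a From/Reply-To
    header, ignoring the display name; '' if there is no address."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_internal(domain):
    """True when the domain is OUR_DOMAIN or a subdomain of it."""
    return domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN)


def triage(raw_message):
    """Parse one raw RFC 5322 message and return the flags it trips."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")
    from_header = str(msg["From"] or "")
    from_dom = sender_domain(from_header)
    reply_dom = sender_domain(str(msg["Reply-To"] or ""))
    flags = []
    if URGENCY.search(subject):
        flags.append("urgency language in subject")
    if from_dom and not is_internal(from_dom):
        flags.append(f"sender domain '{from_dom}' is not '{OUR_DOMAIN}'")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain '{reply_dom}' differs from From domain")
    return {"subject": subject, "from": from_header, "flags": flags,
            "suspicious": bool(flags)}


# Constructed sample messages (not real traffic).
SAMPLES = [
    # HR lure: internal-sounding display name, external sender domain.
    "From: Example Corp HR <hr-team@example-benefits.net>\n"
    "To: staff@example.com\n"
    "Subject: Revised Vacation & Sick Time Policy\n\n"
    "Please review the attached policy.\n",
    # Password lure: internal From, urgent subject, replies go elsewhere.
    "From: IT Support <it-support@example.com>\n"
    "Reply-To: helpdesk@mail-reset-center.com\n"
    "To: staff@example.com\n"
    "Subject: Change of Password Required Immediately\n\n"
    "Click the link to keep your account active.\n",
    # Benign internal mail: no urgency, consistent domains.
    "From: HR <hr@example.com>\n"
    "To: staff@example.com\n"
    "Subject: Q3 all-hands agenda\n\n"
    "Agenda attached, see you Thursday.\n",
]


def run_samples():
    """Triage every constructed sample and return the results in order."""
    return [triage(raw) for raw in SAMPLES]


if __name__ == "__main__":
    for result in run_samples():
        mark = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"[{mark}] {result['subject']!r} from {result['from']!r}")
        for flag in result["flags"]:
            print("    -", flag)
```

The check is deliberately crude: a lookalike domain such as `examp1e.com` is caught only because it is not `example.com`, and a compromised internal mailbox would pass the domain test entirely, which is the point the article goes on to make about filters and the human layer.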
The other HR lure is “All Employees: Update your Healthcare Info”, coming in at No. 6 with a 9% effectiveness rate. I could insert a snarky comment here about the healthcare bill moving through Congress—but I won’t.
Shipping notices are effective too—everyone loves to get packages. “UPS Label Delivery 1ZBE312TNY00015011” and “A Delivery Attempt was made” both have a 10% effectiveness rate, placing them midfield.
And then there’s No. 4—the dark horse that on one hand makes me fear for our society as a whole, and on the other makes me guffaw. “BREAKING: United Airlines Passenger Dies from Brain Hemorrhage – VIDEO” claims a 10% effectiveness rate. People apparently have a morbid fascination with such things, which is the “scary society” part of this. Sure, “if it bleeds, it leads” has long been the motto of local news teams everywhere, but just remember, to paraphrase Nietzsche, when you gaze into the abyss, the abyss also gazes into you.
But perhaps more interestingly, it showcases the fact that people still love to hate on United. Me among them.
At any rate, the Top 10 is an interesting window into human nature—as well as a mirror in which corporate IT teams should be gazing.
“The subject lines we are reporting here actually made it through all the corporate filters and into the inbox of an employee. That’s astounding,” said Perry Carpenter, chief evangelist and strategy officer at KnowBe4.
That’s right—astounding! Shame on you, IT.
“We are in a security arms race, and a multi-layered defense is critical because each layer has different points of effectiveness and ineffectiveness,” Carpenter added. “If crafted correctly, the right type of message can sail through all of the defenses because it is finding the least effective point of each and playing into the human psyche of wanting to receive something you didn’t know about or needing to intervene before something is taken away. Ultimately this means that a company’s ‘human firewall’ is an essential element of organizational security because people truly are the last line of defense.”