by Martin Brinkmann on January 24, 2019 in Internet – 5 comments
Is phishing still a thing? KnowBe4, a security training company, released details on the top clicked phishing email subjects of the fourth quarter of 2018; in other words: the subject lines that get unsuspecting users to interact with phishing emails the most.
The data comes from two sources: simulated phishing emails used by KnowBe4 customers and Phish Alert Button interactions.
Phishing is quite the problem on today’s Internet. While additional security features such as two-factor authentication may block some attacks dead in their track, it all comes down to users in the end.
Attackers invent new ways to trick users. In 2017, they used Punycode domains to make domain names look like the real deal, or Google phishing emails that gave the attacker access to emails and contacts.
The following email subjects top the list:
- Password Check Required Immediately/Change of Password Required Immediately 19%
- Your Order with Amazon.com/Your Amazon Order Receipt 16%
- Announcement: Change in Holiday Schedule 11%
- Happy Holidays! Have a drink on us. 10%
- Problem with the Bank Account 8%
- De-activation of [[email]] in Process 8%
- Wire Department 8%
- Revised Vacation & Sick Time Policy 7%
- Last reminder: please respond immediately 6%
- UPS Label Delivery 1ZBE312TNY00015011 6%
Several of these subjects are Holiday themed; these will change in the coming quarters. Common themes include shipping and delivery emails, security related emails, company policy emails, and seasonal emails.
Passwords and security, as well as email subjects that demand action or are of concern to the user, are commonly used in phishing emails.
The company tracks social media email subjects separately.
The top list looks like this:
- LinkedIn email subjects, e.g. Add Me, Join My Network, New Endorsements, Profile Views 39%
- Facebook email subjects, e.g. Password change or Primary email change.
- Pizza, e.g. free pizza or anniversary, 10%
- Motorola login alerts, 9%
- New Voice Message, 6%
- Your friend tagged a photo, 6%
- Your password was successfully reset, 6%
- Secure your account, 4%
- You have a new unread message, 3%
It is surprising that LinkedIn tops the list and not Facebook. Several security related messages are in the top ten, but most social media email subjects used to phish data focuses on interaction on the service.
Closing Words
Phishing attacks have evolved over the years; it is no longer enough to push millions of emails with phishing links to users. Attackers create emails that spark user interest or concern, and put effort in creating email subjects that catch a user’s attention as these determine whether a user opens the email to read the body content (and interact with it) or not.
Most phishing attacks would fall short if users would never click on links in emails.
Now You: What is your take on phishing in 2018? Still as much a threat as in 2010?