KnowBe4 Releases Q2 2018 Top-Clicked Phishing Report

Messages Playing into Human Psyche of Being Popular or Wanted Continue to Sail Through Security Defences

York, UK July 24, 2018 – KnowBe4, provider of the world’s largest security awareness training and simulated phishing platform, today shared its Top 10 Global Phishing Email Subject Lines for Q2 2018. The messages in the report, which were compiled from analysing KnowBe4 user data, are based on simulated phishing tests users received or real-world emails sent to users who then reported them to their IT departments.

Ironically, the top three messages for Q2 2018 show that hackers are playing into users’ commitment to security, all tricking users with clever subject lines that deal with passwords or security alerts.

Hackers continue to take advantage of the human psyche. A recent report from Webroot validates this notion with IT decision makers believing their organisations are most vulnerable to phishing attacks – more so than new forms of malware. Fifty-six per cent of IT decision makers in the U.S. believe their businesses will be most susceptible to phishing attacks, while 44 per cent of IT decision makers in the U.K. are most concerned with ransomware attacks. By playing into a person’s psyche to either feel wanted or alarmed, hackers continue to use email as a successful entry point for an attack.

“Hackers are smart and know how to leverage multiple psychological triggers to get the attention of an innocent victim. In today’s world, it’s imperative that businesses continually educate their employees about the tactics that hackers are using so they can be savvy and not take an email at face-value. Hackers will continue to become more sophisticated with the tactics they use and advance their utilisation of social engineering in order to get what they want,” said Perry Carpenter, chief evangelist and strategy officer at KnowBe4.

KnowBe4 understands that humans are the attack surface of choice for cybercriminals. This is because humans can be easily manipulated or fooled by social engineering tactics. The company examined tens of thousands of email subject lines from simulated phishing tests to uncover just what makes a user want to click. They also examined ‘in-the-wild’ email subject lines that show actual emails users received and reported to their IT departments as suspicious.

The Top 10 Most-Clicked General Email Subject Lines Globally for Q2 2018 include:

1. Password Check Required Immediately 15%
2. Security Alert 12%
3. Change of Password Required Immediately 11%
4. A Delivery Attempt was made 10%
5. Urgent press release to all employees 10%
6. De-activation of [[email]] in Process 10%
7. Revised Vacation & Sick Time Policy 9%
8. UPS Label Delivery, 1ZBE312TNY00015011 9%
9. Staff Review 2017 7%
10. Company Policies-Updates to our Fraternisation Policy 7%

*Capitalisation and spelling are as they were in the phishing test subject line
**Email subject lines are a combination of both simulated phishing templates created by KnowBe4 for clients, and custom tests designed by KnowBe4 customers

When investigating ‘in-the-wild’ email subject lines, KnowBe4 found the most common for Q2 2018 included:

• Microsoft: Re: Important Email Backup Failed
• Microsoft/Office 365: Re: Clutter Highlight
• Wells Fargo: Your Wells Fargo contact information has been updated
• Chase: Fraudulent Activity On Your Checking Account – Act Now
• Office 365: Change Your Password Immediately
• Amazon: We tried to deliver your package today
• Amazon: Refund - Valid Billing Information Needed
• IT: Ransomware Scan
• Docusign: Your Docusign account is suspended
• You have a secure message

*Capitalisation and spelling are as they were in the phishing test subject line
**In-the-wild email subject lines represent actual emails users received and reported to their IT departments as suspicious. They are not simulated phishing test emails.

Businesses that are not already working with KnowBe4 to train their workforce into an effective last line of defence can utilise a number of free tools at www.knowbe4.com to test their users and their network.

About KnowBe4
KnowBe4, the provider of the world’s largest integrated security awareness training and simulated phishing platform, is used by more than 19,000 organisations worldwide. Founded by data and IT security expert Stu Sjouwerman, KnowBe4 helps organisations address the human element of security by raising awareness of ransomware, CEO fraud and other social engineering tactics through a new-school approach to security awareness training. Kevin Mitnick, internationally recognised computer security expert and KnowBe4’s Chief Hacking Officer, helped design KnowBe4’s training based on his well-documented social engineering tactics. Thousands of organisations trust KnowBe4 to mobilise their end-users as the last line of corporate IT defence.
Number 231 on the 2017 Inc. 500 list, #70 on 2017 Deloitte’s Technology Fast 500 and #2 in Cybersecurity Ventures Cybersecurity 500. KnowBe4 is headquartered in Tampa Bay, Florida with European offices in England, the Netherlands, Germany and offices in South Africa and Singapore.

Media contact:
Louise Burke
Origin Communications
louise@origincomms.com
+44 (0) 7917 176095