Phishing Email Subject Lines That Reel Them In

February 14, 2019
Aaron Jentzen

Some people train hard to be able to make quick decisions in specific situations — think of the split-second choices demanded of pro athletes, for example. But for most of us, the more we’re pushed to make quick decisions, the more we’re likely to make mistakes. Cyber attackers know this all too well, and they use it to their advantage. When a phishing email creates a real sense of urgency, it’s harder to scrutinize the message with a critical eye.

Science supports this as well; a neuroscience research study suggests that our brains analyze information very differently when under speed stress than under accuracy stress, affecting decision making. This illustrates why effective anti-phishing training is about changing behaviors, not just raising awareness of the threat.

Trickiest Subject Lines From Simulated Phishing Tests

Some phish are harder to detect than others. As part of our 2019 State of the Phish Report, we analyzed the subject lines from simulated phish our customers sent to their end users over a 12-month period. (We limited our analysis to campaigns sent to at least 1,500 recipients.) Here are the subject lines from some of the emails that fooled the most users:

  • Toll Violation Notification
  • [EXTERNAL]: Your Unclaimed Property
  • Updated Building Evacuation Plan (also among the highest failure rates in 2017)
  • Invoice Payment Required
  • February 2018 – Updated Org Chart
  • Urgent Attention (a notification requesting an email password change)

These subject lines tend to convey urgency, spark curiosity, or provoke strong emotions. And some — for example, those that refer to building evacuation plans and updated org charts — take advantage of both curiosity and a sense of familiarity by using topics designed to blend in with other corporate communications. Phishing emails — both simulated and real — that use these techniques are likely to fool end users who have not been given the skills they need to identify and avoid suspicious messages.

3 Most Common Subject Lines in Email Fraud

In business email compromise (BEC) attacks — also known as email fraud — a social engineer builds trust by impersonating someone the recipient already knows or is inclined to trust, with the goal of convincing the target to initiate a wire transfer or disclose sensitive information (like employee tax data). Scammers try to lull email recipients into believing they are communicating with someone familiar to them, which can make an urgent request more believable.

This can be seen in Proofpoint’s Autumn 2018 report, Protecting People: A Quarterly Analysis of Highly Targeted Cyber Attacks. Proofpoint researchers found that the following subject lines were the most common among BEC attacks spotted during Q3 2018:

  1. Request (22%)
  2. Urgent (21%)
  3. Payment (15%)

Together, these three subjects accounted for 58% of all BEC attacks (up from 48% in the previous quarter). While this data doesn’t show how often people fell for these lures, their growing popularity with attackers suggests that they are effective. In addition to urgent subject lines, more than 99% of all email fraud identified in Q3 used a spoofed display name — an easy way for an attacker to impersonate someone familiar to the recipient.

How Personalized Lures Affect Users

Another question we explored in our State of the Phish Report is whether more personalized phishing emails make users more likely to click. Our ThreatSim® Phishing Simulations product allows customers to use personalized fields when designing phishing tests. They can add first names and/or last names, as well as redisplay the recipient’s email address within the email body.

We found that all types of personalization led to failure rates that were higher than the 9% average across all simulated phishing campaigns. In particular, redisplaying email addresses inside of phishing tests seemed to lend greater credibility to messages, making end users more likely to engage with them.

 

Source: 2019 State of the Phish Report

 

Challenging End Users With Real-World Lures

From creating urgency to spoofing display names to crafting personalized lures, attackers are constantly devising new, more sophisticated phishing emails. To keep end users thinking and learning, those who administer security awareness training must continue to challenge end users with more difficult tests.

Unlike other phishing simulation tools, our ThreatSim tool provides Dynamic Threat Simulation phishing templates based on current real-world lures spotted by Proofpoint’s industry-leading threat intelligence. These templates are a great way to incorporate emerging threats into your campaign cadence and assess your users’ ability to respond to trending attacks.