We all receive an avalanche of e-mails every day. (In fact, you are likely reading this as a result of an e-mail that arrived in your inbox!) Some e-mails are important, some we ignore, many are harmless. But some others are deliberate attempts to fool us into giving away our sensitive personal or financial information. Called “phishing,” these e-mails continue to reach our inboxes every day, unfortunately, because they work. And scammers are becoming more and more sophisticated in their efforts.
Top Phishing E-mail Subject Lines
It’s becoming harder to tell if an e-mail is legitimate or not, and research shows that some phishing e-mail subject lines are very effective in tricking the recipient into taking the bait and opening them. According to recent tests conducted by Florida-based cybersecurity firm KnowBe4, the 10 subject lines listed below had the highest open rate.
#1 SECURITY ALERT – 21%
#2 REVISED VACATION AND SICK TIME POLICY – 14%
#3 UPS LABEL DELIVERY 1ZBE312TNY00015011 – 10%
#4 BREAKING: UNITED AIRLINES PASSENGER DIES FROM BRAIN HEMORRHAGE – VIDEO – 10%
#5 A DELIVERY ATTEMPT WAS MADE – 10%
#6 ALL EMPLOYEES: UPDATE YOUR HEALTHCARE INFO – 9%
#7 CHANGE OF PASSWORD REQUIRED IMMEDIATELY – 8%
#8 PASSWORD CHECK REQUIRED IMMEDIATELY – 7%
#9 UNUSUAL SIGN-IN ACTIVITY – 6%
#10 URGENT ACTION REQUIRED – 6%
To get this list, KnowBe4 sent over 22,000 simulated phishing e-mails to users who had completed a free phishing awareness test on their website.
Phishing Attacks Are More Sophisticated
It used to be that phishing e-mails were fairly easy for the observant Internet user to spot. The e-mails were typically riddled with poor grammar and spelling errors, and linked to phony websites with strange URLs. The spoof sites were unencrypted, evidenced by “http://” addresses instead of the encrypted “https://” ones. Or so we thought.
These days, scammers are hosting fake pages over https:// connections. The sites even show the padlock icon in the browser address bar, which makes them look more legitimate even though the padlock only means the connection is encrypted, not that the site belongs to who it claims. In fact, recent statistics released by anti-phishing firm PhishLabs show that nearly 25% of all phishing sites were hosted on https:// domains in the third quarter of this year. This is double the number in the previous quarter, and up substantially from 3% last year.
How to Protect Yourself
With the ever-changing landscape of online scams, here are some suggestions from investigative reporter Brian Krebs that still hold true when trying to protect against phishing attempts.
If it’s urgent, it’s likely fake. Most phishing e-mails will convey an intense sense of urgency—saying if you don’t act fast you or someone you love will experience some kind of loss, pain or financial trouble. The reason for this is that phishers want to play on emotion, not reason. Plus, they know their scam sites have a short life-span and could be shut down at any moment.
According to Krebs, the best approach is to bookmark the sites that store your sensitive information. If you receive an urgent e-mail that seems suspect, you can visit the site in question manually and log in that way. Don’t click on links in the body of the e-mail or open any attachments.
Don’t take links at face value. Before clicking on a link, hover over it with your mouse so you can see the actual link address. Keep in mind that the most important part of a link is the “root” domain. To find that, Krebs says, look for the first slash (/) after the “http://” part, and then work backwards through the link until you reach the second dot; the part immediately to the right is the real domain to which that link will take you.
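The root-domain rule above, worked through in code as an added example (not code from this article or from Krebs). It also goes a little beyond the plain second-dot rule: it handles a few two-part suffixes such as co.uk and bare IP addresses, which that rule misreads, and the sample links are constructed from reserved example domains.

```python
"""Find the "root" domain of a link as the article describes: take the host
between the scheme's '//' and the first '/', then read back from the end to
the second dot. Added example, not code from the article or from Krebs."""
from urllib.parse import urlsplit

# Constructed, non-exhaustive list of two-part public suffixes. The plain
# second-dot rule would report "co.uk" as the root of "www.example.co.uk".
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def host_of(link: str) -> str:
    """Host between '://' and the first '/', as a browser resolves it.
    urlsplit discards 'user:pass@' and ':port', which the eye may not."""
    if "://" not in link:
        link = "http://" + link  # bare "www.example.com/x" style links
    return (urlsplit(link).hostname or "").lower()


def root_domain(link: str) -> str:
    """Registrable domain the link really points to."""
    host = host_of(link)
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return host  # a bare IP address has no registrable domain at all
    keep = 3 if ".".join(labels[-2:]) in TWO_PART_SUFFIXES else 2
    return ".".join(labels[-keep:])


def looks_deceptive(link: str, expected_root: str) -> bool:
    """True when the brand's domain appears somewhere in the link text but the
    real root domain is something else: the pattern the article warns about."""
    expected_root = expected_root.lower()
    return expected_root in link.lower() and root_domain(link) != expected_root


# Constructed sample links using reserved example domains and a TEST-NET address.
SAMPLE_LINKS = [
    "https://www.example.com/account/login",                    # genuine
    "https://www.example.com.login-verify.example.net/secure",  # brand as subdomain
    "http://example.com@203.0.113.7/update",                    # brand as userinfo
    "https://secure-example.com/reset",                         # lookalike name
    "https://www.example.co.uk/login",                          # two-part suffix
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        flag = "SUSPECT" if looks_deceptive(link, "example.com") else "ok"
        print(f"{flag:8}{root_domain(link):24}{link}")
```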
Beware of forged “From” fields. Just because an e-mail says in the “From” field that it was sent by a legitimate company doesn’t mean that it’s true. This information is often forged. To find out who sent a message, Krebs recommends learning how to examine an e-mail’s “headers.” These are the important data included in all e-mail. However, these “headers” are often hidden by your e-mail service provider, so it’s worth a few minutes of your time to view a tutorial on how to read e-mail headers and help thwart scammers.
If you didn’t ask for it, don’t install it. Malware can also arrive through seemingly innocent channels other than e-mail. For instance, a password-stealing virus could be distributed as a Facebook video post that claims you need a “special code” to view the embedded content.
When it comes to suspicious e-mails, or any other questionable messages in cyberspace, the best rule of thumb is this: when in doubt, don’t open, just delete!
Resources: Krebs on Security, Credit Union Times, Lifewire, PhishLabs, Fortune