KnowBe4 Releases Q3 2017 Top-Clicked Phishing Report

Results Show Certain Types of Messages Continue to Get Through Because They Play to the Human Psyche  

KnowBe4, the provider of the world’s most popular security awareness training and simulated phishing platform, today shared its Top 10 Global Phishing Email Subject Lines for Q3 2017. The results this quarter were a mix of personal and company notifications, showing email continues to be an effective way to phish users.

Mike Rogers, the former chairman of the House Intelligence Committee, spoke last week at the U.S. Chamber of Commerce’s cybersecurity summit about phishing attacks, his expectation of them as the “next big attack vector”, and their increased potential to dramatically impact an organization’s economic loss and liability. Rogers noted that cyber criminals, particularly those with nation-state backing, have created such sophisticated email phishing attacks that it is nearly impossible to defend against malware infections. He also cited that the availability of personal information on social media sites is driving advanced social engineering by cyber criminals, who use the information to create highly personalized phishing schemes. Rogers said sophisticated phishing emails are responsible for more than 90 percent of successful cyber-attacks.

These statements echo KnowBe4’s position that humans are the weakest link in an organization’s security program. The company examined tens of thousands of email subject lines from simulated phishing tests to uncover just what makes a user want to click.Infographic-1.png

The Top 10 Most-Clicked General Email Subject Lines Globally for Q3 2017 include:

Official Data Breach Notification – 14%

  1. UPS Label Delivery 1ZBE312TNY00015011 – 12%
  2. IT Reminder: Your Password Expires in Less Than 24 Hours – 12%
  3. Change of Password Required Immediately – 10%
  4. Please Read Important from Human Resources – 10%
  5. All Employees: Update your Healthcare Info – 10%
  6. Revised Vacation & Sick Time Policy – 8%
  7. Quick company survey – 8%
  8. A Delivery Attempt was made – 8%
  9. Email Account Updates – 8%

*Capitalization is as it was in the phishing test subject line
*Email subject lines are a combination of both simulated phishing templates created by KnowBe4 for clients, and custom tests designed by KnowBe4 customers

In addition to the Top 10 most-clicked general email subject lines, KnowBe4 also evaluated the Top 10 global social networking subject lines for Q3 2017. These subject lines represent simulated phishing tests that KnowBe4 clients sent to a user’s inbox as if they were coming from a social media site and reflecting some sort of account activity. Following in the footsteps from Q2, four of the top 10 spots again went to LinkedIn, which users often have tied to their work email addresses. This, too, plays into the human psyche, as people want to connect and manage their reputation on their social networking sites so often open and interact with emails from the sites. LinkedIn poses an interesting dilemma for organizations and their employees as it is important to both have an updated and active presence on LinkedIn, yet the platform is obviously highly targeted by cyber criminals for social engineering and phishing activities.

“By playing into the human psyche, hackers will successfully continue to infiltrate an organization through a phishing email. The level of sophistication hackers are now using makes it nearly impossible for a piece of technology to keep an organization protected against social engineering threats,” said Perry Carpenter, chief evangelist and strategy officer at KnowBe4. “Phishing attacks are smart, personalized and timed to match topical news cycles. Businesses have a responsibility to their employees, their shareholders and their clients to prevent phishing schemes. KnowBe4 has a proven track record of helping them do just that.”

Businesses that are not already working with KnowBe4 to train their workforce into an effective last line of defense can utilize a number of free tools at to test their users and their network.

About KnowBe4

KnowBe4, the provider of the world’s most popular integrated new school security awareness training and simulated phishing platform, is used by more than 13,000 organizations worldwide. Founded by data and IT security expert Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness of ransomware, CEO fraud and other social engineering tactics through a new-school approach to security awareness training. Kevin Mitnick, internationally recognized computer security expert and KnowBe4’s Chief Hacking Officer, helped design KnowBe4’s training based on his well-documented social engineering tactics. Thousands of organizations trust KnowBe4 to mobilize their end-users as the last line of corporate IT defense.

Number 231 on the 2017 Inc. 500 list, #50 on 2016 Deloitte’s Technology Fast 500 and #6 in Cybersecurity Ventures Cybersecurity 500. KnowBe4 is headquartered in Tampa Bay, Florida with its European headquarters in London, England. For more information, visit and follow Stu on Twitter at @StuAllard.


Return To KnowBe4 Press Releases

Get the latest about social engineering

Subscribe to CyberheistNews