KnowBe4 Releases Q3 2018 Top-Clicked Phishing Report

Messages that are security minded and play into
human curiosity continue to bypass security defenses

KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, today shared it’s Top 10 Global Phishing Email Subject Lines for Q3 2018. The messages in the report, which were compiled from analyzing KnowBe4 user data, are based on simulated phishing tests users received or real-world emails sent to users who then reported them to their IT departments. The top three messages for Q3 2018 show that hackers are playing into users’ commitment to security, with password checks, as well as their curiosity, with a new voicemail or order on its way.Q3 2018 Phishing Report

Eighty-seven percent of global executives view untrained staff as the greatest cyber risk to their business, according to a recent report by Willis Towers Watson and ESI ThoughtLab. Compounding this finding is the fact that staff training is ranked among the categories to have made the least progress when measured against the National Institute of Standards and Technology (NIST) cybersecurity framework. The research also identified the most common types of attacks include malware/spyware (81 percent) and phishing (64 percent).

“Hackers are leveraging an individual’s desire to remain security minded or well informed by playing into his/her psyche,” said Perry Carpenter, chief evangelist and strategy officer, KnowBe4. “They do this by making someone believe they are at risk or that something needs immediate attention. These types of attacks are effective because they cause a person to simply react before thinking logically about the legitimacy of the email. Managing the ongoing problem of social engineering is becoming more and more difficult as hackers play into human emotions by causing feelings of alarm or curiosity.”

In the third quarter of 2018, KnowBe4 examined tens of thousands of email subject lines from simulated phishing tests to uncover just what makes a user want to click. The Company also examined ‘in-the-wild’ email subject lines that show actual emails users received and reported to their IT departments as suspicious. The results are below.

The Top 10 Most-Clicked General Email Subject Lines Globally for Q3 2018 include:

  • Password Check Required Immediately 29%
  • You Have a New Voicemail 13%
  • Your order is on the way 11%
  • Change of Password Required Immediately 10%
  • De-activation of [[email]] in Process 9%
  • UPS Label Delivery 1ZBE312TNY00015011 6%
  • Revised Vacation & Sick Time Policy 6%
  • You’ve received a Document for Signature 5%
  • Spam Notification: 1 New Messages 5%

*Capitalization and spelling are as they were in the phishing test subject line.
**Email subject lines are a combination of both simulated phishing templates created by KnowBe4 for clients, and custom tests designed by KnowBe4 customers.

When investigating ‘in-the-wild’ email subject lines, KnowBe4 found the most common for Q3 2018 included:

  • You have a new encrypted message
  • IT: Syncing Error – Returned incoming messages
  • HR: Contact information
  • FedEx: Sorry we missed you.
  • Microsoft: Multiple log in attempts
  • Wells Fargo: Irregular Activities Detected on Your Credit Card
  • LinkedIn: Your account is at risk!
  • Microsoft/Office 365: [Reminder]: your secured message
  • Coinbase: Your cryptocurrency wallet: Two-factor settings changed

*Capitalization and spelling are as they were in the phishing test subject line.
**In-the-wild email subject lines represent actual emails users received and reported to their IT departments as suspicious. They are not simulated phishing test emails.

Businesses need to train their users to be their last line of defense. KnowBe4 has many free tools available at to test the users in their network.


About KnowBe4

KnowBe4, the provider of the world’s largest integrated security awareness training and simulated phishing platform, is used by more than 20,000 organizations worldwide. Founded by data and IT security expert Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness of ransomware, CEO fraud and other social engineering tactics through a new-school approach to security awareness training. Kevin Mitnick, internationally recognized computer security expert and KnowBe4’s Chief Hacking Officer, helped design KnowBe4’s training based on his well-documented social engineering tactics. Tens of thousands of organizations worldwide trust KnowBe4 to mobilize their employees as their last line of defense.

Number 96 on the 2018 Inc. 500 list, #70 on 2017 Deloitte’s Technology Fast 500 and #2 in Cybersecurity Ventures Cybersecurity 500. KnowBe4 is headquartered in Tampa Bay, Florida with European offices in England, the Netherlands, Germany and offices in South Africa and Singapore.

Get the latest about social engineering

Subscribe to CyberheistNews