Cyber security company Kaspersky has collected information on the types of email messages that convince recipients to click dangerous links. The company has created a product that allows organizations to simulate attacks, phishing attempts and other threats. Simulation campaigns are targeted at employees, and the tool collects information on what they did with the messages.
Kaspersky’s phishing simulation campaigns have produced valuable results. At the moment, the five most effective phishing email subject lines are:
- Subject: Failed delivery attempt – Unfortunately, our courier was unable to deliver your item. Sender: Mail delivery service. Click conversion: 18.5%
- Subject: Emails not delivered due to overloaded mail servers. Sender: The Google support team. Click conversion: 18%
- Subject: Online employee survey: What would you improve about working at the company. Sender: HR Department. Click conversion: 18%
- Subject: Reminder: New company-wide dress code. Sender: Human Resources. Click conversion: 17.5%
- Subject: Attention all employees: new building evacuation plan. Sender: Safety Department. Click conversion: 16%
Phishing emails that referred to the following things also achieved a significant number of clicks:
- Reservation confirmations from a booking service (11%)
- A notification about an order placement (11%)
- An IKEA contest announcement (10%)
In other tests, it was discovered that up to 30% of phishing email recipients click malicious links if messages are re-sent a few times.
Naturally, we should expect that cybercriminals will invent new subject lines that are even better than the current ones. Avoiding unsolicited, unknown links is the most important thing to remember. Perhaps the following email subject lines have been in the media so often that people have learned to avoid them:
- I hacked your computer and know your search history: only 2% of clicks.
- Free Netflix and $1,000: 1% of clicks.
Header image by Andrea Piacquadio.