The most common subject lines used in phishing emails targeting businesses show how cyber criminals are exploiting urgency, personalisation and pressure in order to trick victims into clicking on malicious links, downloading malware or otherwise surrendering confidential or sensitive corporate information.
Cyber criminals are well aware that people respond to dozens if not hundreds of emails a day – and this is reflected in the most common subject lines used when conducting business email compromise attacks.
After analyzing 360,000 phishing emails over a three-month period, researchers at cybersecurity company Barracuda Networks have detailed the most common lines used in phishing attacks – these subject lines are the most common because it's highly likely they're often the most successful bait for reeling in victims.
According to Barracuda's spear phishing report, by far the most common subject line used in attacks is simply 'Request' – accounting for over a third of all the phishing messages analysed. That's followed in popularity with messages containing 'Follow up' or 'Urgent/Important' in the subject line.
The simple trick attackers are using here is to make potential victims think they need to open and respond to the email as a matter of urgency – especially if the message is designed to look as if it comes from one of their colleagues, or their boss. That could nudge the victim into responding quickly, without thinking, especially if it claims to come from a board-level executive.
The top subject lines according to Barracuda analysis are based around the following key phrases:
- Follow up
- Are you available?/Are you at your desk?
- Payment Status
- Invoice Due
- Direct Deposit
'Are you at your desk' uses the trick of familiarly to try and coax victims into falling for the attack, while subjects suggesting the email is part of a previous conversation are also used for a similar goal – to trick the user into trusting the sender.
Many of the most-used subject lines also refer to finance and payments; if the recipient thinks they might lose money if they don't respond, they'll likely jump to it. The same also goes for messages about payments – an employee might think it will look bad if they leave somebody without being paid, especially if the request comes from someone who is their senior.
"Increasingly the social element is becoming the key "attack vector" in cybersecurity attacks. In the past, attackers sent ransomware emails, which actually took over the computer and encrypted the files, asking for a ransom," Asaf Cidon, VP for content security at Barracuda Networks told ZDNet.
"But today, they don't even need to send ransomware. They can simply use social manipulation to get the recipient to send a ransom – which is far cheaper, more effective and harder to detect."
To avoid falling victim to phishing attacks, cybersecurity researchers recommend the implementation of DMARC authentication to avoid domain spoofing, along with the deployment of multi-factor authentication to provide users with an extra layer of protection. Those techniques should be combined with user training and the use of security software.
READ MORE ON CYBER SECURITY
- Phishing attacks: Half of organisations have fallen victim in last two years
- How to spot a phishing email CNET
- Phishing alert: One in 61 emails in your inbox now contains a malicious link
- The challenges with preventing phishing attacks: An insider's perspective TechRepublic
- Filled with malware, phishing and scams, does the web need a safety manual?