By Aaron Jentzen
Mon | May 6, 2019 | 12:30 PM PDT

Some people train hard to be able to make quick decisions in specific situations—think of the split-second choices demanded of pro athletes, for example. But for most of us, the more we’re pushed to make quick decisions, the more we’re likely to make mistakes. Cyber attackers know this all too well, and they use it to their advantage. When a phishing email creates a real sense of urgency, it’s harder to scrutinize the message with a critical eye.

Science supports this as well; a neuroscience research study suggests that our brains analyze information very differently when under speed stress than under accuracy stress, affecting decision making. This illustrates why effective anti-phishing training is about changing behaviors, not just raising awareness of the threat.

Tricky subject lines from simulated phishing tests

Some phish are harder to detect than others, as can be seen in the 2019 State of the Phish Report by Proofpoint Security Awareness Training. The report analyzed the subject lines from simulated phish sent by Proofpoint customers to their end users over a 12-month period. (This analysis was limited to campaigns sent to at least 1,500 recipients.) Here are the subject lines from some of the emails that fooled the most users:

  • Toll Violation Notification
  • [EXTERNAL]: Your Unclaimed Property
  • Updated Building Evacuation Plan (also among the highest failure rates in 2017)
  • Invoice Payment Required
  • February 2018 – Updated Org Chart
  • Urgent Attention (a notification requesting an email password change)

These subject lines tend to convey urgency, spark curiosity, or provoke strong emotions. And some—for example, those that refer to building evacuation plans and updated org charts—take advantage of both curiosity and a sense of familiarity by using topics designed to blend in with other corporate communications. Phishing emails—both simulated and real—that use these techniques are likely to fool end users who have not been given the skills they need to identify and avoid suspicious messages.

3 most common subject lines in email fraud

In Business Email Compromise (BEC) attacks—also known as email fraud—a social engineer builds trust by impersonating someone the recipient already knows or is inclined to trust, with the goal of convincing the target to initiate a wire transfer or disclose sensitive information (like employee tax data). Scammers try to lull email recipients into believing they are communicating with someone familiar to them, which can make an urgent request more believable.

This can be seen in Proofpoint’s Autumn 2018 report, Protecting People: A Quarterly Analysis of Highly Targeted Cyber Attacks. Proofpoint researchers found that the following subject lines were the most common among BEC attacks spotted during Q3 2018:

  1. Request (22%)
  2. Urgent (21%)
  3. Payment (15%)

Together, these three subjects accounted for 58% of all BEC attacks (up from 48% in the previous quarter). While this data doesn’t show how often people fell for these lures, their growing popularity with attackers suggests that they are effective. In addition to urgent subject lines, more than 99% of all email fraud identified in Q3 used a spoofed display name—an easy way for an attacker to impersonate someone familiar to the recipient.
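As an added example (not code from the post or from Proofpoint), the following Python check scores a message on the two signals described above: a subject line containing one of the three reported lure terms, and a display name that matches a known internal sender but arrives from a different address. The sender directory, the internal domain and the two sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed directory of internal senders (assumed names and domain, not from the post).
INTERNAL_DOMAIN = "example.com"
KNOWN_SENDERS = {
    "jane doe": "jane.doe@example.com",
}
# The three subject terms the post reports as most common in Q3 2018 BEC attacks.
LURE_TERMS = ("request", "urgent", "payment")

def score_message(raw: str) -> dict:
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    subject = msg.get("Subject", "").lower()
    reasons = []
    # Display-name spoofing: a familiar name on an address that is not the one we know.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr != expected:
        reasons.append(f"display name '{name}' does not belong to {addr}")
    # Urgency lure in the subject line.
    hits = [t for t in LURE_TERMS if t in subject]
    if hits:
        reasons.append("subject uses lure term(s): " + ", ".join(hits))
    return {
        "from": addr,
        "external": domain != INTERNAL_DOMAIN,
        "reasons": reasons,
        # A lure word alone is common in legitimate mail; flag when paired with a spoofed name.
        "suspicious": len(reasons) == 2,
    }

# Constructed sample messages (not real mail).
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@mail-example.net>
Subject: Urgent

Are you at your desk? I need a wire sent today.
"""
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
Subject: Payment schedule for Q3

Attached is the updated schedule.
"""
```

The legitimate sample also contains a lure term, which is why the check only flags a message when both signals are present.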

How end users respond to personalized lures

Another question explored in the State of the Phish Report is whether users are more likely to click when phishing emails are more personalized. The report found that using details like first names and/or last names and redisplaying the recipient’s email address within the email body led to failure rates that were higher than the 9% average across all simulated phishing campaigns. In particular, redisplaying email addresses inside of phishing tests seemed to lend greater credibility to messages, making end users more likely to engage with them.

[Source: Proofpoint 2019 State of the Phish Report]

Creating a program that keeps challenging your end users

From creating urgency to spoofing display names to crafting personalized lures, attackers are constantly devising new, more sophisticated phishing emails. To keep end users thinking and learning, those who administer security awareness training must continue to challenge end users with more difficult tests.

While developing an ongoing, comprehensive security awareness program is essential to reduce risk from phishing attacks, it can take some convincing to win over management and end users.

To learn how to make the case for your training program, register for the April 24 SecureWorld web conference, From Skeptics to Champions: Selling the Value of Security Awareness Training Throughout Your Organization.