A new study from KnowBe4 has quantified which phishing subject lines and links are the most likely to be clicked.
The top subject line? "Google: You were mentioned in a document 'Strategic Plan Draft.'" That one accounted for 17% of the phishing subject lines in the study.
That's a very convincing subject. We've written before about how the comments feature in Google Docs has been abused for phishing, and this subject line plays off that. If you're an end-user receiving that email, it looks pretty tempting to click. Who wouldn't want to see a strategic plan draft?
Coming in behind that on the list:
- HR: Important: Dress Code Changes (15%)
- HR: Vacation Policy Update (14%)
- Adobe Sign: Your Performance Review (11%)
- Password Check Required Immediately (11%)
These subjects are incredibly clever and represent a bit of a shift in tactics. As KnowBe4 points out, 40% of email subject lines are HR related. Hackers are hoping that these urgent-sounding emails related to your job are going to get you to click. Think about it: it would be hard to avoid clicking on what appears to be your performance review.
Further, the number one vector KnowBe4 has seen for phishing attacks is malicious links in the body of an email. That underscores the importance of scanning every URL.
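To make "scanning all URLs" concrete, here is an added example (not code from KnowBe4 or from this post's author) that pulls every link out of an HTML email body, including bare URLs in the text, and flags the three things a scanner should notice first: visible link text that shows one domain while the href points to another, hosts outside a trusted allowlist, and untrusted hosts that borrow a brand name such as "google" or "adobe". The sample body, the allowlist and the brand tokens are constructed for the demo; the registrable-domain helper is deliberately naive and is labelled as such.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not from the KnowBe4 study): the first link's
# visible text impersonates a Google Docs URL while its href points elsewhere.
SAMPLE_HTML_BODY = """
<p>You were mentioned in a document "Strategic Plan Draft."</p>
<p><a href="http://docs-google.example-login.test/open?id=1">https://docs.google.com/document/d/abc</a></p>
<p>Questions? Visit <a href="https://support.example.com/help">our help center</a>.</p>
<p>Plain text link: http://hr-portal.example.net/dresscode.pdf</p>
"""

# Constructed allowlist of registrable domains the organisation trusts (assumption).
TRUSTED_DOMAINS = {"google.com", "example.com"}
# Brand tokens whose appearance in an untrusted hostname suggests a lookalike.
BRAND_TOKENS = ("google", "adobe")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for each <a>, plus text outside anchors."""

    def __init__(self):
        super().__init__()
        self.links = []        # [(href, visible_text), ...]
        self.free_text = []    # text that is not inside an <a>
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is None:
            self.free_text.append(data)
        else:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Deliberately naive: a production scanner
    should consult the public suffix list so that e.g. co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url, shown_text=""):
    """Return the reasons this URL deserves attention (empty list if none)."""
    reasons = []
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    # Visible text that is itself a URL on a different domain than the href
    shown = URL_RE.search(shown_text)
    if shown:
        shown_host = urlparse(shown.group(0)).hostname or ""
        if registrable_domain(shown_host) != domain:
            reasons.append("display_mismatch")
    if domain not in TRUSTED_DOMAINS:
        reasons.append("untrusted_domain")
        if any(tok in host.lower() for tok in BRAND_TOKENS):
            reasons.append("brand_lookalike")
    return reasons


def scan_body(body):
    """Extract every URL in an HTML email body and classify each one."""
    parser = LinkExtractor()
    parser.feed(body)
    parser.close()
    results = []
    for href, text in parser.links:
        results.append({"url": href, "host": urlparse(href).hostname or "",
                        "reasons": classify_url(href, text)})
    for url in URL_RE.findall("".join(parser.free_text)):
        results.append({"url": url, "host": urlparse(url).hostname or "",
                        "reasons": classify_url(url)})
    return results


if __name__ == "__main__":
    for r in scan_body(SAMPLE_HTML_BODY):
        flag = "FLAG" if r["reasons"] else "ok  "
        print(f"{flag} {r['url']}  {', '.join(r['reasons'])}")
```

Run against the sample, the Google Docs lookalike link is flagged on all three counts, the help-center link on the allowlisted domain passes clean, and the bare HR "dress code" URL is flagged only as untrusted. The point of separating the reasons is that a display/href mismatch is a strong signal on its own, whereas "untrusted domain" alone is common in legitimate mail and usually needs to be combined with reputation or sandbox checks before blocking.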
The end-user has it rough. They already get countless legitimate emails to sort through, plus Slack messages, Teams calls, texts and more. The more convincing an email subject line is, the more likely they are to click.
That's why it's imperative to take a proactive, preventative approach. Combine that with solid training of all end-users, and you've got a huge leg up.