Image: GettyImages/Maskot

In recent months, hacking groups have brought critical aspects of U.S. infrastructure to a halt, and phishing is a popular tool in cybercriminal’s seemingly ever-expanding armamentarium of attack methods. On Wednesday, Expel released a report, highlighting the top keywords used in phishing attempt subject lines. Based on the findings, employees may need to be particularly wary of the seemingly innocuous emails in their inboxes.

“Attackers are trying to trick people into giving them their credentials. The best way to do this is to make the email look legitimate, prompt one clear action and lace it with emotion – urgency or fear of loss are the most common,” said Ben Brigida, director, SOC Operations, at Expel. “The actions are as simple as ‘go to this site’ or ‘open this file,’ but the attacker wants you to be moving too fast to stop and question if it’s legitimate.”

SEE: Security incident response policy (TechRepublic Premium)

Malicious emails: Top phishing attempt keywords

To determine this list of keywords, Expel looked at 10,000 malicious emails. In a blog post about the findings, Expel said the keywords in these subject lines target one or multiple themes in an effort to “make recipients interact with the content.” These themes include “imitating legitimate business activities, generating a “sense of urgency” and cueing the “recipient to act.”

Some of the top listed phishing keywords are designed to imitate legitimate business invoices.

In order, the top three such subject lines include “RE: INVOICE,” “Missing Inv ####; From [Legitimate Business Name] and “INV####.”

To add context to these phishing attempts disguised as standard invoices, Expel said that “generic business terminology doesn’t immediately stand out as suspicious and maximizes relevance to the most potential recipients by blending in with legitimate emails, which presents challenges for security technology.”

Per Expel, subject lines highlighting newness are frequently used in phishing attempts with examples including “New Message from ####, “New Scanned Fax Doc-Delivery for ####” and “New FaxTransmission from ####.”

Adding context to this roundup of “new” subject lines, Expel said legit communications and alerts regularly use the term “new” to “raise the recipient’s interest,” adding that “people are drawn to new things in their inbox, wanting to make sure they don’t miss something important.”

SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)

Subject lines highlighting new messages and further actions requirements are also popular phishing methods, according to Expel, with phrasing focused on expiration notices for emails and passwords, verification requirements and others.

“Keywords that promote action or a sense of urgency are favorites among attackers because they prompt people to click without taking as much time to think. “Required” also targets employees’ sense of responsibility to urge them to quickly take action,” the post said.

Other top phishing attempt subject lines include blank subject lines, file/document sharing language, service and form requests, action requirements and eFax angles.

Spearphishing: Targeting specific employees

On average organizations will face more than 700 social engineering cyberattacks annually and 10% of the targeted attacks are business email compromises (BEC), according to a July Barracuda Networks report; among social engineering attacks analyzed by company researchers, phishing represented 49%.

Interestingly, a person’s role at a company may play a role in their risk of being targeted by cybercriminals. For example, Barracuda Networks determined that IT professionals receive an average of 40 targeted phishing attacks annually and this number jumps to 57 for CEOs.

Brigida said the subject line action is “ideally” a task the email recipient does in their day-to-day job so that the “request feels familiar or routine.”

“If a user is in finance, they may fall for an invoice-themed phish. If they are in recruiting, they may fall for a resume-themed phish,” Brigida said. “The job of an attacker is to trick the user into doing what they want, evading security detection tools in the process by blending in with typical business activities.”