Image: Getty Images/iStockphoto

Email phishing attacks work by spoofing or referencing well-known topics that the attackers hope will arouse fear or concern or interest on the part of the recipients. These types of campaigns also try to exploit subjects that are in the news, which is why coronavirus-related phishing emails have been a common tactic since the virus surfaced earlier this year. A report published Wednesday by security trainer KnowBe4 looks at some of the most common subjects used in phishing emails during the second quarter of 2020.

SEE: Fighting social media phishing attacks: 10 tips (free PDF) (TechRepublic)

To compile its “Q2 2020 Top-Clicked Phishing Report,” KnowBe4 examined tens of thousands of email subject lines from simulated phishing tests as well as “in-the-wild” email messages that employees received and reported to their IT departments as suspicious. The templates for the simulated phishing tests, which organizations use to help educate employees, were based on real phishing attacks.

Email phishing attacks with subjects related to COVID-19 remained prevalent last quarter, accounting for 56% of all the subject lines analyzed. Beyond directly mentioning the coronavirus, some of these scam emails alluded to related side effects, such as work reopenings, rescheduled meetings, stimulus payments, and new vacation policies. (Also check out the most clicked phishing email subject lines based on a 2019 fourth-quarter report from KnowBe4.)

“It’s no surprise that phishers and scammers are using the avalanche of new information and events involving the global coronavirus pandemic as a way to successfully phish more victims,” KnowBe4 CEO Stu Sjouwerman said in a press release. “These phishing scams are becoming more aggressive and more targeted as this pandemic continues. Everyone should remain very skeptical of any email related to COVID-19 coming into their inbox.”

However, cybercriminals also tapped into such popular subjects as social media sites like Facebook and LinkedIn, password resets, and security alerts. Among the top social media subjects, LinkedIn accounted for 42% of the analyzed emails with such subject lines as “You appeared in new searches this week,” “People are looking at your LinkedIn profile,” “Please add me to your LinkedIn Network,” and “LinkedIn Password Reset.”

Phishing attacks that exploited Facebook used such subject lines as “Your Friend Tagged a Photo of You” and “Your friend tagged you in photos on Facebook.” Campaigns spoofing Twitter tried to entice people with a subject line of “Someone has sent you a Direct Message on Twitter.”

“A login alert for Chrome on Motorola Moto X,” “New voice message at 1:23AM,” and “55th Anniversary and Free Pizza” were other subjects touted in phishing emails.

“LinkedIn messages continue to dominate the top social media email subjects, with several variations of messages such as ‘people are looking at your profile’ or ‘add me,'” KnowBe4 said in its report. “Other alerts containing security-related warnings come unexpectedly and can cause feelings of alarm. Messages such as a friend tagged you in a photo or mentioned you can make someone feel special and entice them to click. And everyone loves free pizza!”

The top 10 general subjects seen in the simulated phishing emails analyzed last quarter include:

  1. Password Check Required Immediately
  2. Vacation Policy Update
  3. Branch/Corporate Reopening Schedule
  4. COVID-19 Awareness
  5. Coronavirus Stimulus Checks
  6. List of Rescheduled Meetings Due to COVID-19
  7. Confidential Information on COVID-19
  8. COVID-19 – Now airborne, Increased community transmission
  9. Fedex Tracking
  10. Your meeting attendees are waiting!

“Hackers are playing into employees’ desires to remain security minded,” KnowBe4 said in the report. “Unsurprisingly, half of the top subjects for this quarter were around the coronavirus pandemic. Curiosity is also piqued with security-related notifications and HR-related messages that could potentially affect their daily work.”

Looking at the subject lines found among the “in-the-wild” phishing emails last quarter, KnowBe4 identified the following as the top 10:

  1. Microsoft: Abnormal log in activity on Microsoft account
  2. Chase: Stimulus Funds
  3. HR: Company Policy Notification: COVID-19 – Test & Trace Guidelines
  4. Zoom: Restriction Notice Alert
  5. Jira: [JIRA] A task was assigned to you
  6. HR: Vacation Policy Update
  7. Ring: Karen has shared a Ring Video with you
  8. Workplace: [company_name] invited you to use Workplace
  9. IT: ATTENTION: Security Violation
  10. Earn money working from home

“Here again we see subjects related to the coronavirus and working from home,” KnowBe4 said in its report. “Cybercriminals are preying on heightened stress, distraction, urgency, curiosity, and fear in users. These types of attacks are effective because they cause a person to react before thinking logically about the legitimacy of the email.”

With phishing emails a persistent threat, Javvad Malik, security awareness advocate for KnowBe4, advises organizations to educate employees on how to identify and report them.

“With the majority of business for many organizations being conducted over email, it is not unusual for emails to be sent requesting or providing commercial information,” Malik said. “But not everything is always what it seems, and users should exercise caution when they receive any unsolicited, or unexpected emails, particularly ones which contain links or attachments. It is why it’s important for organizations to invest in security awareness training so that users can identify and report any suspected phishing emails.”