Most Effective Phishing Emails Revealed

Phishing is an effective method of obtaining login credentials and installing malware and ransomware, and email is the most common vector used for these scams, but what are the most effective phishing emails? What types of emails are most likely to fool your employees into installing malware or disclosing their login credentials?

This week, security awareness training company KnowBe4 has released its Q3 phishing report, detailing the top ten most effective phishing emails – emails that are most likely to result in employees clicking through and revealing their credentials.

KnowBe4’s Top Ten List of the Most Effective Phishing Emails

For its Q3 report, KnowBe4 included phishing email subject lines that are used in attacks on consumers and businesses.  Listed below are the most effective phishing emails together with the percentage of individuals that clicked through. The figures come from the company’s phishing simulation platform, and were the most effective phishing emails out of thousands of subject lines assessed through the platform.

  1. Official Data Breach Notification (14%)
  2. UPS Label Delivery 1ZBE312TNY00015011 (12%)
  3. IT Reminder: Your Password Expires in Less Than 24 Hours (12%)
  4. Change of Password Required Immediately (10%)
  5. Please Read Important from Human Resources (10%)
  6. All Employees: Update your Healthcare Info (10%)
  7. Revised Vacation & Sick Time Policy (8%)
  8. Quick company survey (8%)
  9. A Delivery Attempt was made (8%)
  10. Email Account Updates (8%)

Phishers are increasingly using emails that appear to have been sent via social media networks. An analysis of the effectiveness of those phishing campaigns showed that the emails most likely to be clicked by employees were sent from LinkedIn.  Phishing emails asking users to ‘add me as a contact’, ‘reset password’, ‘new message,’ and invitations to ‘join network’ were effective 41% of the time.

Since many individuals use their work email addresses for their LinkedIn accounts, and also use of the same password for their work email account and their LinkedIn account, falling for such a scam could see their work email account compromised as well as their LinkedIn profile. With access to work email accounts, phishers can launch further scams and plunder the accounts for sensitive data.

Perry Carpenter, chief evangelist and strategy officer at KnowBe4. “Phishing attacks are smart, personalized and timed to match topical news cycles. Businesses have a responsibility to their employees, their shareholders and their clients to prevent phishing schemes. KnowBe4 has a proven track record of helping them do just that.”

How to Protect Against Phishing

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of