5 Most Prevalent Phishing Subject Lines


Chances are good there's a phishing scam lurking amid your emails right now. If there isn't, then perhaps there will be tomorrow, or the next day. The question is, will you fall for it?

Phishing emails are getting tougher to block because attackers are crafting their bait to be more convincing to targets, researchers report. And employees are quick to open potentially malicious emails, even when they know they should be on alert.

Here's a look at the most commonly used phishing subject lines, the messages they include, and what they reveal about their attackers' goals and tactics.

'Assist Urgently'

Attackers convey a sense of immediacy when they don't want targets to dwell on their choice to act. It's something they want you to make a decision on quickly.

Maybe the note won't say "assist urgently," but a similar prompt for employees. Related subject lines he commonly sees include "Review" or "Quick Review," both of which demand a person to take action. 'Important: (1) NEW message from' is another popular one.


"Invoice" is seen in six of the top ten phishing subject lines detected. Financial motivation is far in the lead when considering phishing subject lines.

While the top six scams differ in message content, all try to lure their targets with the word "invoice" as the subject line. Money is a powerful motivator. Attackers know it, and they're using it to their advantage.

'Verify Your Account'

This subject line has less to do with direct financial gain and more to do with credential theft. While there may be a financial component to these types of attacks, credential phishing is typically done to gain a foothold inside a target network.

When talking about this idea of credential phishing, 'verify account' is designed to get you on a landing page to validate your credentials. Attackers want your username and password. To get them, they might try to impersonate a brand you frequently use.

'AMAZON: Your Order no #812-4623 might have ARRIVED'

These types of emails are frequently seen around the holidays. Certain types of attacks were more prevalent during different times of the year: financial and tax-related scams arrived around tax season, and fraudulent messages about deliveries show up at Christmastime.

Most people who frequently shop on Amazon will investigate emails like these to see which order it's referring to, or remind themselves of what they purchased. They'll click the link to see what they ordered, and they realize they've already infected their machine.

'Copy' or 'Document Copy'

While malicious links are increasingly commonplace in phishing emails, attachments continue to be popular – and effective – especially in emails related to invoices, payment notifications and statements, or alerts associated with online ordering and billing.

This aligns with the trend of attackers improving their understanding of business context. If they know employees frequently send documents, they know a malicious spreadsheet or Word file won't seem out of place.

The fact that many phishing subject lines are short – only one or two words – is indicative of attackers' understanding that modern business communication is relatively informal. People in a business context do things in a hurry. It doesn't have to be specific.