What are the most attractive phishing lures? Security, package delivery, password expiration/change and company-related notifications, according to simulated test findings from Tampa Bay, Fla. cybersecurity firm KnowBe4.


KnowBe4 examined tens of thousands of email subject lines from simulated phishing tests over the third quarter of 2017 to uncover just what makes a user want to click. A number of financial institutions were among those tested.


The top 10 list represents a mix of personal and company notifications, and shows that email continues to be an effective way to phish users:

1. Official Data Breach Notification: 14%

2. UPS Label Delivery 1ZBE312TNY00015011: 12%

3. IT Reminder: Your Password Expires in Less Than 24 Hours: 12%

4. Change of Password Required Immediately: 10%

5. Please Read Important from Human Resources: 10%

6. All Employees: Update your Healthcare Info: 10%

7. Revised Vacation & Sick Time Policy: 8%

8. Quick company survey: 8%

9. A Delivery Attempt was made: 8%

10. Email Account Updates: 8%

Mike Rogers, the former chairman of the House Intelligence Committee, spoke last week at the U.S. Chamber of Commerce's cybersecurity summit about phishing attacks as the next big attack vector, and their increased potential to dramatically impact an organization's economic loss and liability. He noted that cybercriminals, particularly those with nation-state backing, have created such sophisticated email phishing attacks that it is nearly impossible to defend against malware infections.


Rogers also cited the availability of personal information on social media sites as driving advanced social engineering by cybercriminals, who use the information to create highly personalized phishing schemes. Rogers said sophisticated phishing emails are responsible for more than 90% of successful cyberattacks.


In addition to the top 10 most-clicked general email subject lines, KnowBe4 also evaluated the top 10 global social networking subject lines for Q3 2017. These subject lines represent simulated phishing tests that KnowBe4 clients sent to a user's inbox as if they were coming from a social media site and reflecting some sort of account activity. Following in the footsteps of Q2, four of the top 10 spots again went to LinkedIn, which users often have tied to their work email addresses. This, too, plays into the human psyche: people want to connect and manage their reputation on their social networking sites, so they often open and interact with emails from the sites. LinkedIn poses an interesting dilemma for organizations and their employees, as it is important for both to have an updated and active presence on LinkedIn, yet the platform is obviously highly targeted by cybercriminals for social engineering and phishing activities.


“By playing into the human psyche, hackers will successfully continue to infiltrate an organization through a phishing email. The level of sophistication hackers are now using makes it nearly impossible for a piece of technology to keep an organization protected against social engineering threats,” Perry Carpenter, chief evangelist and strategy officer at KnowBe4, said. “Phishing attacks are smart, personalized and timed to match topical news cycles. Businesses have a responsibility to their employees, their shareholders and their clients to prevent phishing schemes. KnowBe4 has a proven track record of helping them do just that.”
