A terse message from your boss? Notice of an important meeting rescheduled? Find out more from one study on the subject.

Phishing activity in Q4 2020 was plagued with work-related email subject in the email headers, such as corporate policy changes, to bait remote-working personnel.

Social media messages were another area of concern, holding the number one spot at 47% on a phishing report by KnowBe4, which had examined tens of thousands of email subject lines from simulated phishing tests. Also studied were ‘in-the-wild’ email subject lines in actual emails users received and reported as suspicious.

Check out the related infographics:


The security awareness training firm’s CEO Stu Sjouwerman noted: “It’s no surprise that phishing attacks related to working from home are increasing, given that many countries around the world have (migrated to WFH) for nearly a year now. Just because employees may be more used to their home office environment doesn’t mean that they can let their guard down. The bad guys deploy manipulative attacks intended to strike certain emotions to cause end users to skip critical thinking and go straight for that detrimental click.”

Top 10 phishing header topics

Whether we read an email or not depends on the urgency and relevance level solicited by the header/title. The following have been the most effective:

  • Password Check Required Immediately  
  • Touch base on meeting next week 
  • Vacation Policy Update 
  • COVID-19 Remote Work Policy Update 
  • Important: Dress Code Changes  
  • Scheduled Server Maintenance — No Internet Access 
  • De-activation of [[email]] in process 
  • Please review the leave law requirements  
  • You have been added to a team in Microsoft Teams  
  • Company Policy Notification: COVID-19 – Test & Trace Guidelines  

When investigating ‘in-the-wild’ email subject lines, KnowBe4’s data showed the most common throughout Q4 2020 include: 

  • IT: Annual Asset Inventory  
  • Changes to your health benefits  
  • Twitter: Security alert: new or unusual Twitter login  
  • Amazon: Action Required | Your Amazon Prime Membership has been declined 
  • Zoom: Scheduled Meeting Error  
  • Google Pay: Payment sent  
  • Stimulus Cancellation Request Approved  
  • Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription  
  • RingCentral is coming! 
  • Workday: Reminder: Important Security Upgrade Required  

Note that email subject headers are a combination of both simulated phishing templates created by KnowBe4 for clients, and custom tests designed by KnowBe4 customers. 

‘In-the-wild’ email subject lines represent actual emails users received and reported to their IT departments as suspicious. They were not simulated phishing test emails.