Humans are the weakest link in an organisation’s cyber security programme. They are also the last line of defence.

Knowing what kind of phishing email subject lines they will click should be useful for companies, as well as for criminals.

KnowBe4, the provider of a security awareness training programme which it claims is used by 13,000 organisations worldwide, this week shared its Top 10 Global Phishing Email Subject Lines for Q3 2017.

The results this quarter were a mix of personal and company notifications, showing email continues to be an effective way to phish users. The company examined tens of thousands of email subject lines from simulated phishing tests to uncover just what makes a user want to click.

The subject lines were a combination of simulated phishing templates created by KnowBe4 for clients and custom tests designed by KnowBe4 customers. The Top 10 for inducing Pavlovian responses in the third quarter were:

1. Official Data Breach Notification – 14%
2. UPS Label Delivery 1ZBE312TNY00015011 –12%
3. IT Reminder: Your Password Expires in Less Than 24 Hours – 12%
4. Change of Password Required Immediately – 10%
5. Please Read Important from Human Resources – 10%
6. All Employees: Update your Healthcare Info – 10%
7. Revised Vacation & Sick Time Policy – 8%
8. Quick company survey – 8%
9. A Delivery Attempt was made – 8%
10. Email Account Updates – 8%

“Phishing attacks are responsible for more than 90 per cent of successful cyber attacks and the level of sophistication hackers are now using makes it nearly impossible for a piece of technology to keep an organisation protected against social engineering threats,” said Perry Carpenter, chief evangelist and strategy officer. “Cyber Security Awareness Month is the perfect time to remind companies of the need to educate all of their employees.”

In addition to the Top 10 most-clicked general email subject lines, KnowBe4 also evaluated the Top 10 global social networking subject lines for Q3 2017. These subject lines represent simulated phishing tests that KnowBe4 clients sent to a user’s inbox as if they were coming from a social media site and reflecting some sort of account activity.

Following in the footsteps from Q2, four of the top 10 spots again went to LinkedIn, which users often have tied to their work email addresses.

This, too, plays into the human psyche, says KnowBe4, as people want to connect and manage their reputation on their social networking sites so often open and interact with emails from the sites. “By playing into the human psyche, hackers will successfully continue to infiltrate an organisation through a phishing email,” said Perry Carpenter. “Phishing attacks are smart, personalised and timed to match topical news cycles. Businesses have a responsibility to their employees, their shareholders and their clients to prevent phishing schemes. KnowBe4 has a proven track record of helping them do just that.”

KnowBe4 encourages businesses to try out a number of free tools at to test their users and their network.