Hooked on Phishing: The 5 Most Popular Themes That Encourage Users to Click

Discover the most engaging phishing email subjects, according to Abnormal data, and how to protect your organization from these scams.
February 20, 2024

Credential phishing is the number one email attack by volume, responsible for over 70% of all advanced attacks targeting Abnormal customers. These attacks employ deceptive social engineering techniques to trick recipients into giving up their credentials to email accounts, banking accounts, social media accounts, and more. Typically, phishing emails will appear to come from legitimate sources, such as banks, government agencies, well-known brands, or even internal IT teams, tricking unsuspecting recipients into entering their usernames and passwords into phishing sites.

To illustrate how effective these attacks can be, we’ve analyzed which phishing attacks experience the highest click rate and categorized them based on the words included in the subject line. The data shown below is analyzed based on attacks that users opened during the POV process with Abnormal, when attacks were not being actively blocked by the platform.

Calculations are based on the percentage of engaged-with phishing attacks in 2023 that included the keyword(s) in the subject line. For example, of all the credential phishing attacks in which a user clicked a link in 2023, 18.4% of them included keywords in the subject line related to invoices or payments. The examples shown in each category are real attacks sent to Abnormal customers.

1. Invoice or Payment - 18.4%

Phishing emails involving invoices or payment requests are designed to trick recipients into believing that they owe or are receiving money. These emails often contain financial details, such as payment deadlines, order information, the amount due, invoice numbers, and/or payment instructions.

Common Keywords in the Subject Line: invoice, ACH, deposit, wire, loan, payoff, reimbursement, payment, wiring, finance, remittance, receipt, charge, folio, balance, statement


In this attack, the threat actor spoofs an email address on a legitimate domain and sends a message to the target, claiming that a recent invoice had not been processed. When clicked, the link directs the recipient to a fake Adobe Acrobat document with a prompt to enter their login credentials.

2. Document Sharing - 7.9%

Document sharing is another common theme scammers use to trick users into clicking. These emails often appear to be from a legitimate source, such as a colleague or a vendor, and they may contain a link to a document in Dropbox, Box, or another cloud storage service. The email may request that you share a document or folder, or it may notify you that a document has been shared with you. In some cases, the email may even ask you to sign or review a document and provide feedback.

Common Keywords in the Subject Line: document, doc, pdf, shared, file, scanned


In this phishing attack, the attacker impersonates a real estate transaction management software called Dotloop. The email targets a multinational law firm, claiming that an amendment has been made to an important document and prompts the recipient to click on a link to view this document. Upon clicking on the link, the recipient is redirected to a malicious URL where they would be asked to enter their Dotloop credentials. Upon accessing the Dotloop account, threat actors would then have details about every real estate transaction for the company.

3. New Message Notification - 5.5%

New message notifications claim that the recipient has unread messages or other notifications requiring their attention. Threat actors will typically impersonate reputable sources like email providers, social media platforms, voicemail providers, or other online services to trick unsuspecting recipients. They may even include personalized details like your name or email address to enhance their credibility.

Common Keywords in the Subject Line: message, mail, voicemail


In this attack, the threat actor impersonates an “Admin Security” account, notifying the recipient that they have a new secure message. The email also states that the message will expire in two days and encourages the recipient to click an “Open Message” link. Upon doing so, the target is redirected to a Microsoft 365 phishing page where they are asked to enter their credentials under the guise that they will be able to view the “secure message” awaiting them.

4. Action Required - 4.5%

Another common credential phishing email ploy comes in the form of an ‘action required’ notice. This could be anything from a request to change your password, confirm your email address, verify your account, or update your payment information. These emails often appear to be from a software platform, bank, or online retailer. A sense of urgency is often an indicator of malicious activity, so users should be especially wary of any email that requires immediate action.

Common Keywords in the Subject Line: action, require, request


In this credential phishing attempt, the threat actor uses a real domain from a venture capitalist firm, but the display name makes it appear that it is being sent from the security team at a treatment center. The email itself has Microsoft branding and states that multi-factor authentication (MFA) is expiring today and must be updated to continue using Microsoft 365 applications. The message includes a QR code, which leads to a fake Microsoft 365 landing page where the target will be prompted to enter their credentials.

5. Account Notice - 3.5%

Finally, malicious actors often create phishing attacks related to unexpected account notices, stating that an account has been suspended, compromised, or is in need of urgent attention. Like most phishing emails, they appear to be from a trusted contact or brand but may also include personal details like account number, partial Social Security number, or password, making them appear authentic.

Common Keywords in the Subject Line: account, iCloud, user, access


This credential phishing attack features an impersonation of an IT manager at a university, alerting the target that there was unusual activity in their campus email account. In order to avoid deactivation of the account, the user is prompted to confirm their identity by clicking on a link for what appears to be the Campus Email Support System. In actuality, the link leads to a malicious landing page where the user is at risk of compromising their confidential information.

Stay One Step Ahead of Phishing Attacks With Abnormal

With the threat landscape constantly changing, it’s important to understand how threat actors are shifting their techniques to trick their targets into clicking credential phishing links. However, by understanding the most popular themes and being aware of how threat actors inspire fear and urgency, we can all better protect ourselves (and our organizations) from these credential phishing attacks.

That said, the best defense is simply preventing these attacks from reaching the inbox at all by harnessing the power of defensive AI to prevent even the most sophisticated attacks. Abnormal’s advanced AI models establish a baseline of typical user behavior and analyze text patterns, tone, and content to detect suspicious activity and prevent these credential phishing attacks from reaching end users.

Interested in learning more about how Abnormal can protect your organization from phishing attacks? Schedule a demo today.

Schedule a Demo
Hooked on Phishing: The 5 Most Popular Themes That Encourage Users to Click

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B 07 22 24 MKT624 Images for Paris Olympics Blog
Threat actors are targeting French businesses ahead of the Paris 2024 Olympics. Learn how they're capitalizing on the event and how to protect your organization.
Read More
B Cross Platform ATO
Cross-platform account takeover is an attack where one compromised account is used to access other accounts. Learn about four real-world examples: compromised email passwords, hijacked GitHub accounts, stolen AWS credentials, and leaked Slack logins.
Read More
B Why MFA Alone Will No Longer Suffice
Explore why account takeover attacks pose a major threat to enterprises and why multi-factor authentication (MFA) alone isn't enough to prevent them.
Read More
Learn how Abnormal uses natural language processing or NLP to protect organizations from phishing, account takeovers, and more.
Read More
B DK Compromise 7 11 24
Discover the top five ways hackers compromise accounts, from exploiting leaked API credentials to SIM swapping partnerships, and more. Learn how these techniques enable account takeover (ATO) and pose risks to enterprises.
Read More
B Sans Recap 7 11 24
Discover trends among modern SOC teams, including misaligned budgets, increased automation, unsatisfactory AI tools, staffing issues, and more.
Read More