Top keywords used in subject lines for phishing emails: Expel

In recent months, cyber-criminal groups have brought the US IT infrastructure to a halt. Phishing is one of the most utilized tools by hacking groups and continues to be at the top of the most seen attack methods. Last week, Expel published a report, bringing attention to some of the top phishing keywords used in malicious emails. According to the findings, organizations and companies must prioritize preventing Business Email Compromise (BEC) and credential harvesting through phishing.

Top phishing keywords

The findings were the result of over 10,000 malicious emails which contained some of the most used keywords in the email’s subject lines. According to the Expel report, these keywords engage the recipient by targeting several themes, such as spoofing legitimate business activities, encouraging the victim to act, and by creating a sense of urgency. Almost all attacks are made to deceive victims into divulging their credentials, so they make the malicious email appear legitimate. Successful attacks usually involve creating simple actions and by capitalizing on emotions like urgency, loss, or fear. The actions tend to be simple like open this file or go to this website, they utilize quick actions to avoid the victims questioning whether the email is genuine.


To spoof recognized business invoices, the top three email subject lines include “RE: INVOICE”, “Missing Inv####; from (legitimate business name) and “INV####”. They utilize these generic business terms to avoid suspicion by blending in with genuine work-related emails. This takes advantage of most employees which are likely to respond quickly to emails from clients, colleagues, or vendors.

According to Expel’s findings, genuine communications and alerts generally use the term “New” in the subject line to create interest among recipients. Taking advantage of this, hacker groups are using this term to increase the likelihood of a potential victim responding to the email. Some top subject line keywords used are “New Message from ####”, “New Scanned Fax Doc-Delivery for ####” and New FaxTransmission from ####”.


Subject lines utilizing the term “message” are also gaining traction among hackers, according to Expel reports. It is common for people to use their work account to respond swiftly to their co-workers, clients, or vendors, therefore they are more likely to respond or act to messages quickly. The top phishing email subject line includes, “Message from ####”, “You have a New Message” and “Telephone Message for ####”.


Hacking groups are using phrases focused on verification and expiration notices for emails. Keywords that prompt a sense of urgency or action are most used by hackers, as they encourage people into clicking without giving much thought. Some subject lines include, “Verification Required!”, Action Required: Expiration Notice on (business email address), “[Action Required] Password Expire” and “Attention Required. Support ID: ####”. The keyword “Required” also prompts the employees’ sense of responsibility to encourage them to act quickly.

Some other phishing keywords also include blank subject, file, request, action, document, eFax, Verification and VM, among others.

A phishing attack can lead to several problems for a business. Enabling multi-factor authentication (MFA) is one way to alleviate credential harvesting through phishing. Organizations can also prevent phishing campaigns by developing comprehensive phishing education programs. This way, they can stay up to date with the latest phishing trends to educate employees and update their policies.

For more news and updates, visit

You can also reach out to us on Facebook, & LinkedIn or Contact us directly



Comments are closed
Our team knows the importance of the work we do for our clients. We know that our efforts have a direct impact on your productivity, profitability and success, so we take our tasks seriously! We look forward to providing your company with strong
ROI and value.