Top Phishing Email Scam Subject Keywords



Written by: Jay H.

Phishing is the top cybersecurity threat facing individuals and organizations alike. Last year, forty-three percent of data breaches involved phishing, demonstrating just how widespread the issue is. A recent report from Expel analyzes phishing emails and uncovers the most common tactics scammers use to trick victims successfully.

After analyzing ten thousand malicious emails, Expel determined the top phishing keywords scammers use in email subject lines. These keywords aim to make recipients interact with the email contents by targeting one or more of the following themes:

  • Falsifying legitimate business activities
  • Creating a sense of urgency
  • Encouraging the recipient to act quickly

Bad actors used these recipes to craft largely successful phishing campaigns. By being aware of phishing tactics, you can create an educational phishing awareness program to inform your employees and reduce risk in your organization.

Top Phishing Keywords


“Invoice” was the most prominent keyword because it blends in with legitimate business emails. “Most people are also inclined to respond promptly to communications from coworkers, vendors, or clients if they believe action is required, like returning an invoice,” said Expel.

Real subject lines:

  • Missing Inv ####; From [Legitimate Business Name]
  • INV####


“New” is another keyword phishers use to raise the recipient’s interest. Most users don’t want to miss anything important in their inbox, and “new” makes the message stand out.

Real subject lines:

  • New Message from ####
  • New Scanned Fax Doc-Delivery for ####
  • New Fax Transmission from ####


New messages from coworkers, vendors, or clients call for a prompt reply, so most recipients are inclined to act quickly.

Real subject lines:

  • Message From ####
  • You have a New Message
  • Telephone Message for ####


Attackers favour keywords that create a sense of urgency and push people to click without thinking.

Real subject lines:

  • Verification Required!
  • Action Required: Expiration Notice on [business email address]
  • [Action Required] Password Expire
  • Attention Required. Support ID: ####

<Blank Subject>

Blank subject lines generally evade automated security processes since there is no content to scan.


“File” is yet another generic business term that helps phishing messages blend in.

Real subject lines:

  • You have a Google Drive File Shared
  • [Name] sent you some files
  • File- ####
  • [Business Name] Sales Project Files and Request for Quote


“Request” prompts a sense of urgency for the recipient to take action. Usually, these requests include accessing a link, downloading a file, or providing sensitive information.

Real subject lines:

  • [Business Name] – W-9 Form Request
  • Your Service Request ####
  • Request Notification: ####


“Action” urges the recipient to respond immediately without thinking, rather than leaving the email for later.

Real subject lines:

  • Action Required: Expiration Notice on [business email address]
  • Action Required: [Date]
  • Action Required: Review Message sent on [Date]
  • [Action Required] Password Expire


“Document” is used regularly in business communication and helps the phishing email blend in. Once again, sharing a document prompts employees to respond quickly.

Real subject lines:

  • File Document ####
  • [Name], You have received a new document in [Company system]
  • Attn: [Name] – You have an important [Business name] designated Document
  • Document For [business email address]
  • View Attached Documents
  • [Name] shared a document with you


“Verification” is another action word that urges the recipient to respond quickly. Usually, the user is prompted to access a link, download a file, or provide sensitive information.

Real subject lines:

  • Verification Required!


Many organizations rely on eFax, so “eFax” can be an effective keyword to tempt users into clicking the link or downloading the file.

Real subject lines:

  • eFax from ID: ####
  • eFax® message from “[phone number]” – 2 page(s), Caller-ID: +[phone number]


Most employees want to respond promptly and may be tempted to listen to new messages quickly.

Real subject lines:

  • VM from [phone number] to Ext. ### on Tuesday, May 4, 2021
  • VM From ****#### Received – for <[user name]> July 26, 2021
  • ‘”””1 VMAIL RECEIVED on Monday, June 21, 2021 3:02:55 PM””

Steps To Take

It takes only one employee falling for a phishing email scam to jeopardize your organization. As you can tell, the stakes are high. Luckily, there are steps you can take to reduce your risk.
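One such step is a subject-line triage check built from the keywords above. The Python below is an added example, not code from the original article or from Expel. The keyword set is transcribed from the quoted subject lines, and the function names and sample messages are constructed for illustration. Because these words also appear in legitimate business mail, a hit is a signal to combine with other indicators, not a verdict.

```python
import re
from email import message_from_string
from email.errors import HeaderParseError
from email.header import Header, decode_header, make_header

# Keywords transcribed from the subject lines quoted in the article
# ("inv", "vm" and "vmail" are the abbreviations those lines use).
KEYWORDS = {"invoice", "inv", "new", "message", "required", "file", "request",
            "action", "document", "verification", "efax", "vm", "vmail"}

def decoded_subject(raw_message: str) -> str:
    """Return the Subject with RFC 2047 encoded-words decoded, or ""."""
    raw = message_from_string(raw_message).get("Subject")
    if not raw:
        return ""
    try:
        return str(make_header(decode_header(raw))).strip()
    except (HeaderParseError, LookupError, UnicodeError):
        return raw.strip()  # undecodable: match on the raw text instead

def subject_signals(raw_message: str) -> list[str]:
    """List the article's keywords found in the subject; blank is a signal."""
    subject = decoded_subject(raw_message)
    if not subject:
        return ["<blank>"]  # nothing to scan, so flag the absence itself
    tokens = set(re.findall(r"[a-z]+", subject.lower()))
    tokens |= {t[:-1] for t in tokens if t.endswith("s")}  # crude plural fold
    return sorted(KEYWORDS & tokens)

# Constructed sample messages (not real mail).
SAMPLES = {
    "plain": "From: a@example.com\nSubject: [Action Required] Password Expire\n\nbody",
    "encoded": "From: a@example.com\nSubject: "
               + Header("Verification Required!", "utf-8").encode() + "\n\nbody",
    "no_subject": "From: a@example.com\n\nbody",
    "benign": "From: a@example.com\nSubject: Lunch on Thursday?\n\nbody",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} {decoded_subject(raw)!r:40} {subject_signals(raw)}")
```

The "encoded" sample shows why the header is decoded first: matching on the raw `=?utf-8?b?...?=` form would miss both keywords.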

To learn more about how we can protect your business from the devastation of cyberattacks, contact us today.
