Top 11 phishing keywords to avoid getting hacked

In your message, try to reference a familiar business activity. Also, provide the target victim with a clear instruction, while weaving in a sense of urgency. And there you have it: the ingredients for a convincing phishing attempt.

A US threat detection specialist has just published a roundup of the most commonly-used keywords in phishing email subject lines. The research highlights just how easy it is for busy workers to swallow the scammer’s bait…

The elements of a convincing phishing message

The purpose of any phishing attack is to trick the victim into doing what the scammer wants. This usually means either clicking a link to launch malicious script, or else getting them to reveal sensitive information.

Any cyber pro worth their salt should be able to spot a phishing email. And if you work for a cyber team within an organization, part of your job will involve making sure other employees know how to spot a suspicious message.

So in theory, employees will stick to the company’s strict protocols for things like payment authorization and information disclosure. They’ll cross check the sender’s domain. They’ll look at things like formatting, spelling and grammar. They’ll also be very wary of unusual links and forms.

In real life, things are different. Those employees might have a hundred messages to get through before lunch, so they’re not going to forensically examine each one. Hackers know this. They also know that if they focus on certain elements in their scam attempt, it increases the chances of the message slipping through the net.

These elements are as follows:

Imitate a legitimate business activity. This includes things like bill payments, contract renewals and transaction queries.

Create a sense of urgency. Give the suggestion that things will go wrong if the matter is not dealt with.

Call to action. Imply that if the target completes this simple step, it means one less item on their to-do list. The victim thinks that by following the instruction in the message, it will result in an easy win.

The top phishing trigger words

Expel, a US threat detection company, analyzed 10,000 malicious emails investigated by the company’s security operations center in July 2021. The aim was to isolate the most frequently used keywords used by phishing scammers in their email subject lines.

Here are some of the most popular trigger words:



  • Missing Inv [Number]; From [Business Name]
  • INV[Number]



  • New Message from [Name]
  • New Scanned Fax Doc-Delivery for [Name]
  • New FaxTransmission from [Name]



  • Message from [Name]
  • You have a New Message
  • Telephone Message for [Name]



  • Verification Required
  • Action REquired: Expiration Notice on [business email address]
  • Action Required: Password Expiry
  • Attemtion REquired. Support ID: [Number]



  • You have a Google Drive File Shared
  • [Name] sent your some files
  • File [Number]
  • [Business Name] Sales Project Files and Request for Quote



  • [Business Name] - W-9 Form Request
  • Your Service Request [Number]
  • Request Notification [Number]



  • Action Required: Expiration Notice on [business email address]
  • Action Required [Date]
  • [Action Required] Password Expire



  • File Document [Number]
  • [Name], You have received a new document in [Company System]
  • Attn: [Name] - You have an important [Business Name] designated document
  • Document for [business email address]
  • View Attached Documents
  • [Name] shared a document with you



  • Verification Required!



  • eFax from ID [Number]
  • eFax message from [phone number] - 2 page(s), Caller-ID: +[phone number]



  • VM from [phone number] to Ext [Number] on [Date]
  • VM from [Numer] Received - for [user name] [Date]

Social engineering/phishing penetration testing

Pen testers are often tasked with designing a simulated phishing campaign. The idea is to test the susceptibility of employees to attacks. It gives the organization an overview of how vulnerable it is to threats. Afterwards, you can use the results to flag up the areas that need work, and as an educational aid to teach employees about ways to recognize attacks. This type of pen testing can also provide useful information for optimizing your spam filters and other perimeter defenses.

The key to a successful pen test phishing campaign is to make it look convincing. Focus on the activities employees are involved in day-to-day (e.g. if the company doesn’t usually deal with eFax or voicemails, avoid them in your content). Consider inserting references to real-life people and companies they do business with. For the email subject lines, the above list of examples should hopefully give you some inspiration.

More resources…

For an exploration of how hackers perform phishing scams and why they are often so effective, check out our explainer video.  Want to learn more about ethical social engineering? Check out this course.

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Nathan House

    Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.

  • Mike Turner says:

    Thank You for sharing this amazing blog. I really appreciate you for this.

  • Pranab Nath says:

    Thank you for the post. After reading it, I do see a lot of phishing emails in my inbox. I have to be more careful before opening them.

  • Chirag Patel says:

    This is a must share post specially with my co-workers as one of them recently fell for it. He refused to pay the hackers and he had to loose all his data.

  • Leopold says:

    The number and sophistication and even non-sophistication of these attacks has exploded. I had to find a better spam solution for our company to protect everyone. Some of the bait is soooooo tempting.

    “You are out of e-mail storage. Click here to increase your storage.”

    “[Actual supervisor’s name from company] was discussing [Actual employee’s name] salary. Find out what was said.”

    “[Actual employee’s name], please review and sign your performance appraisal before this Friday”

    Even in cases where you know it is 99% likely a scam, some of this bait is just soooooo tempting. Relying on the human factor is tough. So whatever we could do to reduce the temptation was well worth it.

  • Luis says:

    Being uneducated on this subject and giving in to the impulse of curiosity, has left me a victim to the circumstance created by the BlackHat Hacker.

  • CloudStakes Technology says:

    Nice blog and helpful informations

  • >