KnowBe4 Phishing Report: Fake HR Emails Tricking Employees

KnowBe4‘s latest quarterly phishing report shows cybercriminals heavily using human resources (HR) business-related messages that pique interest from employees and can potentially affect them.

Phishing emails continue to be one of the most common methods to effectively perpetuate malicious attacks on organizations globally, according to the KnowBe4 second-quarter 2023 report. Cybercriminals are constantly refining their strategies to stay up to date with market trends, and outsmart end users and organizations by creating phishing email subjects that are realistic and believable.

One-half (50%) of phishing emails appear to come from HR, a trusted and crucial department of many, if not all organizations, according to the report.

KnowBe4’s Stu Sjouwerman

“These disguised emails take advantage of employee trust and typically incite action that can result in disastrous outcomes for the entire organization,” said Stu Sjouwerman, KnowBe4‘s CEO.

Cybercriminals prey on emotions and aim to cause distress, confusion, panic or even excitement in order to entice someone to click on a phishing link or malicious attachment. KnowBe4’s 2023 Phishing by Industry Benchmarking Report revealed nearly one in three users is likely to click on a suspicious link or comply with a fraudulent request.

Surprising Findings of Phishing Report

KnowBe4’s James McQuiggan

“Interestingly, there is a high click rate with HR-style emails as users tend to respond quickly to emails from HR related to compensation, benefits, and sometimes a sense of urgency,” said James McQuiggan, security awareness advocate at KnowBe4. “Anything to do with money or urgency are typical lures cybercriminals leverage to get users to click links or open attachments.”

Cybercriminals use email subjects coming from HR related to dress code changes, training notifications, vacation updates and more, the phishing report revealed. These are effective because they may cause a person to react before thinking logically about the legitimacy of the email and have the potential to impact an employee’s personal life and professional workday.

Holiday phishing email subjects were also used last quarter, with four out of the five top holiday email subjects appearing to have come from HR. Incentives referring to national holidays such as Juneteenth and the Fourth of July, holiday celebrations and schedule changes, were used as bait for unsuspecting end users. Additionally, the report reflects the consistent trend of using IT and online service notifications, as well as tax-related email subjects.

“Cybercriminals constantly evolve their tactics as they do one attack style and users adapt,” McQuiggan said. “They must shift to find another way to convince someone to click a link.”

One encouraging finding from the phishing report is the high rate of HR phishing means organizations have opportunities to educate more and train employees, he said.

“Falling for simulated phishes allows security teams to reinforce policies and recognize vulnerable topics to make real criminal phishing less successful in the future,” McQuiggan said.