About 50% of the email subjects clicked in phishing tests use HR-related messaging, according to a July 25 report from KnowBe4, a provider of security awareness training and a simulated phishing platform.
In the company’s Q2 top-clicked phishing report, nearly 1 in 3 users were likely to click on a suspicious link or comply with a fraudulent request. The most popular emails with HR-related subject lines focused on dress code changes, training notifications, W4 updates, performance reviews and vacation policy updates.
“The threat of phishing emails remains as high as ever as cybercriminals continuously tweak their messages to be more sophisticated and seemingly credible,” Stu Sjouwerman, CEO of KnowBe4, said in a statement.
“The trend of phishing emails revealed in the Q2 phishing report is especially concerning, as 50% of these emails appear to come from HR — a trusted and crucial department of so many, if not all organizations,” he said. “These disguised emails take advantage of employee trust and typically incite action that can result in disastrous outcomes for the entire organization.”
HR-related subjects may be particularly effective in phishing scenarios because they may cause employees to react before thinking about the legitimacy of the email, according to the report.
Holiday email subjects were particularly clickable this quarter, with 4 out of 5 top holiday emails appearing to come from HR. The subjects used bait that referred to holiday celebrations, schedule changes and incentives linked to national holidays such as Juneteenth and the Fourth of July.
“New-school security awareness training for employees is crucial to help combat phishing and malicious emails by educating users on the most common cyber attacks and threats,” Sjouwerman said.
Unfortunately, workers are increasingly likely to fall for advanced phishing attacks, according to a recent report. More people are falling for attacks that impersonate a senior executive, especially at workplaces with remote and flexible schedules that may rely on virtual communication.
HR data is also a growing target for cyberattacks, prompting HR leaders to take on more cybersecurity responsibility. Even if data appears to be stored and encrypted in a third-party application, employees may export the data to run reports and then share them over email or messaging apps.
In recent years, talent acquisition leaders also have seen cybersecurity threats in the form of fake job applicants who may steal sensitive client information. An FBI agent previously told HR Dive that HR pros should watch for oddities during video interviews, check documents carefully and, if possible, conduct at least one interview in person.