HR-related phishing emails more likely to be clicked, report finds

Employers told to prioritise security awareness amid increased cyber threats

Employees are more likely to become victims of HR-related phishing emails, a new report has found, underscoring how business-related fraud is gaining momentum.

KnowBe4's latest report, which draws on the company's phishing tests, found that employees are most likely to click on phishing emails with the following subjects:

  • Google: You were mentioned in a document: "Strategic Plan Draft" (17%)
  • HR: Important: Dress Code Changes (15%)
  • HR: Vacation Policy Update (14%)
  • Adobe Sign: Your Performance Review (11%)
  • Password Check Required Immediately (11%)
  • Acknowledge Your Appraisal (7%)
  • IT: Internet Report (7%)
  • Main points from today's meeting (6%)
  • USAA: Account Suspension (6%)

"These attacks are effective because they could potentially affect users' daily work and cause a person to react before thinking logically about the legitimacy of the email," read the report.

The report further shows a shift in phishing emails from personal to business matters, as personal subjects related to social media fell off the list. The report also found that the top five attack vector types are:

  1. Link - Phishing hyperlink in the email
  2. Spoofs Domain - Appears to come from the user's domain
  3. PDF Attachment - Email contains a PDF attachment
  4. Branded - Phishing test link has user's organisational logo and name
  5. Credentials Landing Page - Phishing link directs user to data entry or login landing page

The report comes amid the heightened threat of cyberattacks as more businesses go “virtual”. Previously, employers were warned against online payroll-related frauds and COVID-related scams. Stu Sjouwerman, CEO of KnowBe4, said it’s essential that employers train their employees on cybersecurity as threats become more sophisticated.

"As phishing emails evolve and become more sophisticated, it is imperative that organisations prioritise security awareness training for all employees, now more than ever," said Sjouwerman. "New-school security awareness training for employees helps combat phishing and malicious emails by educating users on what to look out for - it is the key to creating a healthy level of scepticism to better protect an organisation and build a stronger security culture."