HR-disguised phishing emails duping staff worldwide: report

'These emails take advantage of employee trust and typically incite action that can result in disastrous outcomes'


Phishing attacks disguised as emails from the HR department are continuing to bait employees across the world, a survey finds. Half (50%) of the top phishing email subjects globally pretend to come from an organisation's HR department, according to KnowBe4's 2023 Phishing by Industry Benchmarking Report.

KnowBe4 CEO Stu Sjouwerman said the trend of phishing emails that appear to come from HR is "especially concerning."

"These disguised emails take advantage of employee trust and typically incite action that can result in disastrous outcomes for the entire organisation."

Most popular phishing emails from ‘HR’

The full list includes:

  • “Possible typo” (15%)
  • “HR: Important: Dress Code Changes” (11%)
  • “HR: Please update W4 for file” (11%)
  • “Adobe Sign: Your Performance Review” (10%)
  • “HR: Vacation Leave Notice: Plan Your Time Off Now!” (10%)
  • “HR: Vacation Policy Update” (9%)
  • “HR: Your training is past due” (9%)
  • “Google: You were mentioned in a document: ‘Strategic Plan Draft’” (9%)
  • “You have a new voicemail” (8%)
  • “Bad customer review received - Please take action ASAP” (8%)

The list is more diverse than the phishing email subjects from KnowBe4's report last year. This time, malicious emails also appear to come from IT and managers, and are even disguised as tax-related emails.

"These attacks are effective because they could potentially affect users' daily work, and cause a person to react before thinking logically about the legitimacy of the email," KnowBe4 said in an infographic.

There are also phishing emails disguised as holiday, event, and survey messages from the HR department, according to the report. They include:

  • “HR: Change in Holiday Schedule”
  • “HR: Happy 4th of July Message”
  • “HR: Juneteenth Survey”
  • “HR/July 4th: RSVP for Company BBQ”
  • “Juneteenth Celebration Sign-up”

Fighting phishing emails and cyberattacks

Various organisations across the world are reporting that they are being targeted by cyberattacks, and some executives are growing concerned that their company could be next.

In a survey from EisnerAmper, 71% of business leaders believe that their next cybersecurity breach will be because of an internal staff error.

KnowBe4's report confirmed this fear is plausible, as it found that 33.2% of untrained employees will likely click a phishing email.

Educating employees on the most common cyberattacks and threats will be crucial in fighting phishing and malicious emails, according to Sjouwerman.

"An educated workforce is an organisation's best defence and is essential to fostering and maintaining a strong security culture," he said.