Beware – that email from HR could be a phishing scam

A growing number of successful phishing attacks are using fake emails related to human resources (HR) accounts, new research has found.

In its Q2 2023 most-clicked phishing report, KnowBe4 said the most clicked emails had subject lines related to human resources issues in an organization, such as dress code changes, training notifications, holiday updates and more.

In fact, holiday updates are the hottest topic these days, which makes sense considering we’re at the height of the summer vacation season. Overall, vacation-related emails accounted for 19% of all successful phishing emails, followed by dress code changes (11%) and the W4 form (11%).

Abusing employee trust

“The trend in phishing emails revealed in the second quarter phishing report is particularly concerning as 50% of these emails appear to come from HR – a trusted and crucial department of so many, if not all, organizations,” says Stu Sjouwerman, CEO of KnowBe4.

“These disguised emails abuse employee trust and typically prompt action that can have catastrophic consequences for the entire organization. New-school security awareness training for employees is crucial to help combat phishing and malicious emails by educating users about the most common cyber-attacks and threats. A well-trained workforce is an organization’s best defense and essential to fostering and maintaining a strong security culture.”

Phishing remains the most successful attack vector out there. Threat actors carefully craft these emails, assuming the identities of trusted individuals and entities and mimicking their style and tone of voice almost flawlessly.

The common denominator in these emails is that there is always a sense of urgency to make the scam work – the victims shouldn’t have time to think about it.

Ultimately, phishing emails are easy to spot with a little common sense. Do they come from the domain of the entity claiming to be the sender? Are there typos and other errors? Are the senders asking for things that don’t really make sense? Is the offer in the message too good to be true? These are all red flags that victims can use to determine if they are being targeted.
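The sender-domain and urgency checks above, combined with the HR subject themes from the report, can be written as a mail-triage heuristic. This is an added example, not code from KnowBe4 or from this article; the domain example.com, the flag names and the sample messages are constructed, and it assumes the receiving mail gateway stamps an Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organization's own mail domain
# Subject themes named in the report: dress code, training, holiday/vacation, W4.
HR_THEMES = re.compile(r"dress code|training|holiday|vacation|w-?4", re.I)
HR_NAME = re.compile(r"\b(hr|human resources)\b", re.I)
URGENCY = re.compile(r"urgent|immediately|action required|final notice", re.I)
DMARC_PASS = re.compile(r"\bdmarc=pass\b", re.I)

def red_flags(raw: str) -> list[str]:
    """Return the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    # Exact match or true subdomain only: "example.com.hr-portal.test" is external.
    internal = domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)
    claims_hr = bool(HR_NAME.search(display) or HR_THEMES.search(subject))
    flags = []
    if claims_hr and not internal:
        flags.append("hr-claim-from-external-domain")
    # A From header is trivially forged; trust the org domain only if DMARC passed.
    if internal and not DMARC_PASS.search(msg.get("Authentication-Results", "")):
        flags.append("org-domain-unauthenticated")
    if URGENCY.search(subject):
        flags.append("urgent-subject")
    return flags

# Constructed sample messages (not taken from the report).
LEGIT = ('From: "HR Team" <hr@example.com>\n'
         "Authentication-Results: mx.example.com; dmarc=pass header.from=example.com\n"
         "Subject: Updated holiday schedule\n\nSee the intranet.\n")
LOOKALIKE = ('From: "Human Resources" <hr@example.com.hr-portal.test>\n'
             "Subject: Action required: dress code changes\n\nReview now.\n")
SPOOFED = ('From: "HR Team" <hr@example.com>\n'
           "Authentication-Results: mx.example.com; dmarc=fail header.from=example.com\n"
           "Subject: W-4 form update\n\nOpen the attachment.\n")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)):
        print(name, red_flags(raw))
```

A heuristic like this only prioritizes messages for review; the remaining checks in the list (typos, requests that make no sense, offers too good to be true) still need a human reader.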
