Skip to main content
2024 Annual Public Policy Forum, December 4, 2024 REGISTER

Cybercriminals targeting a business’s employees are increasingly using HR-related email topics, such as dress code or vacation schedule changes, in phishing attacks designed to dupe people into clicking on a malicious link or attachment.

KnowBe4, a firm that provides security awareness and a simulated phishing platform, recently reported that 50% of the email subjects clicked in its 2023 Q2 phishing tests had HR-related messages. People were duped with email subject lines about employee rewards programs, dress code updates, holiday or vacation schedule changes, surveys, performance reviews, and tax-related documents purportedly sent by their HR department.

“The threat of phishing emails remains as high as ever as cybercriminals continuously tweak their messages to be more sophisticated and seemingly credible,” said Stu Sjouwerman, CEO, KnowBe4. “The trend of phishing emails revealed in the Q2 phishing report is especially concerning, as 50% of these emails appear to come from HR – a trusted and crucial department of so many, if not all organizations.”

Malicious emails disguised as HR messages take advantage of an employee’s trust. Hackers use subject lines designed to make workers react quickly before thinking logically about the legitimacy of the email.

These topics prey on emotions by causing stress, confusion, panic or even excitement, to entice an employee to click on a malicious link or attachment that will download malware onto the business’s computer system, infecting data files and potentially leading to heavy financial losses.

Other popular “bait” subjects used in Q2 were holiday-related phishing email subjects, ostensibly coming from the company’s HR department, referring to Juneteenth or the Fourth of July holiday celebrations or holiday schedule changes. Tax-related subjects, such “HR” messages asking employees to click on links to update their W-4 form used for federal tax withholding, are another growing trend.

Sjouwerman said phishing emails continue to be one of the most common methods to effectively perpetuate malicious attacks on organizations around the globe. Cybercriminals are constantly refining their strategies to outsmart end users with phishing email subjects that are realistic and believable.

“An educated workforce is an organization’s best defense and is essential to fostering and maintaining a strong security culture,” Sjouwerman said.

To download a copy of the Q2 2023 KnowBe4 Phishing Report infographic, go here.