HR & IT emails top phishing attacks, KnowBe4 report reveals

A report released by cybersecurity firm KnowBe4 has revealed that human resources (HR) and information technology (IT) related emails top the list of phishing email subjects, contributing 42% and 30%, respectively, to phishing scams. The Q1 2024 phishing test report highlights the sustained prominence of these categories in deceiving employees.

Phishing emails remain one of the most frequent techniques employed by cybercriminals to infiltrate organisations globally. According to KnowBe4’s 2023 Phishing by Industry Benchmarking Report, nearly one-third of users are prone to clicking on malicious links or responding to fraudulent requests. With advancements in artificial intelligence and other innovative tools, cybercriminals have developed increasingly sophisticated phishing messages designed to outsmart users. These malicious actors craft phishing strategies that appear legitimate, tricking employees into reacting emotionally and with urgency, often leading them to click on harmful links or download infected attachments.

The report underscores that HR-related phishing attacks, which focus on topics such as dress code changes, tax and healthcare updates, and training notifications, comprise the highest proportion at 42%. This trend has been consistent for the last three quarters. These emails are particularly effective due to their potential impact on an employee’s work life and their ability to evoke immediate responses, often leaving recipients to act before verifying the email's validity.

Closely following are IT-related phishing emails, representing 30% of top phishing email subjects. These emails often appear to come from internal departments like IT, making them especially convincing. Messages that seem to originate from within the organisation, such as those requesting system updates or password changes, can prompt employees to act swiftly without proper scrutiny, thereby exposing their companies to security risks.

Additionally, the report noted an increase in personalised phishing attacks, including those related to tax, healthcare, and ApplePay, which target users' sensitive information. These tactics are successful because they raise alarms over personal information, prompting recipients to engage as a means of protecting their private data without considering the email's authenticity.

Stu Sjouwerman, CEO of KnowBe4, explained, "Cybercriminals are becoming increasingly tactical in exploiting employee trust by using HR-related phishing emails due to their seemingly legitimate source. Emails from an internal department like HR or IT are particularly harmful as they appear to come from a trusted source, prompting employees to act quickly before confirming legitimacy, thus exposing the company to security vulnerabilities."

Sjouwerman emphasised the importance of a well-trained workforce in fostering a strong security culture. He stated that a knowledgeable workforce is the best defence against preventable cyberattacks, enhancing an organisation's overall cybersecurity posture.