HR-related emails continue to dominate attacks


Wednesday, 25 October, 2023


KnowBe4’s Q3 2023 top-clicked phishing results are in, showing that HR business-related messages and popular seasonal messages continue to pique the interest of employees.

Phishing emails remain one of the most common and effective methods of perpetrating malicious attacks on organisations globally. KnowBe4’s 2023 Phishing by Industry Benchmarking Report revealed that nearly one in three users are likely to click on a suspicious link or comply with a fraudulent request. Because of this, cybercriminals keep innovating and refining their strategies to stay up to date with current trends, using tactics designed to grab the attention of end users and ultimately outsmart them. As a result, they change phishing email subjects to be more believable while preying on emotions, creating urgency, confusion and distress to get employees to click on a malicious phishing link or download an attachment.

The steady trend over the last two quarters of cybercriminals using email subjects that appear to come from HR includes messages related to dress code changes, training notifications, holiday updates and more. These messages are effective because they have the potential to impact an employee’s personal life and professional workday, and may cause a person to react before thinking logically about the legitimacy of the email.

Holiday and seasonal phishing email subjects were also used this quarter, with four out of the five top holiday email subjects in the Northern Hemisphere related to Halloween and autumn items that are used as bait to incentivise unsuspecting end users. Additionally, the report reflects the consistent trend of using IT and online service notifications as well as tax-related email subjects.

“The continued trend of disguising emails as coming from an internal department such as HR is especially dangerous to organisations because they appear to be coming from a trusted, reliable source,” said Stu Sjouwerman, KnowBe4 CEO.

“These malicious emails take advantage of employee trust and create vulnerabilities within an organisation that could potentially result in its downfall. KnowBe4’s phishing test reports emphasise the importance of new-school security awareness training that educates end users on the latest and most common cyber attacks and threats. An educated workforce is essential to fostering a strong security culture and is an organisation’s best defence to stay safe online.”

Image credit: iStock.com/JanWillemKunnen
