Beware - that email from HR could well be a phishing scam

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
(Image credit: weerapatkiatdumrong / Getty Images)

A growing number of successful phishing attacks are using fake emails related to human resources (HR) accounts, new research has revealed.

In its Q2 2023 top-clicked phishing report, KnowBe4 said that the most-clicked emails had subject lines related to human resources in an organization, such as dress code changes, training notifications, vacation updates and more. 

In fact, vacation updates are the hottest topic these days, which would make sense given that we’re in the peak of summer holidays. In total, emails related to vacationing made up 19% of all successful phishing emails, followed by dress code changes (11%) and the W4 form (11%).

Abusing employee trust

“The trend of phishing emails revealed in the Q2 phishing report is especially concerning, as 50% of these emails appear to come from HR – a trusted and crucial department of so many if not all organizations,” said Stu Sjouwerman, CEO, KnowBe4. 

“These disguised emails take advantage of employee trust and typically incite action that can result in disastrous outcomes for the entire organization. New-school security awareness training for employees is crucial to help combat phishing and malicious emails by educating users on the most common cyber attacks and threats. An educated workforce is an organization’s best defense and is essential to fostering and maintaining a strong security culture.” 

Phishing continues to be the most successful attack vector out there. Threat actors carefully craft these email messages, assuming the identities of trusted individuals and entities and mimicking their style and tone of voice almost flawlessly. 

The common denominator in these emails is a sense of urgency: for the scam to work, the victim must not have time to think things through.

At the end of the day, with a little common sense, phishing emails are usually easy to spot. Does the message come from the domain of the entity the sender claims to be? Are there typos or other errors? Is the sender asking for something that doesn't really make sense? Is the offer in the message too good to be true? All of these are red flags recipients can use to determine whether they're being targeted.
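One way to turn those red flags into a mail-triage check, as an added example that is not from the article or from KnowBe4: parse a message, compare the From domain with the organisation's own domain (assumed here to be example.com), look for a Reply-To that steers replies elsewhere, and flag urgency language. Both sample messages are constructed.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Assumption: the organisation's own sending domain(s); not from the article.
INTERNAL_DOMAINS = {"example.com"}
HR_TOPICS = re.compile(r"\b(hr|human resources|dress code|vacation|w-?4|training)\b", re.I)
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|today|action required|final notice)\b", re.I)

def domain_of(header):
    """Return the lower-cased domain of an address header ('' if none)."""
    _, addr = parseaddr(header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def red_flags(raw_message, internal_domains=INTERNAL_DOMAINS):
    """Return a list of human-readable red flags found in one RFC 5322 message."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    from_hdr, subject = msg["From"] or "", msg["Subject"] or ""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    from_dom, reply_dom = domain_of(from_hdr), domain_of(msg["Reply-To"])
    flags = []
    # Red flag 1: claims to be HR (display name or subject) but is not sent from our domain.
    if (HR_TOPICS.search(subject) or HR_TOPICS.search(from_hdr)) and from_dom not in internal_domains:
        flags.append(f"HR-themed message from external domain {from_dom}")
    # Red flag 2: replies are steered to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Red flag 3: the pressure to act now that the article describes.
    if URGENCY.search(subject) or URGENCY.search(text):
        flags.append("urgency language in subject or body")
    return flags

# Constructed sample: HR vacation lure from a look-alike domain (not a real message).
LURE = """From: HR Department <hr@example-hr-portal.com>
Reply-To: payroll@mail-example.net
To: staff@example.com
Subject: Updated vacation policy - action required today

Review the new vacation policy immediately or lose your accrued days.
"""
# Constructed sample: a legitimate internal HR notice.
LEGIT = """From: People Team <hr@example.com>
To: staff@example.com
Subject: Dress code update for summer

The updated dress code is on the intranet; see the People Team page for details.
"""
```

Calling `red_flags(LURE)` yields three flags (external HR domain, mismatched Reply-To, urgency), while `red_flags(LEGIT)` yields none.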

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.